Windows Analysis Report
jcXViWLNuc.exe

Overview

General Information

Sample name: jcXViWLNuc.exe (renamed because original name is a hash value)
Original sample name: a8ca71060dae68d7ae75ea3156301407.exe
Analysis ID: 1465914
MD5: a8ca71060dae68d7ae75ea3156301407
SHA1: 9e116e2ce2a01fdbc2587725fa5261b26758fc77
SHA256: 9701b7e2c0cd3f562f2b817e94993309429963d2cec3424e7f77345f31ded0ae
Tags: 32, exe, trojan

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Machine Learning detection for sample
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • jcXViWLNuc.exe (PID: 7836 cmdline: "C:\Users\user\Desktop\jcXViWLNuc.exe" MD5: A8CA71060DAE68D7AE75EA3156301407)
    • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration:
{"Host:Port:Password": "127.0.0.1:2404", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MG8NXC", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara matches (sample):
Source: jcXViWLNuc.exe | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: jcXViWLNuc.exe | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
    • 0x58338:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x58848:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x58218:$str_b2: Executing file:
    • 0x58c1c:$str_b3: GetDirectListeningPort
    • 0x58638:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x587b8:$str_b7: \update.vbs
    • 0x58244:$str_b9: Downloaded file:
    • 0x58230:$str_b10: Downloading file:
    • 0x582d4:$str_b12: Failed to upload file:
    • 0x58be4:$str_b13: StartForward
    • 0x58c04:$str_b14: StopForward
    • 0x58710:$str_b15: fso.DeleteFile "
    • 0x586a4:$str_b16: On Error Resume Next
    • 0x58740:$str_b17: fso.DeleteFolder "
    • 0x582c4:$str_b18: Uploaded file:
    • 0x58284:$str_b19: Unable to delete:
    • 0x586d8:$str_b20: while fso.FileExists("
    • 0x58471:$str_c0: [Firefox StoredLogins not found]
    • 0x583a5:$str_c2: [Chrome StoredLogins found, cleared!]
    • 0x58381:$str_c3: [Chrome StoredLogins not found]
    • 0x58498:$str_c6: \logins.json
Yara matches (memory dumps):
Source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: Process Memory Space: jcXViWLNuc.exe PID: 7836 | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Yara matches (unpacked PE files):
Source: 1.0.jcXViWLNuc.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 1.0.jcXViWLNuc.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
              • 0x58338:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
              • 0x58848:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
              • 0x58218:$str_b2: Executing file:
              • 0x58c1c:$str_b3: GetDirectListeningPort
              • 0x58638:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
              • 0x587b8:$str_b7: \update.vbs
              • 0x58244:$str_b9: Downloaded file:
              • 0x58230:$str_b10: Downloading file:
              • 0x582d4:$str_b12: Failed to upload file:
              • 0x58be4:$str_b13: StartForward
              • 0x58c04:$str_b14: StopForward
              • 0x58710:$str_b15: fso.DeleteFile "
              • 0x586a4:$str_b16: On Error Resume Next
              • 0x58740:$str_b17: fso.DeleteFolder "
              • 0x582c4:$str_b18: Uploaded file:
              • 0x58284:$str_b19: Unable to delete:
              • 0x586d8:$str_b20: while fso.FileExists("
              • 0x58471:$str_c0: [Firefox StoredLogins not found]
              • 0x583a5:$str_c2: [Chrome StoredLogins found, cleared!]
              • 0x58381:$str_c3: [Chrome StoredLogins not found]
              • 0x58498:$str_c6: \logins.json
Source: 1.2.jcXViWLNuc.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 1.2.jcXViWLNuc.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
                • 0x58338:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                • 0x58848:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
                • 0x58218:$str_b2: Executing file:
                • 0x58c1c:$str_b3: GetDirectListeningPort
                • 0x58638:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
                • 0x587b8:$str_b7: \update.vbs
                • 0x58244:$str_b9: Downloaded file:
                • 0x58230:$str_b10: Downloading file:
                • 0x582d4:$str_b12: Failed to upload file:
                • 0x58be4:$str_b13: StartForward
                • 0x58c04:$str_b14: StopForward
                • 0x58710:$str_b15: fso.DeleteFile "
                • 0x586a4:$str_b16: On Error Resume Next
                • 0x58740:$str_b17: fso.DeleteFolder "
                • 0x582c4:$str_b18: Uploaded file:
                • 0x58284:$str_b19: Unable to delete:
                • 0x586d8:$str_b20: while fso.FileExists("
                • 0x58471:$str_c0: [Firefox StoredLogins not found]
                • 0x583a5:$str_c2: [Chrome StoredLogins found, cleared!]
                • 0x58381:$str_c3: [Chrome StoredLogins not found]
                • 0x58498:$str_c6: \logins.json
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: jcXViWLNuc.exe | Avira: detected
Source: 1.2.jcXViWLNuc.exe.400000.0.unpack | Malware Configuration Extractor: Remcos {"Host:Port:Password": "127.0.0.1:2404", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MG8NXC", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: jcXViWLNuc.exe | Virustotal: Detection: 79%
Source: jcXViWLNuc.exe | ReversingLabs: Detection: 84%
Source: Yara match | File source: jcXViWLNuc.exe, type: SAMPLE
Source: Yara match | File source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jcXViWLNuc.exe PID: 7836, type: MEMORYSTR
Source: jcXViWLNuc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0042B19B CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: jcXViWLNuc.exe, 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_fb53869e-d)
Source: jcXViWLNuc.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004081F9 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004072E5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0041474A FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00407733 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00440A49 FindFirstFileExA
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00404CF3 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00405C8E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00407FDE FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0040511A SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

Networking

Source: Malware configuration extractor | URLs: 127.0.0.1
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0040F4A7 SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow,ShowWindow
Source: jcXViWLNuc.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: jcXViWLNuc.exe | String found in binary or memory: http://geoplugin.net/json.gp/C

E-Banking Fraud

Source: Yara match | File source: jcXViWLNuc.exe, type: SAMPLE
Source: Yara match | File source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jcXViWLNuc.exe PID: 7836, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00414D34 SystemParametersInfoW

System Summary

Source: jcXViWLNuc.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00414085 OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004140B1 OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0040F4A7 SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow,ShowWindow
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0041601F
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00431217
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0042E220
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0042B2A6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0044B470
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004304CE
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004454FB
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0041F488
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0040F4A7
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004175D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0043164C
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0043B680
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004476B8
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0042D76E
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0043680C
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004309CA
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0040D9A0
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00436A3B
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0041FB26
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0041FC69
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00445C19
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00430DE2
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0041EF91
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: String function: 0042BE33 appears 34 times
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: String function: 0042C720 appears 50 times
Source: jcXViWLNuc.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: jcXViWLNuc.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@2/1@0/1
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00410D25 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0040A7FF CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00413B3A FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0041311D OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-MG8NXC
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Command line argument: \~F (1_2_0040A1D6)
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Command line argument: \~F (1_2_0040A1D6)
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Command line argument: Software\ (1_2_0040A1D6)
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Command line argument: Rmc-MG8NXC (1_2_0040A1D6)
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Command line argument: Exe (1_2_0040A1D6)
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Command line argument: Exe (1_2_0040A1D6)
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Command line argument: licence (1_2_0040A1D6)
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Command line argument: Administrator (1_2_0040A1D6)
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Command line argument: User (1_2_0040A1D6)
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Command line argument: del (1_2_0040A1D6)
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Command line argument: del (1_2_0040A1D6)
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Command line argument: del (1_2_0040A1D6)
Source: jcXViWLNuc.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jcXViWLNuc.exe | Virustotal: Detection: 79%
Source: jcXViWLNuc.exe | ReversingLabs: Detection: 84%
Source: unknown | Process created: C:\Users\user\Desktop\jcXViWLNuc.exe "C:\Users\user\Desktop\jcXViWLNuc.exe"
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Section loaded: mswsock.dll
Source: jcXViWLNuc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jcXViWLNuc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jcXViWLNuc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jcXViWLNuc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jcXViWLNuc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jcXViWLNuc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: jcXViWLNuc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jcXViWLNuc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jcXViWLNuc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jcXViWLNuc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jcXViWLNuc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jcXViWLNuc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00414EA2 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0044A5D6 push ecx; ret 1_2_0044A5E9
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0042C766 push ecx; ret 1_2_0042C779
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0044AE38 push eax; ret 1_2_0044AE56
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00404A3B ShellExecuteW,URLDownloadToFileW
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0041311D OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0040A6C0 Sleep,ExitProcess,1_2_0040A6C0
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,1_2_00412E4B
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Window / User API: threadDelayed 4086
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Window / User API: threadDelayed 5862
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_1-41190)
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe TID: 7896 | Thread sleep time: -12258000s >= -30000s
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe TID: 7896 | Thread sleep time: -17586000s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004081F9 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,1_2_004081F9
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004072E5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,1_2_004072E5
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0041474A FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,1_2_0041474A
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00407733 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,1_2_00407733
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00440A49 FindFirstFileExA,1_2_00440A49
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00404CF3 FindFirstFileW,FindNextFileW,1_2_00404CF3
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00405C8E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,1_2_00405C8E
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00407FDE FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,1_2_00407FDE
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0040511A SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,1_2_0040511A
                Source: jcXViWLNuc.exe, 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004320EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_004320EC
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00414EA2 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,1_2_00414EA2
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004389B4 mov eax, dword ptr fs:[00000030h] 1_2_004389B4
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0040CB6C SetLastError,GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,1_2_0040CB6C
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004320EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_004320EC
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0042C52B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0042C52B
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0042C6BD SetUnhandledExceptionFilter,1_2_0042C6BD
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0042C8EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0042C8EC
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_004124EF mouse_event,1_2_004124EF
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_0042C37B cpuid 1_2_0042C37B
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: EnumSystemLocalesW,1_2_0044416B
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: EnumSystemLocalesW,1_2_00444120
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: EnumSystemLocalesW,1_2_00444206
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,1_2_00444293
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: GetLocaleInfoW,1_2_0043D31C
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: GetLocaleInfoW,1_2_004444E3
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_0044460C
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: GetLocaleInfoW,1_2_00444713
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: GetLocaleInfoA,1_2_0040A7D3
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_004447E0
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,1_2_00443EA8
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: EnumSystemLocalesW,1_2_0043CEB5
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00413B81 GetLocalTime,1_2_00413B81
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: 1_2_00413C9F CreateThread,GetComputerNameExW,GetUserNameW,1_2_00413C9F

                Stealing of Sensitive Information

                Source: Yara match | File source: jcXViWLNuc.exe, type: SAMPLE
                Source: Yara match | File source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: jcXViWLNuc.exe PID: 7836, type: MEMORYSTR
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 1_2_00407EC0
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 1_2_00407FDE
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: \key3.db 1_2_00407FDE

                Remote Access Functionality

                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MG8NXC
                Source: Yara match | File source: jcXViWLNuc.exe, type: SAMPLE
                Source: Yara match | File source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: jcXViWLNuc.exe PID: 7836, type: MEMORYSTR
                Source: C:\Users\user\Desktop\jcXViWLNuc.exe | Code function: cmd.exe 1_2_00403B0B
                ATT&CK Matrix (numbers in parentheses are the counts attached to each technique in the report)
                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
                Execution: Native API (1), Command and Scripting Interpreter (12), Service Execution (2), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
                Persistence: DLL Side-Loading (1), Windows Service (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
                Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (1), Process Injection (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
                Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Process Injection (1), Compile After Delivery, Indicator Removal from Tools, HTML Smuggling, Dynamic API Resolution
                Credential Access: OS Credential Dumping (1), Credentials In Files (2), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
                Discovery: System Time Discovery (1), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (2), System Information Discovery (22), Security Software Discovery (21), Virtualization/Sandbox Evasion (1), Process Discovery (1), Application Window Discovery (1), System Owner/User Discovery (1)
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
                Collection: Archive Collected Data (11), Clipboard Data (3), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
                Command and Control: Ingress Tool Transfer (11), Encrypted Channel (2), Remote Access Software (1), Application Layer Protocol (1), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot (1), Defacement (1), Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
                Source | Detection | Scanner | Label
                jcXViWLNuc.exe | 80% | Virustotal | -
                jcXViWLNuc.exe | 84% | ReversingLabs | Win32.Trojan.DumpDacic
                jcXViWLNuc.exe | 100% | Avira | BDS/Backdoor.Gen
                jcXViWLNuc.exe | 100% | Joe Sandbox ML | -
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://geoplugin.net/json.gp | 0% | URL Reputation | safe
                http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
                http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
                127.0.0.1 | 0% | Avira URL Cloud | safe
                127.0.0.1 | 0% | Virustotal | -
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                127.0.0.1 | true | 0% Virustotal; Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://geoplugin.net/json.gp | jcXViWLNuc.exe | false | URL Reputation: safe | unknown
                http://geoplugin.net/json.gp/C | jcXViWLNuc.exe | false | URL Reputation: safe; URL Reputation: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                127.0.0.1 | - | - | - | - | -
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1465914
                Start date and time:2024-07-02 08:24:48 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 33s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:10
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:jcXViWLNuc.exe
                renamed because original name is a hash value
                Original Sample Name:a8ca71060dae68d7ae75ea3156301407.exe
                Detection:MAL
                Classification:mal100.rans.troj.spyw.evad.winEXE@2/1@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 33
                • Number of non-executed functions: 154
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed; the report is missing behavior information
                Time | Type | Description
                02:26:15 | API Interceptor | 4215266x Sleep call for process: jcXViWLNuc.exe modified
                Process:C:\Users\user\Desktop\jcXViWLNuc.exe
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):8899
                Entropy (8bit):4.6858370653291965
                Encrypted:false
                SSDEEP:96:U5d9n9X9LHhyyCR3j8hORxsnJNK+Mfz74nx4:Y9njD8yKznxsnJNK17si
                MD5:5229AAF40CB2A93D8304333BC71074BF
                SHA1:7A94957159870BBB129B164F963AED741DA3644B
                SHA-256:97E371E976C234877E9D6C8CD2A915E5C7BD629F0753D8EDDE5A4D049735CF02
                SHA-512:4A592A59BF8397311DA0F0DA029D997E627D4CE6E64B37E937AB37C1EB2E4D56F7F2BFBB9C745B5CF7BC3CFD05DDD1441BBB256B28B287DE850FE0C92ED2D3D8
                Malicious:false
                Reputation:low
                Preview:... ______ ...(_____ \ ... _____) )_____ ____ ____ ___ ___ ...| __ /| ___ | \ / ___) _ \ /___)...| | \ \| ____| | | ( (__| |_| |___ |...|_| |_|_____)_|_|_|\____)___/(___/ .....Remcos v5.0.0 Light.... BreakingSecurity.net....02:25:39:418 i | Remcos Agent initialized..02:25:39:418 i | Access Level: Administrator..02:25:39:433 i | Connecting | TLS On | 127.0.0.1:2404..02:25:41:496 E | Connection Refused..02:25:42:512 i | Connecting | TLS On | 127.0.0.1:2404..02:25:44:527 E | Connection Refused..02:25:45:543 i | Connecting | TLS On | 127.0.0.1:2404..02:25:47:574 E | Connection Refused..02:25:48:590 i | Connecting | TLS On | 127.0.0.1:2404..02:25:50:652 E | Connection Refused..02:25:51:668 i | Connecting | TLS On | 127.0.0.1:2404..02:25:53:699 E | Connection Refused..02:25:54:715 i | Connecting | TLS On | 127.0.0.1:2404..02:25:56:746 E | Connection Refused..02:25:57:762 i | Connecting | TLS On | 127.0.0.1:240
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.562026880509969
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:jcXViWLNuc.exe
                File size:440'320 bytes
                MD5:a8ca71060dae68d7ae75ea3156301407
                SHA1:9e116e2ce2a01fdbc2587725fa5261b26758fc77
                SHA256:9701b7e2c0cd3f562f2b817e94993309429963d2cec3424e7f77345f31ded0ae
                SHA512:2adae876a6db5ac8ef80357b1c8f2b28348fdb20fd5c14bc02275cd5bd416550d518b7b65c07429a2e049fa9feb346db4667d53b3b6f799a9581089bd0f813c2
                SSDEEP:6144:VCJBSkHyP4DivRrO+d3cyU6320ho4nbJAj0N91EU7ZUFbz68AO2ZjXH76crV6B3:VCJB/RuFhU6ho0ej0N91HFAAZ77iB3
                TLSH:B1949E12B492C032C17212740E29FB7599BCBD212936497B73EA5E5BBE741C1BB36363
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............,...,...,MEj,...,MEh,X..,MEi,...,...,...,gy\,...,T..-...,T..-...,T..-...,...,...,...,...,N..-...,N.d,...,N..-...,Rich...
                Icon Hash:95694d05214c1b33
                Entrypoint:0x42c2ee
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:TERMINAL_SERVER_AWARE
                Time Stamp:0x66728C31 [Wed Jun 19 07:43:45 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:8a3b06a792183c402d038c6ccea86944
                Instruction
                call 00007F73C4EEF0FDh
                jmp 00007F73C4EEEB03h
                push ebp
                mov ebp, esp
                push esi
                push dword ptr [ebp+08h]
                mov esi, ecx
                call 00007F73C4ECBF7Ah
                mov dword ptr [esi], 0044D608h
                mov eax, esi
                pop esi
                pop ebp
                retn 0004h
                and dword ptr [ecx+04h], 00000000h
                mov eax, ecx
                and dword ptr [ecx+08h], 00000000h
                mov dword ptr [ecx+04h], 0044D610h
                mov dword ptr [ecx], 0044D608h
                ret
                push ebp
                mov ebp, esp
                push esi
                push dword ptr [ebp+08h]
                mov esi, ecx
                call 00007F73C4ECBF47h
                mov dword ptr [esi], 0044D624h
                mov eax, esi
                pop esi
                pop ebp
                retn 0004h
                and dword ptr [ecx+04h], 00000000h
                mov eax, ecx
                and dword ptr [ecx+08h], 00000000h
                mov dword ptr [ecx+04h], 0044D62Ch
                mov dword ptr [ecx], 0044D624h
                ret
                push ebp
                mov ebp, esp
                sub esp, 0Ch
                lea ecx, dword ptr [ebp-0Ch]
                call 00007F73C4EEEC4Fh
                push 0046152Ch
                lea eax, dword ptr [ebp-0Ch]
                push eax
                call 00007F73C4EF14CFh
                int3
                push ebp
                mov ebp, esp
                and dword ptr [00464CF4h], 00000000h
                sub esp, 2Ch
                push ebx
                xor ebx, ebx
                inc ebx
                or dword ptr [00464008h], ebx
                push 0000000Ah
                call 00007F73C4F0CEA6h
                test eax, eax
                je 00007F73C4EEEDEDh
                and dword ptr [ebp-14h], 00000000h
                xor eax, eax
                or dword ptr [00464008h], 02h
                xor ecx, ecx
                push esi
                push edi
                mov dword ptr [00004CF4h], ebx
                Programming Language:
                • [C++] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61ee0 | 0xf0 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6c000 | 0x4b5c | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x3240 | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x60620 | 0x38 | .rdata
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_TLS | 0x606b4 | 0x18 | .rdata
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x60658 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_IAT | 0x4d000 | 0x458 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x4b65e | 0x4b800 | db294eb3652167aac011a6f88084697a | False | 0.5698403870033113 | data | 6.593617980898634 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata | 0x4d000 | 0x16658 | 0x16800 | 44d09f38441ed2ef4311a469320c0844 | False | 0.5041124131944444 | OpenPGP Public Key Version 6 | 5.864615616592108 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x64000 | 0x5804 | 0xe00 | c2f8f7020787d3b2510df7c8e5ebb891 | False | 0.22098214285714285 | DOS executable (block device driver @\273\) | 2.9547475152611895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .tls | 0x6a000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .gfids | 0x6b000 | 0x230 | 0x400 | 800849abfeb58a77f7c196a6ccde4afc | False | 0.333984375 | data | 2.4412722468785604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .rsrc | 0x6c000 | 0x4b5c | 0x4c00 | f8ebe6ff964670e60ce66ee7b7d82ab7 | False | 0.28423108552631576 | data | 3.986262864613123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x71000 | 0x3240 | 0x3400 | e5f4a62ea9b11557f22221f2b6eacc1c | False | 0.7478966346153846 | data | 6.6079153889088955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                RT_ICON | 0x6c18c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
                RT_ICON | 0x6c5f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
                RT_ICON | 0x6cf7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
                RT_ICON | 0x6e024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
                RT_RCDATA | 0x705cc | 0x54d | data | - | - | 1.0081061164333087
                RT_GROUP_ICON | 0x70b1c | 0x3e | data | English | United States | 0.8064516129032258
                DLL | Import
                KERNEL32.dll | VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcAddress, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetCurrentProcess, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetCurrentProcessId, GetTickCount, GlobalUnlock, LocalAlloc, GetModuleHandleA, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, RemoveDirectoryW, FindResourceA, OpenProcess, lstrcatW, LockResource, LoadResource, LocalFree, GetFileSize, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindNextVolumeW, SetLastError, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, VirtualProtect, Process32FirstW, Process32NextW, CreateToolhelp32Snapshot, GetLocaleInfoA, ExitProcess, CreateMutexA, GetModuleFileNameW, GetLongPathNameW, ExpandEnvironmentStringsA, GetLastError, WaitForSingleObject, FindNextFileA, FindFirstFileA, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, CreateFileW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, CreateDirectoryW, CreateProcessA, Sleep, PeekNamedPipe, CreatePipe, TerminateProcess, WriteFile, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, CloseHandle, SetEvent, CreateEventW, AllocConsole, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, GetModuleHandleW, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
                USER32.dll | EnumWindows, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, SetForegroundWindow, SetClipboardData, GetClipboardData, MessageBoxW, IsWindowVisible, CloseWindow, GetWindowThreadProcessId, SendInput, EnumDisplaySettingsW, mouse_event, DrawIcon, GetSystemMetrics, GetIconInfo, SystemParametersInfoW, GetForegroundWindow, GetCursorPos, RegisterClassExA, AppendMenuA, CreateWindowExA, DefWindowProcA, TrackPopupMenu, CreatePopupMenu, ShowWindow, OpenClipboard, SetWindowTextW, ExitWindowsEx, EmptyClipboard, CloseClipboard
                GDI32.dll | CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, BitBlt
                ADVAPI32.dll | RegDeleteKeyA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
                SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                SHLWAPI.dll | StrToIntA, PathFileExistsA, PathFileExistsW
                WINMM.dll | PlaySoundW, mciSendStringA, mciSendStringW
                WS2_32.dll | connect, socket, send, WSAStartup, recv, htons, htonl, getservbyname, inet_ntoa, ntohs, getservbyport, gethostbyaddr, WSAGetLastError, WSASetLastError, inet_addr, closesocket, gethostbyname
                urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
                gdiplus.dll | GdiplusStartup, GdipDisposeImage, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipGetImageEncoders, GdipCloneImage, GdipAlloc
                WININET.dll | InternetOpenW, InternetCloseHandle, InternetReadFile, InternetOpenUrlW
                Language of compilation system | Country where language is spoken
                English | United States
                No network behavior found


                Target ID:1
                Start time:02:25:39
                Start date:02/07/2024
                Path:C:\Users\user\Desktop\jcXViWLNuc.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\jcXViWLNuc.exe"
                Imagebase:0x400000
                File size:440'320 bytes
                MD5 hash:A8CA71060DAE68D7AE75EA3156301407
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false

                Target ID:2
                Start time:02:25:39
                Start date:02/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6ee680000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                  Execution Graph

                  Execution Coverage:4.3%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:15.3%
                  Total number of Nodes:1167
                  Total number of Limit Nodes:18
40898 403514 40897->40898 40899 4035a8 11 API calls 40898->40899 40900 40351f 40899->40900 40913 403621 40900->40913 40903 409450 40925 4094b7 40903->40925 40905 409460 40929 406547 40905->40929 40908 407d1f 40950 4067ef 40908->40950 40910 407d2f 40911 406547 11 API calls 40910->40911 40912 407d3e 40911->40912 40912->40387 40914 40362f char_traits 40913->40914 40917 403640 40914->40917 40916 403529 40916->40903 40918 403650 40917->40918 40919 403656 40918->40919 40920 40366d 40918->40920 40924 4037c7 28 API calls 40919->40924 40921 403723 28 API calls 40920->40921 40923 40366b 40921->40923 40923->40916 40924->40923 40926 4094c5 char_traits 40925->40926 40935 4094d7 40926->40935 40928 4094d2 40928->40905 40930 406555 40929->40930 40931 4035a8 11 API calls 40930->40931 40932 40656f 40931->40932 40933 406821 11 API calls 40932->40933 40934 406580 40933->40934 40934->40908 40936 4094e7 40935->40936 40937 409505 40936->40937 40938 4094ed 40936->40938 40939 4026bf 22 API calls 40937->40939 40948 406f79 28 API calls 40938->40948 40940 40950d 40939->40940 40942 409581 40940->40942 40943 409524 40940->40943 40949 4026de 22 API calls 40942->40949 40945 403723 28 API calls 40943->40945 40947 409503 40943->40947 40945->40947 40947->40928 40948->40947 40951 4067fd char_traits 40950->40951 40954 406962 40951->40954 40953 406809 40953->40910 40955 406972 40954->40955 40956 406978 40955->40956 40957 40698f 40955->40957 40965 4069f2 28 API calls 40956->40965 40959 4069a5 40957->40959 40960 4069ea 40957->40960 40962 403723 28 API calls 40959->40962 40964 40698d 40959->40964 40966 4026de 22 API calls 40960->40966 40962->40964 40964->40953 40965->40964 40968 402c77 40967->40968 40971 402dd6 40968->40971 40970 402c84 40970->40393 40972 402de6 40971->40972 40973 402e02 40972->40973 40974 402dec 40972->40974 40975 4026bf 22 API calls 40973->40975 40984 4030b6 28 API calls 40974->40984 40976 402e0a 40975->40976 40978 402e21 40976->40978 40979 402e7d 40976->40979 40981 402723 28 API calls 
40978->40981 40983 402e00 40978->40983 40985 4026de 22 API calls 40979->40985 40981->40983 40983->40970 40984->40983 40992 433831 40986->40992 40990 40d352 40989->40990 40991 40d328 RegSetValueExA RegCloseKey 40989->40991 40990->40414 40991->40990 40995 4337b2 40992->40995 40994 4087ed 40994->40412 40996 4337c1 40995->40996 40997 4337d5 40995->40997 40998 434256 _free 20 API calls 40996->40998 41000 4337c6 __alldvrm __wsopen_s 40997->41000 41001 43d386 11 API calls 2 library calls 40997->41001 40998->41000 41000->40994 41001->41000 41005 413e9c ___scrt_get_show_window_mode 41002->41005 41003 402178 28 API calls 41004 40e94e 41003->41004 41004->40420 41005->41003 41006->40437 41008 4021c9 11 API calls 41007->41008 41009 406bb1 41008->41009 41010 402ba1 28 API calls 41009->41010 41011 406bcd 41010->41011 41012 40206e 28 API calls 41011->41012 41013 406bd5 41012->41013 41013->40466 41015 40e907 WSASetLastError 41014->41015 41016 40e8fd 41014->41016 41015->40466 41131 40e783 29 API calls ___std_exception_copy 41016->41131 41018 40e902 41018->41015 41021 40168c socket 41020->41021 41022 40167f 41020->41022 41024 4016a6 CreateEventW 41021->41024 41025 401688 41021->41025 41132 4016e4 WSAStartup 41022->41132 41024->40466 41025->40466 41026 401684 41026->41021 41026->41025 41028 401d83 41027->41028 41030 401e08 41027->41030 41029 401d8c 41028->41029 41031 401dde CreateEventA CreateThread 41028->41031 41032 401d9b GetLocalTime 41028->41032 41029->41031 41030->40466 41031->41030 41134 401f6e 41031->41134 41133 41410a 28 API calls 41032->41133 41034 401daf 41035 402a6d 28 API calls 41034->41035 41036 401dbf 41035->41036 41037 402178 28 API calls 41036->41037 41038 401dce 41037->41038 41039 413b81 79 API calls 41038->41039 41040 401dd3 41039->41040 41041 402091 11 API calls 41040->41041 41041->41031 41043 401861 41042->41043 41044 401734 41042->41044 41045 4017c4 41043->41045 41046 401867 WSAGetLastError 41043->41046 41044->41045 41049 402a91 28 API calls 41044->41049 41069 
401769 41044->41069 41045->40466 41046->41045 41047 401877 41046->41047 41050 401778 41047->41050 41051 40187c 41047->41051 41053 401755 41049->41053 41056 402178 28 API calls 41050->41056 41149 414e33 30 API calls 41051->41149 41052 401771 41052->41050 41055 401787 41052->41055 41057 402178 28 API calls 41053->41057 41066 401796 41055->41066 41067 4017cd 41055->41067 41059 4018c6 41056->41059 41060 401764 41057->41060 41058 401886 41061 402a6d 28 API calls 41058->41061 41063 402178 28 API calls 41059->41063 41064 413b81 79 API calls 41060->41064 41062 401896 41061->41062 41065 402178 28 API calls 41062->41065 41068 4018d5 41063->41068 41064->41069 41070 4018a5 41065->41070 41072 402178 28 API calls 41066->41072 41146 419dbe 53 API calls 41067->41146 41073 413b81 79 API calls 41068->41073 41138 4190ba 27 API calls 41069->41138 41074 413b81 79 API calls 41070->41074 41076 4017a5 41072->41076 41073->41045 41077 4018aa 41074->41077 41075 4017d5 41078 40180a 41075->41078 41079 4017da 41075->41079 41080 402178 28 API calls 41076->41080 41081 402091 11 API calls 41077->41081 41148 419255 28 API calls 41078->41148 41082 402178 28 API calls 41079->41082 41083 4017b4 41080->41083 41081->41045 41085 4017e9 41082->41085 41086 413b81 79 API calls 41083->41086 41089 402178 28 API calls 41085->41089 41090 4017b9 41086->41090 41087 401812 41088 40183f CreateEventW CreateEventW 41087->41088 41091 402178 28 API calls 41087->41091 41088->41045 41092 4017f8 41089->41092 41139 419100 41090->41139 41093 401828 41091->41093 41094 413b81 79 API calls 41092->41094 41096 402178 28 API calls 41093->41096 41097 4017fd 41094->41097 41098 401837 41096->41098 41147 419507 51 API calls 41097->41147 41100 413b81 79 API calls 41098->41100 41101 40183c 41100->41101 41101->41088 41103 401c65 SetEvent CloseHandle 41102->41103 41104 401c7c closesocket 41102->41104 41105 401d05 41103->41105 41106 401c89 41104->41106 41105->40466 41107 401c98 41106->41107 41108 401c9f 41106->41108 41152 401eff 83 API 
calls 41107->41152 41110 401cb1 WaitForSingleObject 41108->41110 41111 401cfb SetEvent CloseHandle 41108->41111 41112 419100 3 API calls 41110->41112 41111->41105 41113 401cc4 SetEvent WaitForSingleObject 41112->41113 41114 419100 3 API calls 41113->41114 41115 401ce0 SetEvent FindCloseChangeNotification FindCloseChangeNotification 41114->41115 41115->41111 41116->40466 41117->40466 41118->40466 41119->40466 41120->40466 41121->40466 41122->40503 41123->40503 41124->40503 41125->40503 41126->40503 41127->40503 41128->40503 41129->40503 41130->40503 41131->41018 41132->41026 41133->41034 41137 401f7f 101 API calls 41134->41137 41136 401f7a 41137->41136 41138->41052 41140 416be2 41139->41140 41141 419108 41139->41141 41142 416bf0 41140->41142 41150 415d1b DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 41140->41150 41141->41045 41151 416912 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 41142->41151 41145 416bf7 41146->41075 41147->41090 41148->41087 41149->41058 41150->41142 41151->41145 41152->41108 41184 4159c9 41153->41184 41156 4159b3 GetMessageA 41157 4159c4 41156->41157 41158 41599f TranslateMessage DispatchMessageA 41156->41158 41158->41156 41161 40a6db 41159->41161 41162 40a776 41161->41162 41164 40a766 Sleep 41161->41164 41181 40a70d 41161->41181 41190 40cfd6 RegOpenKeyExA 41161->41190 41165 403509 28 API calls 41162->41165 41163 403509 28 API calls 41163->41181 41164->41161 41168 40a781 41165->41168 41167 4141da 28 API calls 41167->41181 41169 4141da 28 API calls 41168->41169 41170 40a78d 41169->41170 41195 40d2a7 14 API calls 41170->41195 41173 4034ff 11 API calls 41173->41181 41174 40a79b 41175 4034ff 11 API calls 41174->41175 41177 40a7a7 41175->41177 41176 402178 28 API calls 41176->41181 41178 402178 28 API calls 41177->41178 41179 40a7b4 41178->41179 41182 40d202 14 API calls 41179->41182 41180 40d202 14 API calls 41180->41181 41181->41163 41181->41164 41181->41167 41181->41173 41181->41176 41181->41180 41193 408817 
54 API calls ___scrt_get_show_window_mode 41181->41193 41194 40d2a7 14 API calls 41181->41194 41183 40a7c7 ExitProcess 41182->41183 41185 42ec50 ___scrt_get_show_window_mode 41184->41185 41186 4159e0 RegisterClassExA 41185->41186 41187 41593b ExtractIconA lstrcpynA Shell_NotifyIconA 41186->41187 41188 415a20 CreateWindowExA 41186->41188 41187->41156 41188->41187 41189 415a3a GetLastError 41188->41189 41189->41187 41191 40d000 RegQueryValueExA RegCloseKey 41190->41191 41192 40d02d 41190->41192 41191->41192 41192->41161 41194->41181 41195->41174 41473 40b584 70 API calls Concurrency::wait 41590 403f90 86 API calls 41592 423b9c 28 API calls 41476 40d9a0 80 API calls 41594 40afa2 23 API calls 41595 40f7a6 45 API calls 41477 4115a9 GdipAlloc GdipCloneImage 41597 4323a8 49 API calls 5 library calls 41599 42e7b0 6 API calls 4 library calls 41601 40f7b4 65 API calls 41482 433dbb 21 API calls 3 library calls 41483 41edbb WSAGetLastError send 41484 40e5bb 55 API calls 2 library calls 41485 4109bf 49 API calls 41603 40abbe 67 API calls fpos

                  Control-flow Graph

                  APIs
                  • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414EB5
                  • GetProcAddress.KERNEL32(00000000), ref: 00414EBE
                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414ED9
                  • GetProcAddress.KERNEL32(00000000), ref: 00414EDC
                  • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414EED
                  • GetProcAddress.KERNEL32(00000000), ref: 00414EF0
                  • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414F05
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F08
                  • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,0040A1F2), ref: 00414F19
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F1C
                  • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,0040A1F2), ref: 00414F28
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F2B
                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0040A1F2), ref: 00414F3C
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F3F
                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,0040A1F2), ref: 00414F50
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F53
                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,0040A1F2), ref: 00414F64
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F67
                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,0040A1F2), ref: 00414F78
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F7B
                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,0040A1F2), ref: 00414F8C
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F8F
                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,0040A1F2), ref: 00414FA0
                  • GetProcAddress.KERNEL32(00000000), ref: 00414FA3
                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,0040A1F2), ref: 00414FB4
                  • GetProcAddress.KERNEL32(00000000), ref: 00414FB7
                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,0040A1F2), ref: 00414FC8
                  • GetProcAddress.KERNEL32(00000000), ref: 00414FCB
                  • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,0040A1F2), ref: 00414FD9
                  • GetProcAddress.KERNEL32(00000000), ref: 00414FDC
                  • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,0040A1F2), ref: 00414FED
                  • GetProcAddress.KERNEL32(00000000), ref: 00414FF0
                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,0040A1F2), ref: 00415001
                  • GetProcAddress.KERNEL32(00000000), ref: 00415004
                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,0040A1F2), ref: 00415015
                  • GetProcAddress.KERNEL32(00000000), ref: 00415018
                  • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,0040A1F2), ref: 00415029
                  • GetProcAddress.KERNEL32(00000000), ref: 0041502C
                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,0040A1F2), ref: 0041503D
                  • GetProcAddress.KERNEL32(00000000), ref: 00415040
                  • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,0040A1F2), ref: 00415051
                  • GetProcAddress.KERNEL32(00000000), ref: 00415054
                  • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,0040A1F2), ref: 00415060
                  • GetProcAddress.KERNEL32(00000000), ref: 00415063
                  • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,0040A1F2), ref: 00415070
                  • GetProcAddress.KERNEL32(00000000), ref: 00415073
                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,0040A1F2), ref: 0041507B
                  • GetProcAddress.KERNEL32(00000000), ref: 0041507E
                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,0040A1F2), ref: 00415086
                  • GetProcAddress.KERNEL32(00000000), ref: 00415089
                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,0040A1F2), ref: 00415091
                  • GetProcAddress.KERNEL32(00000000), ref: 00415094
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad$HandleModule
                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                  • API String ID: 4236061018-3687161714
                  • Opcode ID: 42f43bac1a948978ef40ac34bead5871a9a47ad840c4e162dcb489b325ed74a5
                  • Instruction ID: 89b8a1ca175abfd996f71f5c8e59976d1c4d63ecb14037e58508742e74396472
                  • Opcode Fuzzy Hash: 42f43bac1a948978ef40ac34bead5871a9a47ad840c4e162dcb489b325ed74a5
                  • Instruction Fuzzy Hash: 7F41ABA0E9435876DA107BF25C4EE1F2D5CD965B9A3214937B804931A3E9FC850CCEAF

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414EB5
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414EBE
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414ED9
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414EDC
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414EED
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414EF0
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414F05
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F08
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,0040A1F2), ref: 00414F19
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F1C
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,0040A1F2), ref: 00414F28
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F2B
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0040A1F2), ref: 00414F3C
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F3F
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,0040A1F2), ref: 00414F50
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F53
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,0040A1F2), ref: 00414F64
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F67
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,0040A1F2), ref: 00414F78
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F7B
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,0040A1F2), ref: 00414F8C
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F8F
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,0040A1F2), ref: 00414FA0
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414FA3
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,0040A1F2), ref: 00414FB4
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414FB7
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,0040A1F2), ref: 00414FC8
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414FCB
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,0040A1F2), ref: 00414FD9
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414FDC
                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\jcXViWLNuc.exe,00000104), ref: 0040A1FF
                  • CreateThread.KERNELBASE(00000000,00000000,Function_00015917,00000000,00000000,00000000), ref: 0040A493
                  • SetProcessDEPPolicy.KERNEL32(00000000,00000000), ref: 0040A4E3
                  • CreateThread.KERNELBASE(00000000,00000000,Function_0000A6C0,00000000,00000000,00000000), ref: 0040A4EF
                  • DeleteFileW.KERNEL32(00000000), ref: 0040A5B2
                    • Part of subcall function 0040BE14: __EH_prolog.LIBCMT ref: 0040BE19
                  • Sleep.KERNEL32(0000000A), ref: 0040A5A2
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Module$Handle$LibraryLoad$CreateFileThread$DeleteH_prologNamePolicyProcessSleep
                  • String ID: Access Level: $Administrator$C:\Users\user\Desktop\jcXViWLNuc.exe$Exe$Exe$Remcos Agent initialized$Rmc-MG8NXC$Software\$User$\~F$\~F$del$del$licence$license_code.txt
                  • API String ID: 4062606258-2786783728
                  • Opcode ID: 4e28712fc4b9a8b12147ce51a2f9e7833082a9e1baf3a5730e747a5afa57dc82
                  • Instruction ID: d7fcdb205b9e3cc44b5ec7ae23bc972780870e849d8e3733c4f0c5e7c005d7b2
                  • Opcode Fuzzy Hash: 4e28712fc4b9a8b12147ce51a2f9e7833082a9e1baf3a5730e747a5afa57dc82
                  • Instruction Fuzzy Hash: EBA1A13071430067C619BB768D5BA6E36599BC1709F10493FF6467B2C2EEBC9E09835E

                  Control-flow Graph

                  APIs
                    • Part of subcall function 0040CFD6: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 0040CFF6
                    • Part of subcall function 0040CFD6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00467F30), ref: 0040D014
                    • Part of subcall function 0040CFD6: RegCloseKey.ADVAPI32(?), ref: 0040D01F
                  • Sleep.KERNELBASE(00000BB8), ref: 0040A76B
                  • ExitProcess.KERNEL32 ref: 0040A7CC
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseExitOpenProcessQuerySleepValue
                  • String ID: 5.0.0 Light$C:\Users\user\Desktop\jcXViWLNuc.exe$override
                  • API String ID: 2281282204-1682742498
                  • Opcode ID: de87c53a580f659174bf1bd3754530e609291f3eed815c1919bcd4fa9d9cacbf
                  • Instruction ID: 323f05c9e6b9e9d97ce39f937589ef5f1850760f89f461d1ab376a1f97973b78
                  • Opcode Fuzzy Hash: de87c53a580f659174bf1bd3754530e609291f3eed815c1919bcd4fa9d9cacbf
                  • Instruction Fuzzy Hash: F921AE61F1420067C608BA7A4D4B92E3A699B91719F40853EB901772CBEE7DCE09839F
                  APIs
                  • GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocalTime
                  • String ID: | $%02i:%02i:%02i:%03i
                  • API String ID: 481472006-2430845779
                  • Opcode ID: 09fd29e6324a39776a9cc881dc958e0b34cd3948b3a678230b07d70f5a36afbd
                  • Instruction ID: 14a7f7623e9b81fd152da17a30c3428a16553f718532ff7384b8b6c53ca4bb68
                  • Opcode Fuzzy Hash: 09fd29e6324a39776a9cc881dc958e0b34cd3948b3a678230b07d70f5a36afbd
                  • Instruction Fuzzy Hash: 901181725083455BC304FB71D9558ABB3E8AB44305F10093FFA8A920D1FF7CDA88C65A
                  APIs
                  • GetComputerNameExW.KERNELBASE(00000001,?,0040A4C5,75570F10), ref: 00413CBC
                  • GetUserNameW.ADVAPI32(?,?), ref: 00413CD4
                   Memory Dump Source
                   • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                   Similarity
                  • API ID: Name$ComputerUser
                  • String ID:
                  • API String ID: 4229901323-0
                  • Opcode ID: 144f51ac76a5c22de7d265f40f6e653c0b9b1ffb8aa66d763078f3a739eb3950
                  • Instruction ID: 9575080185fc9b94c1c02c15cbbfd2da0248f6688d841492f30f465e1445ce69
                  • Opcode Fuzzy Hash: 144f51ac76a5c22de7d265f40f6e653c0b9b1ffb8aa66d763078f3a739eb3950
                  • Instruction Fuzzy Hash: 0701FF7590011CABCB05EFD4DC45EDEBB7CAF44309F10017AB505B7191EEB46B898B99

                  Control-flow Graph

                   control_flow_graph 5 40e92f-40e977 call 4021c9 call 413e52 call 4021c9 call 4034cf call 402028 call 433426 18 40e986-40e9d2 call 402178 call 4034cf call 4021e0 call 414339 call 4016e4 call 4034cf call 410fbd 5->18 19 40e979-40e980 Sleep 5->19 34 40e9d4-40ea43 call 4034cf call 402020 call 4034cf call 402028 call 4034cf call 402020 call 4034cf call 402028 call 4034cf call 402020 call 4034cf call 402028 call 401585 18->34 35 40ea46-40eae1 call 402178 call 4034cf call 4021e0 call 414339 call 4034cf * 2 call 406ba2 call 404779 call 40209b call 402091 * 2 call 4034cf call 403f83 18->35 19->18 34->35 88 40eaf1-40eaf8 35->88 89 40eae3-40eaef 35->89 90 40eafd-40eb8f call 403f1f call 402a91 call 404804 call 404779 call 402178 call 413b81 call 402091 * 2 call 4034cf call 402028 call 4034cf call 402028 call 40e8ee 88->90 89->90 117 40eb91-40ebd5 WSAGetLastError call 414e33 call 402a6d call 402178 call 413b81 call 402091 90->117 118 40ebda-40ebe8 call 401673 90->118 139 40f460-40f472 call 401c4f call 403583 117->139 123 40ec15-40ec23 call 401d6f call 40170e 118->123 124 40ebea-40ec10 call 402178 * 2 call 413b81 118->124 135 40ec28-40ec2a 123->135 124->139 135->139 140 40ec30-40ed8d call 4034cf * 2 call 402a91 call 404804 call 404779 call 404804 call 404779 call 402178 call 413b81 call 402091 * 4 call 413d81 call 40dfc6 call 403509 * 2 call 437a48 call 4034cf call 4021e0 call 402020 call 402028 * 2 call 40d18b 135->140 153 40f474-40f494 call 4034cf call 402028 call 433426 Sleep 139->153 154 40f49a-40f4a2 call 4034fa 139->154 207 40eda1-40edcb call 402028 call 40d033 140->207 208 40ed8f-40ed9c call 403f1f 140->208 153->154 154->35 214 40edd2-40f45b call 403509 call 409344 call 4141be call 41429c call 41410a call 4034cf GetTickCount call 41410a call 414062 call 41410a call 414012 call 41429c * 5 call 40a7d3 call 41429c call 4047c1 call 406ae8 call 404779 call 406ae8 call 404779 * 3 call 406ae8 call 404779 call 404804 call 404779 call 404804 call 404779 call 406ae8 call 404779 call 406ae8 call 404779 call 406ae8 call 404779 call 406ae8 call 404779 call 404804 call 404779 call 406ae8 call 404779 call 406ae8 call 404779 call 404804 call 404779 * 5 call 406ae8 call 404779 call 406ae8 call 404779 * 7 call 406ae8 call 4018e7 call 402091 * 50 call 4034ff call 402091 * 5 call 4034ff call 401a3c call 403ee2 call 402178 * 2 call 413b81 call 402091 * 2 call 4034ff * 2 207->214 215 40edcd-40edcf 207->215 208->207 214->139 215->214
                  APIs
                  • Sleep.KERNEL32(00000000,00000029,00000000,75570F10,00467F30), ref: 0040E980
                  • WSAGetLastError.WS2_32(00000000,00000001), ref: 0040EB91
                  • Sleep.KERNELBASE(00000000,00000002), ref: 0040F494
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                   Memory Dump Source
                   • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                   Similarity
                  • API ID: Sleep$ErrorLastLocalTime
                  • String ID: | $%I64u$127.0.0.1:2404$5.0.0 Light$C:\Users\user\Desktop\jcXViWLNuc.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-MG8NXC$TLS Off$TLS On $X|F$X|F$\~F$\~F$\~F$hlight$name
                  • API String ID: 524882891-2726430675
                  • Opcode ID: dbed92866c2d51782df0cb33f21d54113799a0477e5918af70d27b9cb65007ac
                  • Instruction ID: c344de4cf0f4a9d4dde5e52d9ce8f823ee96830f3a34fd75b43bb55ba94f9b89
                  • Opcode Fuzzy Hash: dbed92866c2d51782df0cb33f21d54113799a0477e5918af70d27b9cb65007ac
                  • Instruction Fuzzy Hash: F7527D71A002145ACB19F732DD66AEE73759F90308F5041BFB60A771D2EE781F88CA59

                  Control-flow Graph

                  control_flow_graph 663 415a49-415a54 664 415b25-415b3a CreatePopupMenu AppendMenuA 663->664 665 415a5a-415a5f 663->665 666 415b40 664->666 667 415a65-415a6a 665->667 668 415b0a-415b0e 665->668 670 415b42-415b45 666->670 671 415a77-415a7f 667->671 672 415a6c-415a75 667->672 668->666 669 415b10-415b1f Shell_NotifyIconA ExitProcess 668->669 674 415a81-415a84 671->674 675 415ace-415adc IsWindowVisible 671->675 673 415a91-415a9a DefWindowProcA 672->673 673->670 676 415a86-415a8c 674->676 677 415a9f-415acc GetCursorPos SetForegroundWindow TrackPopupMenu 674->677 678 415aee-415b08 ShowWindow SetForegroundWindow 675->678 679 415ade-415aec ShowWindow 675->679 676->673 677->666 678->666 679->666
                  APIs
                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 00415A94
                  • GetCursorPos.USER32(?), ref: 00415AA3
                  • SetForegroundWindow.USER32(?), ref: 00415AAC
                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00415AC6
                  • Shell_NotifyIconA.SHELL32(00000002,00467A48), ref: 00415B17
                  • ExitProcess.KERNEL32 ref: 00415B1F
                  • CreatePopupMenu.USER32 ref: 00415B25
                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 00415B3A
                   Memory Dump Source
                   • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                   Similarity
                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                  • String ID: Close
                  • API String ID: 1657328048-3535843008
                  • Opcode ID: 3e504e962ea3c35dd946fc843adab0da61294b5598716700d26172f26c4c26bb
                  • Instruction ID: b4011587fd3e9a16695e9b898f8ea1d0863b7beb583a21c878b8c8866c2b476e
                  • Opcode Fuzzy Hash: 3e504e962ea3c35dd946fc843adab0da61294b5598716700d26172f26c4c26bb
                  • Instruction Fuzzy Hash: 8F216935548209EFDB198FA4ED0EAEA3F75EB45301F000179FA06944B0D7B6A960EB1E

                  Control-flow Graph

                  APIs
                  • connect.WS2_32(?,?,?), ref: 00401726
                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00401846
                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00401854
                  • WSAGetLastError.WS2_32 ref: 00401867
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                   Memory Dump Source
                   • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                   Similarity
                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                  • API String ID: 994465650-2151626615
                  • Opcode ID: aafa84b234a9725ed83c6705888f4c042918f5a93ba48a3ad5cf2dd38e6a19be
                  • Instruction ID: fc3b47e22b7b9638642ab3b7b6a1439c02ffcef2ea28323752025821876101bf
                  • Opcode Fuzzy Hash: aafa84b234a9725ed83c6705888f4c042918f5a93ba48a3ad5cf2dd38e6a19be
                  • Instruction Fuzzy Hash: 82410531B44201B7C7047BBA891F96D7A26AB82309B40416FEC02276D3EA7DAD1587DF

                  Control-flow Graph

                  APIs
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C59
                  • SetEvent.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C68
                  • CloseHandle.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C71
                  • closesocket.WS2_32(000000FF), ref: 00401C7F
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401CB6
                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401FE3), ref: 00401CCB
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401CD2
                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401FE3), ref: 00401CE7
                  • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401FE3), ref: 00401CEC
                  • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401FE3), ref: 00401CF1
                  • SetEvent.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401CFE
                  • CloseHandle.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401D03
                   Memory Dump Source
                   • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                   Similarity
                  • API ID: CloseEvent$ObjectSingleWait$ChangeFindHandleNotification$closesocket
                  • String ID:
                  • API String ID: 4074944092-0
                  • Opcode ID: 37cb6d8543e1ee3bb7506ce3e1e55bed7cfd695e0106200a3cd08fc041010aa5
                  • Instruction ID: d4f806c8475b95b6aa7d0dc6c7be9a9421d063fd5854718ccf9566762f00af95
                  • Opcode Fuzzy Hash: 37cb6d8543e1ee3bb7506ce3e1e55bed7cfd695e0106200a3cd08fc041010aa5
                  • Instruction Fuzzy Hash: 84213831544B01AFDB316F21DC49B1ABBA2FF41326F104A2DE0E621AF0CB75E851EB58

                  Control-flow Graph

                  control_flow_graph 772 44909f-4490cf call 448e02 775 4490d1-4490dc call 434243 772->775 776 4490ea-4490f6 call 4424c5 772->776 781 4490de-4490e5 call 434256 775->781 782 44910f-449158 call 448d6d 776->782 783 4490f8-44910d call 434243 call 434256 776->783 792 4493c1-4493c7 781->792 790 4491c5-4491ce GetFileType 782->790 791 44915a-449163 782->791 783->781 797 449217-44921a 790->797 798 4491d0-449201 GetLastError call 434220 CloseHandle 790->798 795 449165-449169 791->795 796 44919a-4491c0 GetLastError call 434220 791->796 795->796 801 44916b-449198 call 448d6d 795->801 796->781 799 449223-449229 797->799 800 44921c-449221 797->800 798->781 809 449207-449212 call 434256 798->809 804 44922d-44927b call 44240e 799->804 805 44922b 799->805 800->804 801->790 801->796 815 44927d-449289 call 448f7e 804->815 816 44928b-4492af call 448b20 804->816 805->804 809->781 815->816 823 4492b3-4492bd call 43e620 815->823 821 4492b1 816->821 822 4492c2-449305 816->822 821->823 825 449326-449334 822->825 826 449307-44930b 822->826 823->792 829 4493bf 825->829 830 44933a-44933e 825->830 826->825 828 44930d-449321 826->828 828->825 829->792 830->829 831 449340-449373 CloseHandle call 448d6d 830->831 834 449375-4493a1 GetLastError call 434220 call 4425d7 831->834 835 4493a7-4493bb 831->835 834->835 835->829
                  APIs
                    • Part of subcall function 00448D6D: CreateFileW.KERNELBASE(00000000,00000000,?,00449148,?,?,00000000,?,00449148,00000000,0000000C), ref: 00448D8A
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 004491B3
                  • __dosmaperr.LIBCMT ref: 004491BA
                  • GetFileType.KERNELBASE(00000000), ref: 004491C6
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 004491D0
                  • __dosmaperr.LIBCMT ref: 004491D9
                  • CloseHandle.KERNEL32(00000000), ref: 004491F9
                  • CloseHandle.KERNEL32(00000000), ref: 00449343
                  • GetLastError.KERNEL32 ref: 00449375
                  • __dosmaperr.LIBCMT ref: 0044937C
                   Memory Dump Source
                   • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                   Similarity
                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                  • String ID: H
                  • API String ID: 4237864984-2852464175
                  • Opcode ID: c2af7d1b06a1212851ce2ec52a34d9d553b4302fcc393fb9b801bedd13947016
                  • Instruction ID: f258471b3737db3756390c2c9d99530eb108cfb44089f59e238bbd3746a2798e
                  • Opcode Fuzzy Hash: c2af7d1b06a1212851ce2ec52a34d9d553b4302fcc393fb9b801bedd13947016
                  • Instruction Fuzzy Hash: A5A13632A041049FEF19DF68D8517AF7BA0AB0A324F14019EF811EB3D1DB799D12DB59

                  Control-flow Graph

                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00415930
                    • Part of subcall function 004159C9: RegisterClassExA.USER32(00000030), ref: 00415A15
                    • Part of subcall function 004159C9: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 00415A30
                    • Part of subcall function 004159C9: GetLastError.KERNEL32 ref: 00415A3A
                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 00415967
                  • lstrcpynA.KERNEL32(Remcos,Remcos,00000080), ref: 00415981
                  • Shell_NotifyIconA.SHELL32(00000000,00467A48), ref: 00415997
                  • TranslateMessage.USER32(?), ref: 004159A3
                  • DispatchMessageA.USER32(?), ref: 004159AD
                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004159BA
                   Memory Dump Source
                   • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                   Similarity
                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                  • String ID: Remcos$Remcos
                  • API String ID: 1970332568-1427383021
                  • Opcode ID: 6840af3b0f868fa075757d5fdcec3e3c970199560f76d4881f8831560035f363
                  • Instruction ID: faf1edc93a5aedac402756c21b5fb189501910e188ddad8ff583182de876f53a
                  • Opcode Fuzzy Hash: 6840af3b0f868fa075757d5fdcec3e3c970199560f76d4881f8831560035f363
                  • Instruction Fuzzy Hash: 250121B1944249EBD7109FE1ED4CEDF7BBCEB86B09F00003AF90592560EBB855458B5A

                  Control-flow Graph

                  control_flow_graph 846 4150dd-4150fa AllocConsole GetConsoleWindow 847 415105-415144 call 433e83 call 4377e9 SetConsoleOutputCP call 41509a call 42ec50 846->847 848 4150fc-4150ff ShowWindow 846->848 857 415145-41514b 847->857 848->847 857->857 858 41514d-41515a 857->858 859 41515b-415161 858->859 859->859 860 415163-41516e 859->860 861 41516f-415175 860->861 861->861 862 415177-415193 call 413936 861->862
                  APIs
                  • AllocConsole.KERNELBASE(00467E5C), ref: 004150E6
                  • GetConsoleWindow.KERNELBASE ref: 004150EC
                  • ShowWindow.USER32(00000000,00000000), ref: 004150FF
                  • SetConsoleOutputCP.KERNELBASE(000004E4,?,?,?,00000000,75570F10), ref: 00415126
                   Memory Dump Source
                   • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                   Similarity
                  • API ID: Console$Window$AllocOutputShow
                  • String ID: Remcos v$5.0.0 Light$CONOUT$
                  • API String ID: 4067487056-3540875885
                  • Opcode ID: 8206578266f691274023d2364adc21632410c65c9ed2f139aec597bbfef102c3
                  • Instruction ID: ff137b9c6d7fa4733ae12c39c28e9430870264f94df7af7c76d777de9f2de76d
                  • Opcode Fuzzy Hash: 8206578266f691274023d2364adc21632410c65c9ed2f139aec597bbfef102c3
                  • Instruction Fuzzy Hash: 50113D71D047007ACA11EF656C06FCBB799AF92B11F100163FC4C7F152D6E62D4A46AD

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00414407: GetCurrentProcess.KERNEL32(00000000,?,00000002,0040907E,WinDir,00000000,00000000), ref: 00414418
                    • Part of subcall function 00414407: IsWow64Process.KERNEL32(00000000,?,00000002,0040907E,WinDir,00000000,00000000), ref: 0041441F
                    • Part of subcall function 0040D033: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 0040D057
                    • Part of subcall function 0040D033: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 0040D074
                    • Part of subcall function 0040D033: RegCloseKey.KERNELBASE(?), ref: 0040D07F
                  • StrToIntA.SHLWAPI(00000000,0045F27C,?,00000000,00000000,?,00467E5C,Exe,00000000,0000000E,00000000,004595AC,00000003,00000000), ref: 004139D1
                   Memory Dump Source
                   • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                   Similarity
                  • API ID: Process$CloseCurrentOpenQueryValueWow64
                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                  • API String ID: 782494840-2070987746
                  • Opcode ID: 75af28c961aad9f1d3d509f2c99c4ce64697369743e7063e3802c9358b5805d7
                  • Instruction ID: a37e34f24d51fcc0472262b49e2239fb508ed080f0187e6fdbdb8c85dbe76677
                  • Opcode Fuzzy Hash: 75af28c961aad9f1d3d509f2c99c4ce64697369743e7063e3802c9358b5805d7
                  • Instruction Fuzzy Hash: E41129B1A402001AC600F7A5DC4BAAF7B588B44309F54017FF949B31D3EABD1D8E82AF

                  Control-flow Graph

                  control_flow_graph 937 4159c9-415a1e call 42ec50 RegisterClassExA 940 415a40 937->940 941 415a20-415a38 CreateWindowExA 937->941 942 415a42-415a48 940->942 941->942 943 415a3a GetLastError 941->943 943->940
                  APIs
                  • RegisterClassExA.USER32(00000030), ref: 00415A15
                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 00415A30
                  • GetLastError.KERNEL32 ref: 00415A3A
                   Memory Dump Source
                   • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                   Similarity
                  • API ID: ClassCreateErrorLastRegisterWindow
                  • String ID: 0$MsgWindowClass
                  • API String ID: 2877667751-2410386613
                  • Opcode ID: c1f476043400c0f605409f013886e3c137927802b614bce84191cc775cb47f54
                  • Instruction ID: 8f9955ca044bdc5388bad4111c72a4c8b74e298af81136cfcbc1a21a375cadec
                  • Opcode Fuzzy Hash: c1f476043400c0f605409f013886e3c137927802b614bce84191cc775cb47f54
                  • Instruction Fuzzy Hash: 5F0129B5D00218ABDB00DFD6DCC59EFBBBCFE45395F40053AF814A6240E77459088AA4

                  Control-flow Graph

                  APIs
                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,00415131,?,?,?,00000000,75570F10), ref: 004150A4
                  • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?,?,00415131,?,?,?,00000000,75570F10), ref: 004150B1
                  • SetConsoleTextAttribute.KERNELBASE(00000000,0000000C,?,?,?,?,?,?,00415131,?,?,?,00000000,75570F10), ref: 004150BE
                  • SetConsoleTextAttribute.KERNELBASE(00000000,?,?,?,?,?,?,?,00415131,?,?,?,00000000,75570F10), ref: 004150D1
                  Strings
                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 004150C4
                   Memory Dump Source
                   • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                   Similarity
                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                  • API String ID: 3024135584-2418719853
                  • Opcode ID: cada3afb149ddae7817ec8520d72f52702fcff0883308cdb62645d729372a309
                  • Instruction ID: dbcdd4267bcad36c6c0ca05fe9f05fc7c46b0a701221cc06fd98f176dd3da12b
                  • Opcode Fuzzy Hash: cada3afb149ddae7817ec8520d72f52702fcff0883308cdb62645d729372a309
                  • Instruction Fuzzy Hash: A0E048B690424477D6102BB5AD4FC6F7B6CE74EA13B100626FE1191193D974540546B5
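The argument columns in the API lines above print raw 32-bit values, and an 8-bit immediate push such as `push -11` appears as 000000F5, so the STD_OUTPUT_HANDLE in GetStdHandle, the INFINITE timeouts in the WaitForSingleObject calls, the INVALID_SOCKET passed to closesocket and the HWND_MESSAGE parent (-3) in CreateWindowExA are easy to misread as small positive numbers. The Python script below is an added example, not Joe Sandbox or Remcos code: it parses call lines in the report's own `API.MODULE(args), ref: ADDR` layout and names the well-known constants (HKEY roots and KEY_READ in the registry calls, NIM_ADD/NIM_DELETE in Shell_NotifyIconA, code page 1252 in SetConsoleOutputCP, the FOREGROUND_* bits in SetConsoleTextAttribute, WM_USER+1 in DefWindowProcA). The sample lines are copied from entries on this page; treating a one-byte value with the top bit set as a sign-extended immediate is this example's assumption about how the listing was rendered, and `decode_call`, `summarize` and the decoder table are the example's own.

```python
"""Decode constant arguments in Joe Sandbox API call lines.

Added example for reading this report; not Joe Sandbox or Remcos code.
SAMPLE_LISTING is copied from call lines on this page. The decoder
table and the sign-extension rule below are this example's own.
"""
import re

# Call lines in the report's `API.MODULE(args), ref: ADDR` layout,
# copied from the listing above.
SAMPLE_LISTING = [
    "GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,00415131,?,?,?,00000000,75570F10), ref: 004150A4",
    "SetConsoleTextAttribute.KERNELBASE(00000000,0000000C,?,?,?,?,?,?,00415131,?,?,?,00000000,75570F10), ref: 004150BE",
    "SetConsoleOutputCP.KERNELBASE(000004E4,?,?,?,00000000,75570F10), ref: 00415126",
    "RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 0040D057",
    "CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 00415A30",
    "WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C59",
    "closesocket.WS2_32(000000FF), ref: 00401C7F",
    "Shell_NotifyIconA.SHELL32(00000002,00467A48), ref: 00415B17",
    "DefWindowProcA.USER32(?,00000401,?,?), ref: 00415A94",
    "AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 00415B3A",
]

_CALL_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})\s*$")
_HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
STD_HANDLES = {0xFFFFFFF6: "STD_INPUT_HANDLE", 0xFFFFFFF5: "STD_OUTPUT_HANDLE",
               0xFFFFFFF4: "STD_ERROR_HANDLE"}
CONSOLE_ATTR_BITS = ((0x1, "FOREGROUND_BLUE"), (0x2, "FOREGROUND_GREEN"),
                     (0x4, "FOREGROUND_RED"), (0x8, "FOREGROUND_INTENSITY"),
                     (0x10, "BACKGROUND_BLUE"), (0x20, "BACKGROUND_GREEN"),
                     (0x40, "BACKGROUND_RED"), (0x80, "BACKGROUND_INTENSITY"))


def _flags(value, bits):
    """Render a bit mask as NAME|NAME, or None when no known bit is set."""
    names = [name for bit, name in bits if value & bit]
    return "|".join(names) if names else None


# (API name, zero-based argument index) -> callable(value) -> name or None.
DECODERS = {
    ("GetStdHandle", 0): STD_HANDLES.get,
    ("RegOpenKeyExA", 0): HKEYS.get,
    ("RegCreateKeyA", 0): HKEYS.get,
    ("RegOpenKeyExA", 3): {0x20019: "KEY_READ", 0x20006: "KEY_WRITE",
                           0xF003F: "KEY_ALL_ACCESS"}.get,
    ("CreateWindowExA", 8): {0xFFFFFFFD: "HWND_MESSAGE"}.get,   # hWndParent
    ("WaitForSingleObject", 1): {0xFFFFFFFF: "INFINITE"}.get,
    ("closesocket", 0): {0xFFFFFFFF: "INVALID_SOCKET"}.get,
    ("SetConsoleOutputCP", 0): {1252: "CP 1252 (Windows-1252)", 65001: "CP_UTF8"}.get,
    ("Shell_NotifyIconA", 0): {0: "NIM_ADD", 1: "NIM_MODIFY", 2: "NIM_DELETE"}.get,
    ("SetConsoleTextAttribute", 1): lambda v: _flags(v, CONSOLE_ATTR_BITS),
    ("DefWindowProcA", 1): lambda v: ("WM_USER+%d" % (v - 0x400)) if 0x400 <= v < 0x8000 else None,
}


def _candidates(value):
    """Yield the value as printed and, for a one-byte value with the top
    bit set, its 32-bit sign extension. Assumption: the listing renders
    an imm8 push such as `push -11` as 000000F5 rather than FFFFFFF5."""
    yield value
    if 0x80 <= value <= 0xFF:
        yield value | 0xFFFFFF00


def decode_call(line):
    """Parse one call line; return None if it is not in the expected layout."""
    m = _CALL_RE.match(line)
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = [a.strip() for a in raw_args.split(",")] if raw_args.strip() else []
    decoded = {}
    for i, arg in enumerate(args):
        if not _HEX32_RE.match(arg):
            continue  # '?' (unknown), a string literal such as Close, etc.
        decoder = DECODERS.get((api, i))
        if decoder is None:
            continue
        for v in _candidates(int(arg, 16)):
            name = decoder(v)
            if name:
                decoded[i] = name
                break
    return {"api": api, "module": module, "ref": ref, "args": args, "decoded": decoded}


def summarize(lines):
    """One readable line per decodable call: `ref api(argN=NAME, ...)`."""
    out = []
    for line in lines:
        call = decode_call(line)
        if call and call["decoded"]:
            parts = ", ".join(f"arg{i}={n}" for i, n in sorted(call["decoded"].items()))
            out.append(f"{call['ref']} {call['api']}({parts})")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LISTING)))
```

Feed it the whole APIs section of a report (one call per line, bullets included) to get a symbolic view; arguments shown as `?` or as string literals are left alone, and an API/argument pair with no table entry is reported raw rather than guessed.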

                  Control-flow Graph

                  control_flow_graph 947 401d6f-401d7d 948 401d83-401d8a 947->948 949 401e08 947->949 950 401d92-401d99 948->950 951 401d8c-401d90 948->951 952 401e0a-401e0f 949->952 953 401dde-401e06 CreateEventA CreateThread 950->953 954 401d9b-401dd9 GetLocalTime call 41410a call 402a6d call 402178 call 413b81 call 402091 950->954 951->953 953->952 954->953
                  APIs
                  • GetLocalTime.KERNEL32(?), ref: 00401D9F
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00401DEB
                  • CreateThread.KERNELBASE(00000000,00000000,Function_00001F6E,?,00000000,00000000), ref: 00401DFE
                  Strings
                  • KeepAlive | Enabled | Timeout: , xrefs: 00401DB2
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Yara matches
                  Similarity
                  • API ID: Create$EventLocalThreadTime
                  • String ID: KeepAlive | Enabled | Timeout:
                  • API String ID: 2532271599-1507639952
                  • Opcode ID: d936ff517e867ec1494161e1539627597aa1b070665b7b3dd5d23c9b6f5a24f2
                  • Instruction ID: f267d0380031b3e41edc16eb56d039e36effbc4ed9ce718ade574247f38354b6
                  • Instruction Fuzzy Hash: FF11E3319042847BCB20A77B8C0DEAB7FA89BD2714F04056FF841522A2D6B89485C7B6

                  Control-flow Graph (rendered image not reproduced; basic blocks and edges as extracted)

                  • 40d202-40d219 (RegCreateKeyA) → 40d252, 40d21b-40d250
                  • 40d252 → 40d254-40d262
                  • 40d21b-40d250 (call 402020, call 402028, RegSetValueExA, RegCloseKey) → 40d254-40d262
                  • 40d254-40d262 (call 402091; exit)
                  APIs
                  • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0040D211
                  • RegSetValueExA.KERNELBASE(?,00459EE8,00000000,?,00000000,00000000,00467F30,?,?,0040A763,00459EE8,5.0.0 Light), ref: 0040D239
                  • RegCloseKey.KERNELBASE(?,?,?,0040A763,00459EE8,5.0.0 Light), ref: 0040D244
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID: 5.0.0 Light
                  • API String ID: 1818849710-1658188269
                  • Opcode ID: 4c11011ed91615ed449d557f2cb5f0cac9017d8dffc854813b342cad1c47c25c
                  • Instruction ID: 6ed167473aa60a37b0250efa5a9f8e70a21de1b3c74ed894fe2200c7977eaecf
                  • Instruction Fuzzy Hash: 6EF0F632900108FBCB00AFA0DC05EEE776CEF05304F10817ABE09A7090D6359E08DA58
                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,time,?,?,0040931D,time), ref: 0040CFA3
                  • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040931D,time), ref: 0040CFB7
                  • RegCloseKey.KERNELBASE(?,?,?,0040931D,time), ref: 0040CFC2
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID: time
                  • API String ID: 3677997916-1872009285
                  • Opcode ID: 3d9336ecc6ccbbaa375e86689aeaf5a7b0e7d31921b6354898293be20d548a3b
                  • Instruction ID: bd5a3b1d52e5f37f2b350d5c8a40c3be414df84fcb0957fc7161f8c9d89f8660
                  • Instruction Fuzzy Hash: 27E06D36901238FBDB208BA29C0DEEB7F6DEF077A4F014165BC08A3150D2314E10E6E5
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID: $YF$(YF
                  • API String ID: 269201875-3076791214
                  • Opcode ID: ea953f86e87fe0253ed0921ec9b28478cf690536176f1fe1b8f882d2ba47c8a4
                  • Instruction ID: f43705692b5ae1b3fe1dc6f6d27c1338305569b831f6e2f488c6916a8aa93b75
                  • Instruction Fuzzy Hash: BD110A715063019FE721DF26D442B57B3E8EF18368F20141FE55A87381E779A5418798
                  APIs
                  • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040A324,Exe,00000000,0000000E,00000000,004595AC,00000003,00000000), ref: 004087FE
                  • GetLastError.KERNEL32 ref: 00408804
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CreateErrorLastMutex
                  • String ID: Rmc-MG8NXC
                  • API String ID: 1925916568-2289077741
                  • Opcode ID: 314d4f172206a9eb5b92c906b09b60388ef4e13389a98520ee79ab65053193e3
                  • Instruction ID: 6baf249de0d3dc06267911a2b201103adb64cf56309d4e230eaecd3af38e6972
                  • Instruction Fuzzy Hash: BEC08C787A42005BE70923609D8EB2C2440FB4870BF10807AF207D40D0CBD48840852A
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b8ac963da1c5267d9bb276a7009a837085d75c1bb0fb8f235009d8ebb18713e5
                  • Instruction ID: 5776729281b571a109ce8e27bcb5eee91fbd24d81232978965dd987dc401f917
                  • Instruction Fuzzy Hash: 4B51C171E01209ABCB21DFA6C945FEF7BB4AF5D324F10205BF804A72D1D6789901CB69
                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 0040D057
                  • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 0040D074
                  • RegCloseKey.KERNELBASE(?), ref: 0040D07F
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID:
                  • API String ID: 3677997916-0
                  • Opcode ID: fc6920a8ad1e36ab75ba227af96c60f38fc26d49b609ac94cf8df73750947554
                  • Instruction ID: 278ad9154f1ce76a350fae622b85d711f500ae10b988d90d42188caca0eb382b
                  • Instruction Fuzzy Hash: 4A01A27AA00118BBCB209BA1DC08DDFBF7DDB45354F000166BF09B3240DA308E1A97A8
                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 0040CFF6
                  • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00467F30), ref: 0040D014
                  • RegCloseKey.ADVAPI32(?), ref: 0040D01F
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID:
                  • API String ID: 3677997916-0
                  • Opcode ID: e592611ac1df46e9894313f59dd51c70e2b68ec3ecfd636aaf19af281ba9a101
                  • Instruction ID: 33f623514ab255e65baa477c0dc56520edcd29db8e6df8999e1664f74b13a20f
                  • Instruction Fuzzy Hash: 0DF01776D00218BFDF109FE09C05FEEBBBCEB05714F1080A6FE08E6191E6315A159B98
                  APIs
                  • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0040D31E
                  • RegSetValueExA.KERNELBASE(?,00000004,00000000,00000004,?,00000004,?,?,?,00408639,00459A08,00000001), ref: 0040D339
                  • RegCloseKey.KERNELBASE(?,?,?,?,00408639,00459A08,00000001), ref: 0040D344
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID:
                  • API String ID: 1818849710-0
                  • Opcode ID: 14be83db9b41c06429f60159f8658df105e68c100aba706b4cb45cffbce0389c
                  • Instruction ID: a9c042b41267e05b5fe6fbba70f346c59bdfd29fc0071325fc843d2e7531bfd3
                  • Instruction Fuzzy Hash: AEE06D76A00208FBDF109FE09C05FEA7B6CEF06B54F104165BF08A7190D2359E18D7A9
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: H_prolog
                  • String ID: 5.0.0 Light
                  • API String ID: 3519838083-1658188269
                  • Opcode ID: fec3143edbccd31c3091bcec7273a84245e6bd5eb26d5f65487b3e3534025140
                  • Instruction ID: 079cae247f2c36820c9884641081dcb0072b2eb0e780b5d9fb90715d58c40466
                  • Instruction Fuzzy Hash: B021A271B002055BCB05BFA6869A67E77AAEB84314F10417FF809B73C1DBB85E029799
                  APIs
                  • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,0043E442,0044A1A5,00000000,00000000,00000000,00000000,00000000), ref: 0043DFA1
                  • GetLastError.KERNEL32(?,0043E442,0044A1A5,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0043DFCA
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastWrite
                  • String ID:
                  • API String ID: 442123175-0
                  • Opcode ID: 2d19c153d1ad6744e2c64f980f6d24ae0948330a4cd427f2ce19eaa6da087db1
                  • Instruction ID: 935321d5817fc7e64479544e29b95db75ca753b5934b14ab3be4d1667a1a2d05
                  • Instruction Fuzzy Hash: DF21A075A002199FCB24CF69D9C0BE9B3F9FB4C302F1044AAE547D3251D674AE85CB68
                  APIs
                  • socket.WS2_32(?,00000001,00000006), ref: 00401698
                  • CreateEventW.KERNEL32(?,?,?,?,?,00000000,00000000,00000001,00000000,?,0040157C), ref: 004016D4
                    • Part of subcall function 004016E4: WSAStartup.WS2_32(00000202,00000000), ref: 004016F9
                  Yara matches
                  Similarity
                  • API ID: CreateEventStartupsocket
                  • String ID:
                  • API String ID: 1953588214-0
                  • Opcode ID: 6f75bc97ffbe4c7096b232534de59367a28b93499fce99047ecfa8fc1d3cba5a
                  • Instruction ID: 7320db740e5de4a067090f785b63afbc9c5e7a6ae68042f9260cdd7fb55c6c09
                  • Instruction Fuzzy Hash: 75018471404B809FD7358F79B8856867FE0AB16304F084E6EF4D693BA1D3B1A841CF19
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5ba876b942a128ae7585d30a8ed8241bb7ebe32929dbda7c97020cfc4ae0ca7d
                  • Instruction ID: 0b2bdfc656d1a8f1be9913624580b806ffdfaf88d76df6e948d8f045970f806e
                  • Instruction Fuzzy Hash: 21F059317041481ACF0C8F359950E7A37458B40324F60473FF02AEA5F0DB3CE841824C
                  APIs
                  Yara matches
                  Similarity
                  • API ID: __wsopen_s
                  • String ID:
                  • API String ID: 3347428461-0
                  • Opcode ID: abfe0aeb3611c65bc85ac37db8e5cac0b71cb654ba67fe438398fff9b6840577
                  • Instruction ID: 389d575f4576099494b0386ddd5197d9fd21681687e5e665cd1bf7e71215225b
                  • Instruction Fuzzy Hash: 93115A7190420AAFCF05DF58E94499B7BF4EF48310F0040AAF809EB311E630ED15CBA9
                  APIs
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: a62dc33c8eb1dacff565b839e906bce7cfff218d1b84778382cb48491322aa9a
                  • Instruction ID: bb924868f552fff002450c2847a37319dc2c09cc7617978b7d9d1612509b7404
                  • Instruction Fuzzy Hash: BDF09A32410108BBEF105EA6DC02CDB3B6DEF89334F10015AFA2492050DA3A8D20ABA5
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,0042CBAC,?,?,0042E2F7,?,?,5.0.0 Light,?,?,004095E3,0042CBAC,?,?,?,?), ref: 0043B5F8
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 83a6ad818ff6c53f8a2d04a2b7fff5b2217f6aca838e2851348d419017da65d3
                  • Instruction ID: 1c49de10af20b36cf42706bcee2faa33b4703551abad10f9a5d42b1c0bc37b5e
                  • Instruction Fuzzy Hash: 66E0E53120561067EA3026639C02B9B7658DB8A3B8F053127BE18932D2DF28DC0182EE
                  APIs
                  • WSAStartup.WS2_32(00000202,00000000), ref: 004016F9
                  Yara matches
                  Similarity
                  • API ID: Startup
                  • String ID:
                  • API String ID: 724789610-0
                  • Opcode ID: e50017129938cfbe3221009fc5a66636bc529876c3cda7727663cbcf13723da3
                  • Instruction ID: 157fcaaa1b1371d0012ff25f3652b264474b5e48eafd55f8392509abd46d12fa
                  • Instruction Fuzzy Hash: 10D012339586484EE610AFB5AC5FCA4775CC313A11F0003BAACB5825D6F640161CC7AB
                  APIs
                  • CreateFileW.KERNELBASE(00000000,00000000,?,00449148,?,?,00000000,?,00449148,00000000,0000000C), ref: 00448D8A
                  Yara matches
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: c2e0d357e21f07e3f2a4c2d0d6279b3205c94f284d15d234eff5ee6480b74e43
                  • Instruction ID: d24ee2a4cbda0edcb0d4e7760a9dae8735a6f5960ac27fba7fda53134d690632
                  • Instruction Fuzzy Hash: 3AD06C3200010DBBDF029F84DC06EDA3BAAFB48714F018050FA1856020C772E831AB95
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CountEventTick
                  • String ID: }F$PowrProf.dll$SetSuspendState$X|F$hlight
                  • API String ID: 180926312-747135334
                  • Opcode ID: d40f5866fd22c538191de32dc926dd33d7cef8a7ff9488b12de6a57bf2daebf4
                  • Instruction ID: 35850cb6a3a728cc8f930c61bd9325d2332d1fc2fd63d224cbd8043cb7a6a1bd
                  • Opcode Fuzzy Hash: d40f5866fd22c538191de32dc926dd33d7cef8a7ff9488b12de6a57bf2daebf4
                  • Instruction Fuzzy Hash: DF52D53161430067C615FB72CC5AAAE369A9F90709F00493FF646B71D2EEBC9A48C75E
                  APIs
                  • SetEvent.KERNEL32(?,?), ref: 0040513C
                  • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 0040520A
                  • DeleteFileW.KERNEL32(00000000), ref: 0040522C
                    • Part of subcall function 0041474A: FindFirstFileW.KERNEL32(?,?,00467C58,?), ref: 004147E1
                    • Part of subcall function 0041474A: FindNextFileW.KERNEL32(00000000,?), ref: 00414818
                    • Part of subcall function 0041474A: RemoveDirectoryW.KERNEL32(?), ref: 00414892
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                    • Part of subcall function 004018E7: WaitForSingleObject.KERNEL32(?,00000000,?,00000008,00000004,00000000,0000000C,00000000), ref: 0040196B
                    • Part of subcall function 004018E7: SetEvent.KERNEL32(?), ref: 00401999
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00405619
                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004056FA
                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 00405946
                  • DeleteFileA.KERNEL32(?), ref: 00405AD4
                    • Part of subcall function 00405C8E: __EH_prolog.LIBCMT ref: 00405C93
                    • Part of subcall function 00405C8E: FindFirstFileW.KERNEL32(00000000,?,004596B8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D4C
                    • Part of subcall function 00405C8E: __CxxThrowException@8.LIBVCRUNTIME ref: 00405D74
                    • Part of subcall function 00405C8E: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D81
                  • Sleep.KERNEL32(000007D0), ref: 00405B7A
                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 00405BBC
                    • Part of subcall function 00414D34: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00414E29
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Find$AttributesDeleteEventFirstNext$DirectoryDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersRemoveShellSingleSleepStringsSystemThrowTimeWaitsend
                  • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$X|F$open
                  • API String ID: 577278831-3555090288
                  • Opcode ID: aec2215c36828261dda0155639b9b8943aca7c8b8ce1cde43719ca40adfe20b2
                  • Instruction ID: 05b9a50af31d946e475c7671406445b29bc56f919fc344a53d22da7f997295c9
                  • Opcode Fuzzy Hash: aec2215c36828261dda0155639b9b8943aca7c8b8ce1cde43719ca40adfe20b2
                  • Instruction Fuzzy Hash: 2842C0716143006BC604FB76CD5B9AF76A9AF91308F40093FF646671D2EE7C9A0C879A
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 00403B5D
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  • __Init_thread_footer.LIBCMT ref: 00403B9A
                  • CreatePipe.KERNEL32(004697C4,004697AC,004696D0,00000000,004595AC,00000000), ref: 00403C28
                  • CreatePipe.KERNEL32(004697B0,004697CC,004696D0,00000000), ref: 00403C42
                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,004696E0,004697B4), ref: 00403CB8
                  • Sleep.KERNEL32(0000012C), ref: 00403D0F
                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00403D32
                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00403D5C
                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00467D08,004595B0), ref: 00403E5C
                    • Part of subcall function 0042BE33: __onexit.LIBCMT ref: 0042BE39
                  • Sleep.KERNEL32(00000064), ref: 00403E78
                  • TerminateProcess.KERNEL32(00000000), ref: 00403E91
                  • CloseHandle.KERNEL32 ref: 00403E9D
                  • CloseHandle.KERNEL32 ref: 00403EA5
                  • CloseHandle.KERNEL32 ref: 00403EB7
                  • CloseHandle.KERNEL32 ref: 00403EBF
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                  • String ID: SystemDrive$cmd.exe
                  • API String ID: 2994406822-3633465311
                  • Opcode ID: eb2144c6879088a7cc0ca26fa3871148f1d44f3064618a89a7974109d603f9cd
                  • Instruction ID: 2e990afcd00a3dea81e5073800be4d4f6bde31a57dadd250b8f1802511b53a5e
                  • Opcode Fuzzy Hash: eb2144c6879088a7cc0ca26fa3871148f1d44f3064618a89a7974109d603f9cd
                  • Instruction Fuzzy Hash: 38919F71A10214EBDB01AFA5ED459AE3B6DEB40706B04403BF501B72E1EBF95E04CB9E
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040805D
                  • FindClose.KERNEL32(00000000), ref: 00408077
                  • FindNextFileA.KERNEL32(00000000,?), ref: 004081AE
                  • FindClose.KERNEL32(00000000), ref: 004081D4
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$CloseFile$FirstNext
                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                  • API String ID: 1164774033-3681987949
                  • Opcode ID: a72677bb71a166f414519e8a5b659af094328504ea03926f4c9eda5a675a91fd
                  • Instruction ID: 4f94b8bf480a2d25f60048e0cbb89c7e7dd9d8c7e934bf49c66b8109683cb02a
                  • Opcode Fuzzy Hash: a72677bb71a166f414519e8a5b659af094328504ea03926f4c9eda5a675a91fd
                  • Instruction Fuzzy Hash: F5519230A101299ECB14FB71DE5ADEEB734AF21304F10017FE646761D2EFB85A89CA59
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 00408271
                  • FindClose.KERNEL32(00000000), ref: 00408287
                  • FindNextFileA.KERNEL32(00000000,?), ref: 004082B1
                  • DeleteFileA.KERNEL32(00000000,00000000), ref: 00408359
                  • GetLastError.KERNEL32 ref: 00408363
                  • FindNextFileA.KERNEL32(00000000,00000010), ref: 00408377
                  • FindClose.KERNEL32(00000000), ref: 0040839D
                  • FindClose.KERNEL32(00000000), ref: 004083BE
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$Close$Next$DeleteErrorFirstLast
                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                  • API String ID: 532992503-432212279
                  • Opcode ID: 46cec3afd8b3d72ed845a21a913d91c7a5ebeaa133da141a060078f1811b4510
                  • Instruction ID: 4185785fb554f999c1faeeb4acac9fdbdfeb737a12451b5992b0b0addca91318
                  • Opcode Fuzzy Hash: 46cec3afd8b3d72ed845a21a913d91c7a5ebeaa133da141a060078f1811b4510
                  • Instruction Fuzzy Hash: C441C530A002199ACB14FBB5DD5A9EE7734AF51704F5040BFF942B21D2EF7C4A89CA99
                  APIs
                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00468490), ref: 00412E62
                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,l)A), ref: 00412EA9
                  • GetLastError.KERNEL32 ref: 00412EB7
                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,l)A), ref: 00412EE8
                  • OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,0045F170,00000000,0045F170,00000000,0045F170), ref: 00412FB8
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: EnumOpenServicesStatus$ErrorLastManagerService
                  • String ID: l)A
                  • API String ID: 2247270020-4212196795
                  • Opcode ID: 96907549ab7fac77e0f00fbabe1c494029951f25acc6c89836a5e24d9ef3990a
                  • Instruction ID: d264db8b8c5d9a478fa0d09f102a3fd09bb1d4c248c32138f15a226e4fea9a1d
                  • Opcode Fuzzy Hash: 96907549ab7fac77e0f00fbabe1c494029951f25acc6c89836a5e24d9ef3990a
                  • Instruction Fuzzy Hash: C3815C31D00109ABCB19EFA1DC569EEBB38AF14315F20802AF51677191EF786F49CB68
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0$1$2$3$4$5$6$7
                  • API String ID: 0-3177665633
                  • Opcode ID: 5e13a832282d04adc9dacdba49628d85bf4086f26f455590aac93263adb8a903
                  • Instruction ID: 35f2c05aca6331e3732f54b1b5bc80d0b86fa55a0efc87c60c4c190cdc24fdc2
                  • Opcode Fuzzy Hash: 5e13a832282d04adc9dacdba49628d85bf4086f26f455590aac93263adb8a903
                  • Instruction Fuzzy Hash: 1A71E2B05083019ED315EF21C966FAA77949F44310F10492FF692A72D1DAB89D8DC75B
                  APIs
                  • FindFirstFileW.KERNEL32(?,?,00467C58,?), ref: 004147E1
                  • FindNextFileW.KERNEL32(00000000,?), ref: 00414818
                  • RemoveDirectoryW.KERNEL32(?), ref: 00414892
                  • FindClose.KERNEL32(00000000), ref: 004148C0
                  • RemoveDirectoryW.KERNEL32(?), ref: 004148C9
                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 004148E6
                  • DeleteFileW.KERNEL32(?), ref: 004148F3
                  • GetLastError.KERNEL32 ref: 0041491B
                  • FindClose.KERNEL32(00000000), ref: 0041492E
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                  • String ID:
                  • API String ID: 2341273852-0
                  • Opcode ID: 1ebe723779194890503f37595d29db6cdbaca6cd5793d8023b4d327d9dbf2b4b
                  • Instruction ID: 59a2a6a0a0dd354fac896b1dee2bd25d777e498892ce3c8d72424d50605989a0
                  • Opcode Fuzzy Hash: 1ebe723779194890503f37595d29db6cdbaca6cd5793d8023b4d327d9dbf2b4b
                  • Instruction Fuzzy Hash: 825109785001598ACF24EF78C8496FBB375BF95304F5041FAE85593250EB758ECACB58
                  APIs
                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040DA73
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040DA7F
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0040DC4F
                  • GetProcAddress.KERNEL32(00000000), ref: 0040DC56
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressCloseCreateLibraryLoadProcsend
                  • String ID: SHDeleteKeyW$Shlwapi.dll
                  • API String ID: 2127411465-314212984
                  • Opcode ID: 6447683f1b1733a961ecda42eb74efba603233e643243340e654287d72e7e6c9
                  • Instruction ID: 9f2fa19e73ec771d4a0adc0517a574324c105796e8dfe951968de96579d08b7c
                  • Opcode Fuzzy Hash: 6447683f1b1733a961ecda42eb74efba603233e643243340e654287d72e7e6c9
                  • Instruction Fuzzy Hash: A1C1F972A1430066C604BB76CD5B96E36A99F91744F40093FF646BB1D3ED7C9A0CC39A
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C663
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C670
                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004448EC
                  • IsValidCodePage.KERNEL32(00000000), ref: 00444947
                  • IsValidLocale.KERNEL32(?,00000001), ref: 00444956
                  • GetLocaleInfoW.KERNEL32(?,00001001,0043A127,00000040,?,0043A247,00000055,00000000,?,?,00000055,00000000), ref: 0044499E
                  • GetLocaleInfoW.KERNEL32(?,00001002,0043A1A7,00000040), ref: 004449BD
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                  • String ID: |9E
                  • API String ID: 745075371-2862116995
                  • Opcode ID: 6517d000027fcbf355b133341a61dcf5ff39b3889022135580409da348402ddb
                  • Instruction ID: c92189df352bf76efcbee2e2a3257d68bbccd9af34c5c9e418e2743967608ea8
                  • Opcode Fuzzy Hash: 6517d000027fcbf355b133341a61dcf5ff39b3889022135580409da348402ddb
                  • Instruction Fuzzy Hash: BF51A275E00219ABFB10EFA5DC45BBF73B8EF88705F14002BE910E7290D7789A449769
                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0044492B,?,00000000), ref: 004446A5
                  • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0044492B,?,00000000), ref: 004446CE
                  • GetACP.KERNEL32(?,?,0044492B,?,00000000), ref: 004446E3
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID: +ID$ACP$OCP
                  • API String ID: 2299586839-3856522704
                  • Opcode ID: cd9fadb5b5fbe73cee739787da7e12a62cd3f1960f4a65a8d1d09c9eb58ac8cd
                  • Instruction ID: c6fe66558d1291670d97f1f96fd45a312db4112c26bc7529de6b7212a7c10bee
                  • Opcode Fuzzy Hash: cd9fadb5b5fbe73cee739787da7e12a62cd3f1960f4a65a8d1d09c9eb58ac8cd
                  • Instruction Fuzzy Hash: 7921A126A00104ABF7308F54D901B9B73AAEFD6F65B578466E909DB310E73EDE41C398
                  APIs
                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 00407EFC
                  • GetLastError.KERNEL32 ref: 00407F06
                  Strings
                  • [Chrome StoredLogins not found], xrefs: 00407F20
                  • [Chrome StoredLogins found, cleared!], xrefs: 00407F2C
                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00407EC7
                  • UserProfile, xrefs: 00407ECC
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteErrorFileLast
                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  • API String ID: 2018770650-1062637481
                  • Opcode ID: 03905197c63807e49d752704fb3a915704c341a31f53a087d5c142ecebb14106
                  • Instruction ID: 2844ca57af16fbe20e8b2b3324451e36b3965f0c50f9402fd351fcd483c36375
                  • Opcode Fuzzy Hash: 03905197c63807e49d752704fb3a915704c341a31f53a087d5c142ecebb14106
                  • Instruction Fuzzy Hash: D2012631E941069BCA04BB75CE1B8EE7724A961305F50013FFA02731D2ED7E5909C2DB
                  APIs
                  • GetCurrentProcess.KERNEL32(00000028,00000026,00000000,?,?,?,0040FC02,00000026), ref: 00410D32
                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,0040FC02,00000026), ref: 00410D39
                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00410D4B
                  • AdjustTokenPrivileges.ADVAPI32(00000026,00000000,?,00000000,00000000,00000000), ref: 00410D6A
                  • GetLastError.KERNEL32 ref: 00410D70
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                  • String ID: SeShutdownPrivilege
                  • API String ID: 3534403312-3733053543
                  • Opcode ID: 005ac2fd3aa13d631cc96157393ce89f281683ea659a9513876e66e3ba1009c3
                  • Instruction ID: ffa9c983efe9b31ed6450dac27be982ff06a25f4c9877fb6036920e8f9a7ed49
                  • Opcode Fuzzy Hash: 005ac2fd3aa13d631cc96157393ce89f281683ea659a9513876e66e3ba1009c3
                  • Instruction Fuzzy Hash: 52F05E75901128BBDB109BE0DD0DEEF7FBCEF46319F000061F905A2051D6744A09CBB5
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: __floor_pentium4
                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                  • API String ID: 4168288129-2761157908
                  • Opcode ID: f26a1156701156544b6b5d25301be7810b43124cdce6ee77678dc33005582dd9
                  • Instruction ID: db0babf06ad3de6f7f618d5a7d0c73918af3c5dafe8b3c2b6264871fe941357a
                  • Opcode Fuzzy Hash: f26a1156701156544b6b5d25301be7810b43124cdce6ee77678dc33005582dd9
                  • Instruction Fuzzy Hash: ECC22971E086288FEB25CE289D407EEB7B5EB44305F1545EBD44DE7240EB78AE828F45
                  APIs
                  • __EH_prolog.LIBCMT ref: 004072EA
                    • Part of subcall function 0040170E: connect.WS2_32(?,?,?), ref: 00401726
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00407382
                  • FindFirstFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004073E0
                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00407438
                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?), ref: 0040744F
                    • Part of subcall function 00401C4F: WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C59
                    • Part of subcall function 00401C4F: SetEvent.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C68
                    • Part of subcall function 00401C4F: CloseHandle.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C71
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0040768B
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Close$File$EventException@8FirstH_prologHandleNextObjectSingleThrowWaitconnectsend
                  • String ID:
                  • API String ID: 4178801697-0
                  • Opcode ID: a2a5a5a2fb7719402060d17954d5f187711b51555f2e13b115c5e37fcb2136a2
                  • Instruction ID: 5e4876d4a4a7dc638a55f6d92524dabf71615842e1d611546469fd3dc7bbd544
                  • Opcode Fuzzy Hash: a2a5a5a2fb7719402060d17954d5f187711b51555f2e13b115c5e37fcb2136a2
                  • Instruction Fuzzy Hash: 8BC1AD319001189BDB14EB60DD92AEE7779AF10318F50417EE906B71E1EF38AF49CB99
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,00412DA8,00000000), ref: 00413129
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00412DA8,00000000), ref: 0041313D
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00412DA8,00000000), ref: 0041314A
                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00412DA8,00000000), ref: 00413155
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00412DA8,00000000), ref: 00413167
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00412DA8,00000000), ref: 0041316A
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ManagerStart
                  • String ID:
                  • API String ID: 276877138-0
                  • Opcode ID: 87e9fc9bedbc5a357e8ee31cbec511879b42677facf5d0e240742efbe727e957
                  • Instruction ID: bec7c06133c89f649e2bfd37b6159326400c1dade623c89345cc990071d1831c
                  • Opcode Fuzzy Hash: 87e9fc9bedbc5a357e8ee31cbec511879b42677facf5d0e240742efbe727e957
                  • Instruction Fuzzy Hash: ECF0B4759012187FE2116F259C89DFF3B2CDB863A9B00403AF90593240CE78CD4795B8
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0043A12E,?,?,?,?,00439B85,?,00000004), ref: 00443F8A
                  • _wcschr.LIBVCRUNTIME ref: 0044401A
                  • _wcschr.LIBVCRUNTIME ref: 00444028
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0043A12E,00000000,0043A24E), ref: 004440CB
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                  • String ID: |9E
                  • API String ID: 4212172061-2862116995
                  • Opcode ID: d9d7672ef082b98a1509e5f820655f2facbea7f7046a1e8d76539270322a7f4e
                  • Instruction ID: 31d34a130b3a729fbb28845095a51c6b44683f80b175821af3f170206089662c
                  • Opcode Fuzzy Hash: d9d7672ef082b98a1509e5f820655f2facbea7f7046a1e8d76539270322a7f4e
                  • Instruction Fuzzy Hash: F6610C71A00206AAFB24AF35CC42BB773A8EF44B15F14046FFA05DB681EB78DD548769
                  APIs
                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 00413B4B
                  • LoadResource.KERNEL32(00000000,?,?,0040A627,00000000), ref: 00413B5F
                  • LockResource.KERNEL32(00000000,?,?,0040A627,00000000), ref: 00413B66
                  • SizeofResource.KERNEL32(00000000,?,?,0040A627,00000000), ref: 00413B75
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Resource$FindLoadLockSizeof
                  • String ID: SETTINGS
                  • API String ID: 3473537107-594951305
                  • Opcode ID: 263d98506411805d18de30793c85a23ac3b7c2f73439d8eab52d1c55755b40a5
                  • Instruction ID: 49884d02b580b25fa5a7f21f27448669bae6497f2193e2261974fa49dfd00e01
                  • Opcode Fuzzy Hash: 263d98506411805d18de30793c85a23ac3b7c2f73439d8eab52d1c55755b40a5
                  • Instruction Fuzzy Hash: A8E04F7AA00610AFC7212FE1AD8CD0B7EB9EBCA752B140235FD01D7221EA768804CF59
                  APIs
                  • __EH_prolog.LIBCMT ref: 00407738
                    • Part of subcall function 00406B5E: char_traits.LIBCPMT ref: 00406B79
                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004077B0
                  • FindNextFileW.KERNEL32(00000000,?), ref: 004077D9
                  • FindClose.KERNEL32(000000FF), ref: 004077F0
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstH_prologNextchar_traits
                  • String ID:
                  • API String ID: 3260228402-0
                  • Opcode ID: 48a812ebe57da1145a3ed2a4e1717bfcafc659f98a68f7f2abbf034b27950549
                  • Instruction ID: fcbc0df6a1822dbcecb7010c47b11ebfa4ac72cdf2e3eb7e4c2cf03aa24a3859
                  • Opcode Fuzzy Hash: 48a812ebe57da1145a3ed2a4e1717bfcafc659f98a68f7f2abbf034b27950549
                  • Instruction Fuzzy Hash: 99914A329000199BCB15FFA1CC929EE7779AF10348F14417BE906B71E1EB39AB49CB59
                  APIs
                  • __EH_prolog.LIBCMT ref: 00405C93
                  • FindFirstFileW.KERNEL32(00000000,?,004596B8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D4C
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00405D74
                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D81
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405EE1
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                  • String ID:
                  • API String ID: 1771804793-0
                  • Opcode ID: 4dc10004f8516029f12307610167d6d01f67c603a4dc2334a114a19cb8d2d58e
                  • Instruction ID: 453d059f9ac87b88ae1432b4cf64c859f612644ce6363cecf91ca4319d81190e
                  • Opcode Fuzzy Hash: 4dc10004f8516029f12307610167d6d01f67c603a4dc2334a114a19cb8d2d58e
                  • Instruction Fuzzy Hash: C4716D71900109AACB04FF61CD569EE7769EF20348F50417BF906A71D2EB389B49CB98
                  APIs
                    • Part of subcall function 0040C60C: SetLastError.KERNEL32(0000000D,0040CB8B,00000000,00000000,?), ref: 0040C612
                  • SetLastError.KERNEL32(000000C1,00000000,00000000,?), ref: 0040CBA2
                  • GetNativeSystemInfo.KERNEL32(?,00000000,00000000,?), ref: 0040CC15
                  • GetProcessHeap.KERNEL32(00000008,00000040), ref: 0040CC81
                  • HeapAlloc.KERNEL32(00000000), ref: 0040CC88
                  • SetLastError.KERNEL32(0000045A), ref: 0040CD9A
                    • Part of subcall function 0040CB1F: VirtualFree.KERNEL32(00008000,00000000,00000000,?,0040CCA1,00000000,00000000,00008000,00000000), ref: 0040CB2B
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$Heap$AllocFreeInfoNativeProcessSystemVirtual
                  • String ID:
                  • API String ID: 486403682-0
                  • Opcode ID: 22395f4933e44b814d9213120d1e83cd35a3ad6338915e567d393491fa60e4ed
                  • Instruction ID: ea73f07de6651c4e82948dc819bc37a2f9300d69118c5b4379de466dbde7bce3
                  • Opcode Fuzzy Hash: 22395f4933e44b814d9213120d1e83cd35a3ad6338915e567d393491fa60e4ed
                  • Instruction Fuzzy Hash: 5B61CF70A00201EBDB109F66C9C2B6ABBB5BF84704F14427AE905BB7C1D77CE941CB99
                  APIs
                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00414E29
                    • Part of subcall function 0040D202: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0040D211
                    • Part of subcall function 0040D202: RegSetValueExA.KERNELBASE(?,00459EE8,00000000,?,00000000,00000000,00467F30,?,?,0040A763,00459EE8,5.0.0 Light), ref: 0040D239
                    • Part of subcall function 0040D202: RegCloseKey.KERNELBASE(?,?,?,0040A763,00459EE8,5.0.0 Light), ref: 0040D244
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateInfoParametersSystemValue
                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                  • API String ID: 4127273184-3576401099
                  • Opcode ID: 78191bc79f49b320be693b0004d014e668833fe2ef1668b744f9c0e77b77d201
                  • Instruction ID: 14f10faeeb16cbab0ab1cfa950db1497f097791f039d57847ba24a01d1ff5ef1
                  • Opcode Fuzzy Hash: 78191bc79f49b320be693b0004d014e668833fe2ef1668b744f9c0e77b77d201
                  • Instruction Fuzzy Hash: 8A11A472B8020073E905317A4D5BFAE2C059782B91F91016FFE017A6D7D9DE4A5943CF
                  APIs
                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,C:\Users\user\Desktop\jcXViWLNuc.exe), ref: 004321E4
                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,C:\Users\user\Desktop\jcXViWLNuc.exe), ref: 004321EE
                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,C:\Users\user\Desktop\jcXViWLNuc.exe), ref: 004321FB
                  Strings
                  • C:\Users\user\Desktop\jcXViWLNuc.exe, xrefs: 00432105
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID: C:\Users\user\Desktop\jcXViWLNuc.exe
                  • API String ID: 3906539128-3214969289
                  • Opcode ID: 02b13287a3595de36f67e55b3cb109ba53d031277fde6a3259b414d85e8154b0
                  • Instruction ID: c4d41cae6f202ef3d0728250dde5efdd4fa0880195ef5f8b9763ae35930ad3ae
                  • Opcode Fuzzy Hash: 02b13287a3595de36f67e55b3cb109ba53d031277fde6a3259b414d85e8154b0
                  • Instruction Fuzzy Hash: 7131D574D412289BCB21DF65DD89B9DB7B8BF08310F5042EAE81CA7251E7749B818F49
                  APIs
                    • Part of subcall function 00414407: GetCurrentProcess.KERNEL32(00000000,?,00000002,0040907E,WinDir,00000000,00000000), ref: 00414418
                    • Part of subcall function 00414407: IsWow64Process.KERNEL32(00000000,?,00000002,0040907E,WinDir,00000000,00000000), ref: 0041441F
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A81F
                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040A841
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040A9C8
                  • CloseHandle.KERNEL32(00000000), ref: 0040A9D7
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProcessProcess32$CloseCreateCurrentFirstHandleNextSnapshotToolhelp32Wow64
                  • String ID:
                  • API String ID: 715332099-0
                  • Opcode ID: 8cea1e09518d7db44a5dac986d4f7b1bf2f649968252413dc2545da2b34be04f
                  • Instruction ID: 521dabc77453bcb0d366b47ad7fe17908ff1c6cc59b4fd0e678ff5608fd382c5
                  • Opcode Fuzzy Hash: 8cea1e09518d7db44a5dac986d4f7b1bf2f649968252413dc2545da2b34be04f
                  • Instruction Fuzzy Hash: B6412031A002299BC715FB61DC56AEEB379AF50304F1041BEF60A721D2EF785EC9CA59
                  APIs
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00404B51
                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00404BE8
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: DownloadExecuteFileShell
                  • String ID: open
                  • API String ID: 2825088817-2758837156
                  • Opcode ID: 7352c15f6536f63560b643f24dfb25d26e55f974590ec2649859a29435151220
                  • Instruction ID: 35a4ebca1e0eedd33469471f32abd1b573a6d2d001e2c1539756ec9c34dff70f
                  • Opcode Fuzzy Hash: 7352c15f6536f63560b643f24dfb25d26e55f974590ec2649859a29435151220
                  • Instruction Fuzzy Hash: 1341F47160430066DA15FA31C95AA6E37A99BC1705F40093FBB42BB1D2EE7C9A0CC75A
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C663
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C670
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004442E7
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00444338
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004443F8
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorInfoLastLocale$_free$_abort
                  • String ID:
                  • API String ID: 2829624132-0
                  • Opcode ID: 5a697efdbd16430438a37962a99753d2dbef6065a103794a1ee48c219bada2c3
                  • Instruction ID: b7550aed3b493740c364c046e61b81ea2d7e197d2446d9bdf00d9a7a254af881
                  • Opcode Fuzzy Hash: 5a697efdbd16430438a37962a99753d2dbef6065a103794a1ee48c219bada2c3
                  • Instruction Fuzzy Hash: 9561B171A001079BFB28DF25CC82BBA77A8FF84704F1442ABED05C6685EB78D951DB58
                  APIs
                  • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000001,?,0042AF52,00000024,00000006,00000000,00000000), ref: 0042B1B0
                  • CryptGenRandom.ADVAPI32(00000000,00000000,?,?,0042AF52,00000024,00000006,00000000,00000000,?,?,?,?,?,?,00425774), ref: 0042B1C5
                  • CryptReleaseContext.ADVAPI32(00000000,00000000,?,0042AF52,00000024,00000006,00000000,00000000,?,?,?,?,?,?,00425774,00000006), ref: 0042B1D7
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Context$AcquireRandomRelease
                  • String ID:
                  • API String ID: 1815803762-0
                  • Opcode ID: 44790d241726070a8538b1cfb3a01e3b0616d6fed35af51b31dbe4d762727151
                  • Instruction ID: 99b08457bcb1c86eba9384c602cc432831f81beb16bfd056ec796fc6dabe24e6
                  • Opcode Fuzzy Hash: 44790d241726070a8538b1cfb3a01e3b0616d6fed35af51b31dbe4d762727151
                  • Instruction Fuzzy Hash: 7DF09235308220BBEB311F15FC18F673F59DB82BE8F640136FA09E50E4D7628812969C
                  APIs
                  • GetCurrentProcess.KERNEL32(00000003,?,0043898A,00000003,004619C0,0000000C,00438A9D,00000003,00000002,00000000,?,0043B5C5,00000003), ref: 004389D5
                  • TerminateProcess.KERNEL32(00000000,?,0043898A,00000003,004619C0,0000000C,00438A9D,00000003,00000002,00000000,?,0043B5C5,00000003), ref: 004389DC
                  • ExitProcess.KERNEL32 ref: 004389EE
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID:
                  • API String ID: 1703294689-0
                  • Opcode ID: 5053c5042ab8a702aed5d37823a3e82b60a3b6d5fbb9c76a68a5d583bca2dd4e
                  • Instruction ID: 9077858e183ca5193bab35e0c6da0670afc4f5376d598408ceef6535c01fa92d
                  • Opcode Fuzzy Hash: 5053c5042ab8a702aed5d37823a3e82b60a3b6d5fbb9c76a68a5d583bca2dd4e
                  • Instruction Fuzzy Hash: 82E04635401248ABCF116F64DC0AA5A7F29FF4A386F005429F8098B222CF39EC42DB48
                  APIs
                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004104FF,00000000), ref: 00414090
                  • NtSuspendProcess.NTDLL(00000000), ref: 0041409D
                  • CloseHandle.KERNEL32(00000000,?,?,004104FF,00000000), ref: 004140A6
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseHandleOpenSuspend
                  • String ID:
                  • API String ID: 1999457699-0
                  • Opcode ID: 98bcb0a75b01a230d3a7b9bce0f5d78367cd9b842b6af71bcdf543dd3dd9526f
                  • Instruction ID: c720cd441d1fb4c363525b0041f600ad16199b9571234511a1c7b87690cb6eba
                  • Opcode Fuzzy Hash: 98bcb0a75b01a230d3a7b9bce0f5d78367cd9b842b6af71bcdf543dd3dd9526f
                  • Instruction Fuzzy Hash: 5BD0A7375041206782301BAA7C0CC9BEDACEFC6AB17060139F505D32109A70880186E4
                  APIs
                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004104DA,00000000), ref: 004140BC
                  • NtResumeProcess.NTDLL(00000000), ref: 004140C9
                  • CloseHandle.KERNEL32(00000000,?,?,004104DA,00000000), ref: 004140D2
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseHandleOpenResume
                  • String ID:
                  • API String ID: 3614150671-0
                  • Opcode ID: 9fad2a502fa7faa9e5f51105b4b9b611271f95e00a70c0f950de53cf66ccd0e7
                  • Instruction ID: b573a9e7073962d667ed29fcfea639aa8662b63cbaacc0304d5545022f3d3f39
                  • Opcode Fuzzy Hash: 9fad2a502fa7faa9e5f51105b4b9b611271f95e00a70c0f950de53cf66ccd0e7
                  • Instruction Fuzzy Hash: 18D0A7375045206382311BAA7C0CC9BED6CEFC6AB27060139F505D32109A70880586E4
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .
                  • API String ID: 0-248832578
                  • Opcode ID: 33736077106ea9c41a55e7d57557f930262da454b6c215421cb9d1619f4ffb89
                  • Instruction ID: 8b481f37cf34a6864c2d130e8fdcc313354078d9f2934eb3c92a84ffaea2f645
                  • Opcode Fuzzy Hash: 33736077106ea9c41a55e7d57557f930262da454b6c215421cb9d1619f4ffb89
                  • Instruction Fuzzy Hash: 533135719002496FEB24DEB9CC85EFB7BBDDB85308F0401AEFA18D7251E634AE508B54
                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00439B85,?,00000004), ref: 0043D36F
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID: GetLocaleInfoEx
                  • API String ID: 2299586839-2904428671
                  • Opcode ID: 64a7c0f2a9de8ab2aaecb69340f8927a81e6880a3c6918ded6173dccb186d561
                  • Instruction ID: 99bc655a3bc1be28c86baa9407a67e1ab84f9eff57967d72aef827ad82e7914b
                  • Opcode Fuzzy Hash: 64a7c0f2a9de8ab2aaecb69340f8927a81e6880a3c6918ded6173dccb186d561
                  • Instruction Fuzzy Hash: 26F0F031E40318BBCB11AF61AC02F6E7B25EF09B11F00001AFD05672A0DE759E10D79E
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 924d3e53c1e03b780691302e42ee5c6770a1e5cbaa53b05eb7f5580d33f8b10d
                  • Instruction ID: 0b6f7ab68621607683436a4c384d7e772e94304ea69e48c1928831daa74a75f7
                  • Opcode Fuzzy Hash: 924d3e53c1e03b780691302e42ee5c6770a1e5cbaa53b05eb7f5580d33f8b10d
                  • Instruction Fuzzy Hash: 5D023C71E002199BDF14DFA9C8807AEF7F5EF88324F25816AD919E7344D734AA41CB94
                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00404D0E
                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00404DCE
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileFind$FirstNextsend
                  • String ID:
                  • API String ID: 4113138495-0
                  • Opcode ID: 505f218192b50bd77820bfb60d5f156b65f0f4f4987af29c65fb0a3728c195aa
                  • Instruction ID: 6f49344318bfe85daec384318d0861b169a496eeea52fdc1f4ab8bff2f12ce31
                  • Opcode Fuzzy Hash: 505f218192b50bd77820bfb60d5f156b65f0f4f4987af29c65fb0a3728c195aa
                  • Instruction Fuzzy Hash: DE218071910118AACB04FBA1DC9ADEE7738AF51308F40017BF60A771D1EF786A49CA99
                  APIs
                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004454F6,?,?,00000008,?,?,00449C5D,00000000), ref: 00445728
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID:
                  • API String ID: 3997070919-0
                  • Opcode ID: 57b167dff027822b40cd9bf0cc99b9618bd263b207ef16c4545e6c5eba121c6f
                  • Instruction ID: d0ea70422cec9f165c84079b10fdce7f9c306530441617810e3d9b208016dc25
                  • Opcode Fuzzy Hash: 57b167dff027822b40cd9bf0cc99b9618bd263b207ef16c4545e6c5eba121c6f
                  • Instruction Fuzzy Hash: 9DB16F31510A08DFEB15CF28C48AB657BE1FF45364F658669E899CF3A2C339D982CB44
                  APIs
                  • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 0042C394
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: FeaturePresentProcessor
                  • String ID:
                  • API String ID: 2325560087-0
                  • Opcode ID: 3e73572192df25099f623df8e9ec90d92daa5c76d3d8bfcedde04a24219424a9
                  • Instruction ID: 06289575ebfd2b144f51e73def67dabbd1ce3b4c491e5894815ca5d526aa7d77
                  • Opcode Fuzzy Hash: 3e73572192df25099f623df8e9ec90d92daa5c76d3d8bfcedde04a24219424a9
                  • Instruction Fuzzy Hash: 4151A071E012259BDB28CF69E9C56AEBBF0FF44314F62806AD815E7350E3789940CB65
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C663
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C670
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00444537
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free$InfoLocale_abort
                  • String ID:
                  • API String ID: 1663032902-0
                  • Opcode ID: a2d943a086185b7fc15ae0d4757faef8adc798fcf4b9c2ae125c48aeb90dc98f
                  • Instruction ID: 0375e17c0aef0fa5086038b5f7089d8883eb037e1f51a5b42556dae727e64806
                  • Opcode Fuzzy Hash: a2d943a086185b7fc15ae0d4757faef8adc798fcf4b9c2ae125c48aeb90dc98f
                  • Instruction Fuzzy Hash: 7421B37250021ABBFF249F65DC82BBB73A8EB85314F10017BEA01D6281EB799D41CB59
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                  • EnumSystemLocalesW.KERNEL32(00444293,00000001,00000000,?,0043A127,?,004448C0,00000000,?,?,?), ref: 004441DD
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                  • String ID:
                  • API String ID: 1084509184-0
                  • Opcode ID: 3502736ba63b8e2c7d2c35b1c24bef305e40c3b3e814cca2c2f1ad96b4cddafe
                  • Instruction ID: d817b4c82914c360351b7ae4efef5bcd2a1477d4c4c983c316b00783dbbb98dd
                  • Opcode Fuzzy Hash: 3502736ba63b8e2c7d2c35b1c24bef305e40c3b3e814cca2c2f1ad96b4cddafe
                  • Instruction Fuzzy Hash: 9B11553A2043005FEB189F39D8917BBB792FFC0368B14442EE94697B40D779B842C740
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004444B1,00000000,00000000,?), ref: 0044473F
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$InfoLocale_abort_free
                  • String ID:
                  • API String ID: 2692324296-0
                  • Opcode ID: 0643c3a1bd1a9dd71bf00954fb3fb47e5b33a20a2d41db757f750b7f10676e6f
                  • Instruction ID: c41b3cfd152ec3217f3411773d566e8b8c6644d072675bcfad230fe154c94bdb
                  • Opcode Fuzzy Hash: 0643c3a1bd1a9dd71bf00954fb3fb47e5b33a20a2d41db757f750b7f10676e6f
                  • Instruction Fuzzy Hash: 15F0F936900115BBFB249B258846BBB7758EB81758F04456AEC15A3240EB78BD43C6D4
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                  • EnumSystemLocalesW.KERNEL32(004444E3,00000001,?,?,0043A127,?,00444884,0043A127,?,?,?,?,?,0043A127,?,?), ref: 00444252
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                  • String ID:
                  • API String ID: 1084509184-0
                  • Opcode ID: a9a1ec533c4e2d1cea5ea59d622ff66105d46555b1406077cbd2a6d00cfb2eaa
                  • Instruction ID: 8685162fc4afcdf5fd098cdcf66e118da8e65faba114f29a95636c84a7f67ac7
                  • Opcode Fuzzy Hash: a9a1ec533c4e2d1cea5ea59d622ff66105d46555b1406077cbd2a6d00cfb2eaa
                  • Instruction Fuzzy Hash: 5AF0C2762043045FEB245F39AC81B7ABB95FFC07A8F15446EFA458B680D6B5AC01C654
                  APIs
                    • Part of subcall function 0043AD17: EnterCriticalSection.KERNEL32(-00465500,?,004386DA,00000000,004619A0,0000000C,00438695,00000000,?,?,0043AFB5,00000000,?,0043C6B9,00000001,00000364), ref: 0043AD26
                  • EnumSystemLocalesW.KERNEL32(0043CE6F,00000001,00461B48,0000000C), ref: 0043CEED
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: CriticalEnterEnumLocalesSectionSystem
                  • String ID:
                  • API String ID: 1272433827-0
                  • Opcode ID: cee707a51fd36459098d413192212e3f916418e3fb2c362fdff28a2d4da702d2
                  • Instruction ID: 934304bcd1dbe48ad47870c6af69179c224af78579b9be482c8ba5d8f89128c7
                  • Opcode Fuzzy Hash: cee707a51fd36459098d413192212e3f916418e3fb2c362fdff28a2d4da702d2
                  • Instruction Fuzzy Hash: 3CF06272A10210EFDB10EF69D886B4D77F1EB48715F10502AF510DB2E1DBB859409F9A
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                  • EnumSystemLocalesW.KERNEL32(00444077,00000001,?,?,?,004448E2,0043A127,?,?,?,?,?,0043A127,?,?,?), ref: 00444157
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                  • String ID:
                  • API String ID: 1084509184-0
                  • Opcode ID: 137ef4ed3f435a18bd1a40161f596dc9d47b5cf04a749f1b92ca8ae6f06f2a38
                  • Instruction ID: fadf5640887e04a154483176a322383a6a9ac895239db3a81ee7e9225e9547f7
                  • Opcode Fuzzy Hash: 137ef4ed3f435a18bd1a40161f596dc9d47b5cf04a749f1b92ca8ae6f06f2a38
                  • Instruction Fuzzy Hash: A1F0553A30024557DB149F35C849B7B7FA0EFD1B54F06005AEA058BA90C63AA882C754
                  APIs
                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,0040EF02,00467C58,004685A8,00467C58,00000000,00467C58,00000000,00467C58,5.0.0 Light), ref: 0040A7E7
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID:
                  • API String ID: 2299586839-0
                  • Opcode ID: 6ddfbf7d2207e5d6d8ec799a117bb3087f28e3f41abf0016fa46f88250cd763c
                  • Instruction ID: 9a798ae02f157338c708f63c1b9ad51c28855ef9b4bc681706038201a566eb8d
                  • Opcode Fuzzy Hash: 6ddfbf7d2207e5d6d8ec799a117bb3087f28e3f41abf0016fa46f88250cd763c
                  • Instruction Fuzzy Hash: 10D05B7074011D77D51496859C0EEAA779CD701755F000166BE04D72C0D9F05E0447D1
                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(Function_0002C6C9,0042C179), ref: 0042C6C2
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: 094e6a82d95d6692359290b52c5e995304a6b7eb75435aa066142c39170e18a0
                  • Instruction ID: d9664f68c8221137b110d1ef9bd69654236c1139d3ad4c086aaf65efa94659a4
                  • Opcode Fuzzy Hash: 094e6a82d95d6692359290b52c5e995304a6b7eb75435aa066142c39170e18a0
                  • Instruction Fuzzy Hash:
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: 00ef9a7d3e26296a65ddfeab7daadc8cf88223517f11c320cda8b7a0b82f5a53
                  • Instruction ID: 30eacb981cb6278b9ede921612644d04ced7297ace774c55fa6f37c82e0ba73a
                  • Opcode Fuzzy Hash: 00ef9a7d3e26296a65ddfeab7daadc8cf88223517f11c320cda8b7a0b82f5a53
                  • Instruction Fuzzy Hash: 8B5176A060164777EF3CA92884567BF67999F0E304F1AF80FD9C2D7382C62C9D06861E
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: c4e470230f592cf2ea01b95aa03d306a2ecdbbcafd652f7a80073b6ae47f5522
                  • Instruction ID: 621a70b502a6b5c6d37222a8ff5bbc931b0a3dc879fdfe3d88000f589cd0ccb1
                  • Opcode Fuzzy Hash: c4e470230f592cf2ea01b95aa03d306a2ecdbbcafd652f7a80073b6ae47f5522
                  • Instruction Fuzzy Hash: D551576060060B76DB34696884557BF67D89B0F344F1AF41FD882EB382C50DFD06975E
                  Similarity
                  • API ID:
                  • String ID: @
                  • API String ID: 0-2766056989
                  • Opcode ID: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
                  • Instruction ID: 58a32b67fd52e4b5a0fde5ac6498c231c723e7108e1cbf5630fede9056be8aeb
                  • Opcode Fuzzy Hash: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
                  • Instruction Fuzzy Hash: F341F376D102199BCB04CFA9C5817DEFBF1FF88314F25816AE905B3350D375AA828B84
                  Similarity
                  • API ID:
                  • String ID: W3@
                  • API String ID: 0-335922567
                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                  • Instruction ID: ec8441004770c7bd0e6604dddaea9bb83db662958cd391b005bda1a29ca50b28
                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                  • Instruction Fuzzy Hash: 6F112677300071C3DA548A6FF4B47B7A39EEAC63207AD43EBC0434B798C12AA9419528
                  APIs
                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00411D54
                  • CreateCompatibleDC.GDI32(00000000), ref: 00411D60
                    • Part of subcall function 004121BD: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 004121F1
                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411DCB
                  • DeleteDC.GDI32(004595D0), ref: 00411DE3
                  • DeleteDC.GDI32(00000000), ref: 00411DE6
                  • DeleteObject.GDI32(?), ref: 00411DEA
                  • SelectObject.GDI32(00000000,00000000), ref: 00411E07
                  • DeleteDC.GDI32(004595D0), ref: 00411E1A
                  • DeleteDC.GDI32(00000000), ref: 00411E1D
                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,004595D0,00000000,00000000,?,?,00CC0020), ref: 00411E41
                  • GetCursorInfo.USER32(?,?,?,00000000), ref: 00411E5C
                  • GetIconInfo.USER32(?,?), ref: 00411E70
                  • DeleteObject.GDI32(?), ref: 00411E95
                  • DeleteObject.GDI32(?), ref: 00411E9E
                  • DrawIcon.USER32(?,00000000,00000000,?), ref: 00411EAD
                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00411ED8
                  • GetObjectA.GDI32(00000000,00000018,?), ref: 00411EFB
                  • LocalAlloc.KERNEL32(00000040,00000001,?,?,00000000), ref: 00411F61
                  • GlobalAlloc.KERNEL32(00000000,?,?,?,00000000), ref: 00411FCA
                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00411FEA
                  • DeleteDC.GDI32(004595D0), ref: 00411FFD
                  • DeleteDC.GDI32(00000000), ref: 00412000
                  • DeleteObject.GDI32(00000000), ref: 00412005
                  • GlobalFree.KERNEL32(?), ref: 0041200F
                  • DeleteObject.GDI32(00000000), ref: 004120B4
                  • GlobalFree.KERNEL32(?), ref: 004120BB
                  • DeleteDC.GDI32(004595D0), ref: 004120CA
                  • DeleteDC.GDI32(00000000), ref: 004120D5
                  Similarity
                  • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                  • String ID: DISPLAY
                  • API String ID: 4256916514-865373369
                  • Opcode ID: 4eef245477b2cac1330de91626b8b7de2612fcf0d5592a4cb2291e85346c77b0
                  • Instruction ID: 6754f39ffeb4237899f5a11fba91f3ac5ffa3ca2bb12ebe9639fee6d98070a97
                  • Opcode Fuzzy Hash: 4eef245477b2cac1330de91626b8b7de2612fcf0d5592a4cb2291e85346c77b0
                  • Instruction Fuzzy Hash: B7C16C75E00219AFDB14DFA4DC45BEEBBB9FF09304F00406AEA05E72A0DB74A945CB59
                  APIs
                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041379A
                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 004137AE
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004137D3
                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00467C58,00000000), ref: 004137E9
                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041382A
                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00413842
                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00413856
                  • SetEvent.KERNEL32 ref: 00413877
                  • WaitForSingleObject.KERNEL32(000001F4), ref: 00413888
                  • CloseHandle.KERNEL32 ref: 00413898
                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 004138BA
                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 004138C4
                  Similarity
                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                  • API String ID: 738084811-1354618412
                  • Opcode ID: cae28591a129194fd829c2a9309d6facea740c7026911d0c2981a63167973e0c
                  • Instruction ID: bd2fa42c21b04a4ddea9e7df4cec845cad49f386d966d5b6bb162bea7320357c
                  • Opcode Fuzzy Hash: cae28591a129194fd829c2a9309d6facea740c7026911d0c2981a63167973e0c
                  • Instruction Fuzzy Hash: 1851E4B1A001087FE705BB65DC92CBF3B6CAE51349B10413FF902A71D2EE785E49866E
                  APIs
                    • Part of subcall function 0040D18B: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7
                    • Part of subcall function 0040D18B: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
                    • Part of subcall function 0040D18B: RegCloseKey.ADVAPI32(00000000), ref: 0040D1CB
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408B30
                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408B43
                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 00408B5F
                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00408B8D
                  • ShellExecuteW.SHELL32(00000000,open,00000000,0045962C,0045962C,00000000), ref: 00408DB0
                  • ExitProcess.KERNEL32 ref: 00408DBC
                    • Part of subcall function 00409474: char_traits.LIBCPMT ref: 00409484
                  Similarity
                  • API ID: File$Attributes$CloseDeleteExecuteExitModuleNameOpenProcessQueryShellValuechar_traits
                  • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                  • API String ID: 1918141659-2254097358
                  • Opcode ID: 229165c8840bd156d5f4d1d4d664171c3e035cefed46bf5ea66966c5fd41dc6b
                  • Instruction ID: c5d0144a2ae36d70927c377d3784265ebcbc611e1e7a997d8d49b6472f4ec663
                  • Opcode Fuzzy Hash: 229165c8840bd156d5f4d1d4d664171c3e035cefed46bf5ea66966c5fd41dc6b
                  • Instruction Fuzzy Hash: F9712A31A01204ABCB09EB61E9529EE7769AF50309B64807FB506771D2EF7C2E0AC65C
                  APIs
                    • Part of subcall function 0040D18B: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7
                    • Part of subcall function 0040D18B: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
                    • Part of subcall function 0040D18B: RegCloseKey.ADVAPI32(00000000), ref: 0040D1CB
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,C:\Users\user\Desktop\jcXViWLNuc.exe,00467F30,5.0.0 Light), ref: 00408880
                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408893
                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,C:\Users\user\Desktop\jcXViWLNuc.exe,00467F30,5.0.0 Light), ref: 004088C5
                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,C:\Users\user\Desktop\jcXViWLNuc.exe,00467F30,5.0.0 Light), ref: 004088D3
                  • ShellExecuteW.SHELL32(00000000,open,00000000,0045962C,0045962C,00000000), ref: 00408ACA
                  • ExitProcess.KERNEL32 ref: 00408AD1
                  Strings
                  Similarity
                  • API ID: File$Attributes$CloseDeleteExecuteExitModuleNameOpenProcessQueryShellValue
                  • String ID: ")$.vbs$5.0.0 Light$C:\Users\user\Desktop\jcXViWLNuc.exe$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                  • API String ID: 1304132890-51178650
                  APIs
                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040E7CF
                  • LoadLibraryA.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0040E815
                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0040E82F
                  • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00000000,00000000), ref: 0040E83A
                  • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E877
                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0040E889
                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E894
                  • GetProcAddress.KERNEL32(00000000,0045EF50), ref: 0040E8A3
                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E8BA
                  Strings
                  Similarity
                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                  • String ID: PE$\ws2_32$\wship6$\E$getaddrinfo$hE
                  • API String ID: 2490988753-2677158126
                  APIs
                  Similarity
                  • API ID: _free$EnvironmentVariable$_wcschr
                  • String ID:
                  • API String ID: 3899193279-0
                  APIs
                  • lstrlenW.KERNEL32(?,00000000,?), ref: 00414488
                  • lstrlenW.KERNEL32(?), ref: 004144B0
                  • FindFirstVolumeW.KERNEL32(?,00000104), ref: 004144D7
                  • GetLastError.KERNEL32 ref: 004144E5
                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041455B
                  • lstrcmpW.KERNEL32(?,?), ref: 00414574
                  • FindNextVolumeW.KERNEL32(00000018,?,00000104), ref: 0041458D
                  • FindVolumeClose.KERNEL32(00000018), ref: 004145CD
                  • GetLastError.KERNEL32 ref: 004145E1
                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,00000105,00000105), ref: 00414613
                  • lstrcatW.KERNEL32(?,?), ref: 0041462B
                  • lstrcpyW.KERNEL32(?,?), ref: 00414639
                  • GetLastError.KERNEL32 ref: 00414641
                  Strings
                  Similarity
                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuerylstrcatlstrcmplstrcpy
                  • String ID: ?
                  • API String ID: 1756451316-1684325040
                  APIs
                  • ___free_lconv_mon.LIBCMT ref: 004434DA
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 004426EF
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 00442701
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 00442713
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 00442725
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 00442737
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 00442749
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 0044275B
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 0044276D
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 0044277F
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 00442791
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 004427A3
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 004427B5
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 004427C7
                  • _free.LIBCMT ref: 004434CF
                    • Part of subcall function 0043BEA5: HeapFree.KERNEL32(00000000,00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000), ref: 0043BEBB
                    • Part of subcall function 0043BEA5: GetLastError.KERNEL32(00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000,00000000), ref: 0043BECD
                  • _free.LIBCMT ref: 004434F1
                  • _free.LIBCMT ref: 00443506
                  • _free.LIBCMT ref: 00443511
                  • _free.LIBCMT ref: 00443533
                  • _free.LIBCMT ref: 00443546
                  • _free.LIBCMT ref: 00443554
                  • _free.LIBCMT ref: 0044355F
                  • _free.LIBCMT ref: 00443597
                  • _free.LIBCMT ref: 0044359E
                  • _free.LIBCMT ref: 004435BB
                  • _free.LIBCMT ref: 004435D3
                  Strings
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                  • String ID: xAF
                  • API String ID: 161543041-3548281371
                  APIs
                  Strings
                  Similarity
                  • API ID: _free
                  • String ID: pAF
                  • API String ID: 269201875-3714919331
                  APIs
                  Similarity
                  • API ID: _free$Info
                  • String ID:
                  • API String ID: 2509303402-0
                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406180
                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 004061B6
                  • __aulldiv.LIBCMT ref: 004061E0
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                  • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 004062E6
                  • ReadFile.KERNEL32(?,00000000,000186A0,?,00000000), ref: 00406301
                  • CloseHandle.KERNEL32(?), ref: 004063C4
                  • CloseHandle.KERNEL32(?), ref: 00406400
                  • CloseHandle.KERNEL32(?), ref: 0040644F
                  Strings
                  Similarity
                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $X|F
                  • API String ID: 3086580692-2448825271
                  APIs
                  Strings
                  Similarity
                  • API ID: _free
                  • String ID: <VF$<VF$@VF$pAF$tAF
                  • API String ID: 269201875-3149002956
                  APIs
                    • Part of subcall function 0040D18B: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7
                    • Part of subcall function 0040D18B: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
                    • Part of subcall function 0040D18B: RegCloseKey.ADVAPI32(00000000), ref: 0040D1CB
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408E36
                  • ShellExecuteW.SHELL32(00000000,open,00000000,0045962C,0045962C,00000000), ref: 00408F95
                  • ExitProcess.KERNEL32 ref: 00408FA1
                  Strings
                  Similarity
                  • API ID: CloseExecuteExitFileModuleNameOpenProcessQueryShellValue
                  • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                  • API String ID: 2135335499-2411266221
                  APIs
                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040915E
                  Strings
                  Similarity
                  • API ID: LongNamePath
                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                  • API String ID: 82841172-425784914
                  APIs
                  • SetEvent.KERNEL32(?,?), ref: 0040330D
                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004033BD
                  • TranslateMessage.USER32(?), ref: 004033CC
                  • DispatchMessageA.USER32(?), ref: 004033D7
                  • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 0040348F
                  • HeapFree.KERNEL32(00000000,00000000,?), ref: 004034C7
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  Strings
                  Similarity
                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                  • String ID: CloseChat$DisplayMessage$GetMessage
                  • API String ID: 2956720200-749203953
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00412B9E,00000000), ref: 004131F1
                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00412B9E,00000000), ref: 00413208
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412B9E,00000000), ref: 00413215
                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00412B9E,00000000), ref: 00413224
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412B9E,00000000), ref: 00413235
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412B9E,00000000), ref: 00413238
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID:
                  • API String ID: 221034970-0
                  APIs
                  • _free.LIBCMT ref: 0043C524
                    • Part of subcall function 0043BEA5: HeapFree.KERNEL32(00000000,00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000), ref: 0043BEBB
                    • Part of subcall function 0043BEA5: GetLastError.KERNEL32(00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000,00000000), ref: 0043BECD
                  • _free.LIBCMT ref: 0043C530
                  • _free.LIBCMT ref: 0043C53B
                  • _free.LIBCMT ref: 0043C546
                  • _free.LIBCMT ref: 0043C551
                  • _free.LIBCMT ref: 0043C55C
                  • _free.LIBCMT ref: 0043C567
                  • _free.LIBCMT ref: 0043C572
                  • _free.LIBCMT ref: 0043C57D
                  • _free.LIBCMT ref: 0043C58B
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  Strings
                  Similarity
                  • API ID:
                  • String ID: 65535$udp
                  • API String ID: 0-1267037602
                  • Opcode ID: 294e5188d84f63982fac9725afcfcd6b69464ebbb7ea8a39a57d8f816ffa08d2
                  • Instruction ID: 49d50f31532c904576114a46d556afe4d15bd6e05c959a6d923d4506dbea0b6a
                  • Opcode Fuzzy Hash: 294e5188d84f63982fac9725afcfcd6b69464ebbb7ea8a39a57d8f816ffa08d2
                  • Instruction Fuzzy Hash: ED51E235600205ABDB248F2AD809BBB3764EB41340F088C7BEC41A73D1E73ECD619A69
                  APIs
                    • Part of subcall function 00409474: char_traits.LIBCPMT ref: 00409484
                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004108D0
                    • Part of subcall function 00414995: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149B2
                  • Sleep.KERNEL32(00000064), ref: 004108FC
                  • DeleteFileW.KERNEL32(00000000), ref: 0041092C
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CreateDeleteExecuteShellSleepchar_traits
                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                  • API String ID: 2701014334-2001430897
                  • Opcode ID: 5322e8377441615cfe43036d095e99c03694ce4edc005fe3e5cbd432f67369b1
                  • Instruction ID: 649befc1bdbc967cf37dcd0602f11568b2954d481243b05d7a8e013ad2fb5259
                  • Opcode Fuzzy Hash: 5322e8377441615cfe43036d095e99c03694ce4edc005fe3e5cbd432f67369b1
                  • Instruction Fuzzy Hash: A1316F719101189ADB08FBA1DC92EEE7724AF10304F40017FF506770D2EE785E8ACA58
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040BD4B
                  • int.LIBCPMT ref: 0040BD5E
                    • Part of subcall function 00409864: std::_Lockit::_Lockit.LIBCPMT ref: 00409875
                    • Part of subcall function 00409864: std::_Lockit::~_Lockit.LIBCPMT ref: 0040988F
                  • std::locale::_Getfacet.LIBCPMT ref: 0040BD67
                  • std::_Facet_Register.LIBCPMT ref: 0040BD9E
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDA7
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040BDC5
                  • __Init_thread_footer.LIBCMT ref: 0040BE06
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
                  • String ID: QF
                  • API String ID: 2409581025-4212332354
                  • Opcode ID: e2264b22f1d783c7bcc0a0d2506abdff25276be16bd236ad74a987be273730e3
                  • Instruction ID: 09e96e7057cbc55d3f4a205848f92d87d3c0cf58768ad79e84684d0470a9d74a
                  • Opcode Fuzzy Hash: e2264b22f1d783c7bcc0a0d2506abdff25276be16bd236ad74a987be273730e3
                  • Instruction Fuzzy Hash: FD210432A006249BCB04EB69E9419DE7768DF44724B60417FF404B73D2EBB89D018BDD
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6ebcd19dd8ea4aaa66f822712df9da184658bb392bc63acd6694766bb71bde39
                  • Instruction ID: af0672775ae0156a28360151f1c3b7a31f31081405023bcfc625b595f62d43bb
                  • Opcode Fuzzy Hash: 6ebcd19dd8ea4aaa66f822712df9da184658bb392bc63acd6694766bb71bde39
                  • Instruction Fuzzy Hash: 9AC1E970D042459FEF11DFA8D841BAEBBB0BF49310F14409BEA14A7392D7789951CF6A
                  APIs
                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0044738E,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00447161
                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0044738E,00000000,00000000,?,00000001,?,?,?,?), ref: 004471E4
                  • __alloca_probe_16.LIBCMT ref: 0044721C
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0044738E,?,0044738E,00000000,00000000,?,00000001,?,?,?,?), ref: 00447277
                  • __alloca_probe_16.LIBCMT ref: 004472C6
                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0044738E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044728E
                    • Part of subcall function 0043B5C6: RtlAllocateHeap.NTDLL(00000000,0042CBAC,?,?,0042E2F7,?,?,5.0.0 Light,?,?,004095E3,0042CBAC,?,?,?,?), ref: 0043B5F8
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0044738E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044730A
                  • __freea.LIBCMT ref: 00447335
                  • __freea.LIBCMT ref: 00447341
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                  • String ID:
                  • API String ID: 201697637-0
                  • Opcode ID: fa2af291714716c827d99f9792f2db6a916c2868c8cb06fdb154a1010fbb4181
                  • Instruction ID: 12d0403d258b220dcc3b0481ec1b61b5071a14faeeee8fdcc8ea0df3d1fe83d2
                  • Opcode Fuzzy Hash: fa2af291714716c827d99f9792f2db6a916c2868c8cb06fdb154a1010fbb4181
                  • Instruction Fuzzy Hash: A891C371E082169AFB248E65CC81EEFBBB5AF09714F18455BED00E7341DB28DC42C7A9
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                  • _memcmp.LIBVCRUNTIME ref: 0043AADE
                  • _free.LIBCMT ref: 0043AB4F
                  • _free.LIBCMT ref: 0043AB68
                  • _free.LIBCMT ref: 0043AB9A
                  • _free.LIBCMT ref: 0043ABA3
                  • _free.LIBCMT ref: 0043ABAF
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorLast$_abort_memcmp
                  • String ID: C
                  • API String ID: 1679612858-1037565863
                  • Opcode ID: c21c5b9015e533256efbda0bb32b5a4d6ec8f40b43f474bf37c10997b8c74c41
                  • Instruction ID: 0c4d8b62e11b48f220935ba042654483d693afbfc79999ee0a582e562d63e247
                  • Opcode Fuzzy Hash: c21c5b9015e533256efbda0bb32b5a4d6ec8f40b43f474bf37c10997b8c74c41
                  • Instruction Fuzzy Hash: 42B13775A012199FDB24DF18C885BAEB7B5FF48304F1085AEE949A7350E738AE90CF45
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: tcp$udp
                  • API String ID: 0-3725065008
                  • Opcode ID: a5d8df89a668cbce1b951fa4099479226ad52a16bf42fdbcbcf2d451977e4a1a
                  • Instruction ID: e41cde888cb84cab5534ebd0c22eadc40ae511836058fd877fedfdbdda4abd49
                  • Opcode Fuzzy Hash: a5d8df89a668cbce1b951fa4099479226ad52a16bf42fdbcbcf2d451977e4a1a
                  • Instruction Fuzzy Hash: 62816E70A0021AEBDF248F96C98566A7BB1EF04305F14887BE805B73D0E778CD61DB99
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 00414A4B
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414CFF
                  • RegCloseKey.ADVAPI32(?), ref: 00414D13
                  Strings
                  • DisplayName, xrefs: 00414ABF
                  • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00414A3F
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                  • API String ID: 1332880857-3614651759
                  • Opcode ID: 102c754f6db2c918d87e9fad86f8a8ffa0097f2d352cec0743043ea34be09aea
                  • Instruction ID: 43297fea3dedd97e28625b6416bcccf0ab8070b56c23e27658d4eba5031ed536
                  • Opcode Fuzzy Hash: 102c754f6db2c918d87e9fad86f8a8ffa0097f2d352cec0743043ea34be09aea
                  • Instruction Fuzzy Hash: DB8150719000189FDB19EB61DC52AEEB778AF54305F2041BFB50AB7191EF386F4ACA58
                  APIs
                    • Part of subcall function 0041133B: __EH_prolog.LIBCMT ref: 00411340
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004111EB
                  • CloseHandle.KERNEL32(00000000), ref: 004111F4
                  • DeleteFileA.KERNEL32(00000000), ref: 00411203
                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004111B7
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                  • String ID: <$@$Temp
                  • API String ID: 1704390241-1032778388
                  • Opcode ID: 2364f98d2105d1c9f75bdf3f5f64019ca18ef37328902b5832c135fa4703618f
                  • Instruction ID: ad04bf931f7867cc53fbebc0e8fffc18bd5d028930098c656fedf11ecfda1b99
                  • Opcode Fuzzy Hash: 2364f98d2105d1c9f75bdf3f5f64019ca18ef37328902b5832c135fa4703618f
                  • Instruction Fuzzy Hash: 9B41B431A002099BDB15FB61DD5AAEE7734AF10305F40417EF606760E2EF781E89CB99
                  APIs
                    • Part of subcall function 00406B5E: char_traits.LIBCPMT ref: 00406B79
                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 00404E61
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA9
                  • CloseHandle.KERNEL32(00000000), ref: 00404EE3
                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00404EFB
                  • CloseHandle.KERNEL32(?), ref: 00404F1F
                  • DeleteFileW.KERNEL32(00000000), ref: 00404F2E
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
                  • String ID: .part
                  • API String ID: 820096542-3499674018
                  • Opcode ID: 82eaa74071aecc03f03f41c7058cc80d71f3295a554235d2acfe12381442790a
                  • Instruction ID: 5c36687aa40538048aa4780b78d7a9adf0fa4287d792cb94eb1ee9f5321ee973
                  • Opcode Fuzzy Hash: 82eaa74071aecc03f03f41c7058cc80d71f3295a554235d2acfe12381442790a
                  • Instruction Fuzzy Hash: 5C315CB5D00219ABDB04EFA5DD468EEB778FB84311F10857AFA01B3190DB746E48CB98
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,00412D30,00000000), ref: 0041318A
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00412D30,00000000), ref: 0041319E
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D30,00000000), ref: 004131AB
                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00412D30,00000000), ref: 004131BA
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D30,00000000), ref: 004131CC
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D30,00000000), ref: 004131CF
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID: 0-A
                  • API String ID: 221034970-4208662379
                  • Opcode ID: 26c269b2b5b415636ec90b355a214fbc3be7e10cc918407cc0eb80d971509374
                  • Instruction ID: 4190613ea1f760789cbad35551d2ce1ddae63fac486eef5c4cb23c6bf5310e8a
                  • Opcode Fuzzy Hash: 26c269b2b5b415636ec90b355a214fbc3be7e10cc918407cc0eb80d971509374
                  • Instruction Fuzzy Hash: FEF0F635A012187FD2106F259C89EBF7B6CDB86365F000076FD0593141DF289E4795B9
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00412C3A,00000000), ref: 004132F5
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00412C3A,00000000), ref: 00413309
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412C3A,00000000), ref: 00413316
                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00412C3A,00000000), ref: 00413325
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412C3A,00000000), ref: 00413337
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412C3A,00000000), ref: 0041333A
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID: :,A
                  • API String ID: 221034970-3998721020
                  • Opcode ID: 7290b1de14312650045ba83e55dcc57750f0edd5e6043cc5f61598c88f1327a8
                  • Instruction ID: 15d15653b68353dd679e809e6ec4728b72dbc48d278b86db564465cb233afa91
                  • Opcode Fuzzy Hash: 7290b1de14312650045ba83e55dcc57750f0edd5e6043cc5f61598c88f1327a8
                  • Instruction Fuzzy Hash: 75F0F6759012187BD2116F25AC49EBF3B6CDB86265F00006AFE0997141DF38CE4795BD
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00436E4A,00436E4A,?,?,?,0043CE58,00000001,00000001,23E85006), ref: 0043CC61
                  • __alloca_probe_16.LIBCMT ref: 0043CC99
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0043CE58,00000001,00000001,23E85006,?,?,?), ref: 0043CCE7
                  • __alloca_probe_16.LIBCMT ref: 0043CD7E
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043CDE1
                  • __freea.LIBCMT ref: 0043CDEE
                    • Part of subcall function 0043B5C6: RtlAllocateHeap.NTDLL(00000000,0042CBAC,?,?,0042E2F7,?,?,5.0.0 Light,?,?,004095E3,0042CBAC,?,?,?,?), ref: 0043B5F8
                  • __freea.LIBCMT ref: 0043CDF7
                  • __freea.LIBCMT ref: 0043CE1C
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                  • String ID:
                  • API String ID: 3864826663-0
                  • Opcode ID: aa72fb37263ec7774e26f631fb98f19815b435717cb4ad8385503ed5a82bf28c
                  • Instruction ID: 0912c9ce66cd9b2932528824e70a82a690157903a232b8cd9281ba3b8db62955
                  • Opcode Fuzzy Hash: aa72fb37263ec7774e26f631fb98f19815b435717cb4ad8385503ed5a82bf28c
                  • Instruction Fuzzy Hash: 3151B472A00216ABDB258F64CC81EAB7BAAEB48754F15563AF905F6240DB38DC50C758
                  APIs
                  • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000), ref: 00412878
                  • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00412896
                  • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004128B3
                  • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004128C5
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 004128DC
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 004128F9
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 00412915
                  • SendInput.USER32(00000001,?,0000001C,?), ref: 00412932
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: InputSend
                  • String ID:
                  • API String ID: 3431551938-0
                  • Opcode ID: 587c2c9c09c8a70936073821a9182f181da1d14b611035e4b063ad142e6f8d31
                  • Instruction ID: b65633c945fab3acf205a051b09c2427f02832200925faa26f4ab4285d26be98
                  • Opcode Fuzzy Hash: 587c2c9c09c8a70936073821a9182f181da1d14b611035e4b063ad142e6f8d31
                  • Instruction Fuzzy Hash: 2C313071D5025DA9FB109BD5CC46FFFBB78AF18714F04000AE600AA1C2D6E995858BE5
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Event
                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                  • API String ID: 4201588131-168337528
                  • Opcode ID: 74a6e9d38416634356b6872006514cb5c36970034d5b4ab2db1b6ccd0ce19543
                  • Instruction ID: c92056b20dc9bf3fae846537b07ab36f7947da9daa6e81f239864184b9ec0149
                  • Opcode Fuzzy Hash: 74a6e9d38416634356b6872006514cb5c36970034d5b4ab2db1b6ccd0ce19543
                  • Instruction Fuzzy Hash: C7419231A143109BC604BB35CD5AA6E3A95AB41714F40463FF905B72D2EFBC9909C78E
                  APIs
                  • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0043E3E5,0044A1A5,00000000,00000000,00000000,00000000,00000000), ref: 0043DCB2
                  • __fassign.LIBCMT ref: 0043DD2D
                  • __fassign.LIBCMT ref: 0043DD48
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0043DD6E
                  • WriteFile.KERNEL32(?,00000000,00000000,0043E3E5,00000000,?,?,?,?,?,?,?,?,?,0043E3E5,0044A1A5), ref: 0043DD8D
                  • WriteFile.KERNEL32(?,0044A1A5,00000001,0043E3E5,00000000,?,?,?,?,?,?,?,?,?,0043E3E5,0044A1A5), ref: 0043DDC6
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                  • String ID:
                  • API String ID: 1324828854-0
                  • Opcode ID: b0842eb0f3a19637c26f20ab8a3a0f438c03f7ac224a8ecb38f271b88ece1a51
                  • Instruction ID: f9ff8145c7802d69b68e0807d832188e1e7334bcf18ca1b04f1e67c0e13b88ac
                  • Opcode Fuzzy Hash: b0842eb0f3a19637c26f20ab8a3a0f438c03f7ac224a8ecb38f271b88ece1a51
                  • Instruction Fuzzy Hash: 4851BFB1E00609AFCB10CFA8E881AEEBBB5FF0D300F14456AE551E7291E7749951CB69
                  APIs
                    • Part of subcall function 0040D033: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 0040D057
                    • Part of subcall function 0040D033: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 0040D074
                    • Part of subcall function 0040D033: RegCloseKey.KERNELBASE(?), ref: 0040D07F
                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 00408457
                  • PathFileExistsA.SHLWAPI(?), ref: 00408464
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                  • API String ID: 1133728706-4073444585
                  • Opcode ID: 07ec844a35af1eab60777bde60706366a64d5fec3982bd01d4ac9b07599154bc
                  • Instruction ID: d4c107e0a2a60d174b8eb14a8049b3fa6967e586068c38da7eb9b938dd98d54a
                  • Opcode Fuzzy Hash: 07ec844a35af1eab60777bde60706366a64d5fec3982bd01d4ac9b07599154bc
                  • Instruction Fuzzy Hash: 4821A571A0021596CB04FBB1CE5BDEE77289F55308F84003FBA41772C2EE7C5949C699
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f8d67d838cba7ae6643fc231b92a3ea0e4a27433a772fcaf6ae334517963e3ec
                  • Instruction ID: d4fb6aa5a6f4f3f6f26ae499fe221ed113336c66fb169326c0f6f0770eed75ad
                  • Opcode Fuzzy Hash: f8d67d838cba7ae6643fc231b92a3ea0e4a27433a772fcaf6ae334517963e3ec
                  • Instruction Fuzzy Hash: 49115732504114BBEB206F769C0596B7A6CEFCA774F10065AF825D3291DA3CC8009269
                  APIs
                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00413A3D
                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 00413A54
                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 00413A6B
                  • InternetCloseHandle.WININET(00000000), ref: 00413AAB
                  • InternetCloseHandle.WININET(?), ref: 00413AB0
                  Strings
                  • http://geoplugin.net/json.gp, xrefs: 00413A4B
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleOpen$FileRead
                  • String ID: http://geoplugin.net/json.gp
                  • API String ID: 3121278467-91888290
                  • Opcode ID: 1d35924211fd6d3ca7fd81e902c68168a7243ae8d72f4add1dc609e780773222
                  • Instruction ID: 0c70c8ff12340d49335c6931f1b45108ae4ea8819ebf5f5e342574acd6559fd7
                  • Opcode Fuzzy Hash: 1d35924211fd6d3ca7fd81e902c68168a7243ae8d72f4add1dc609e780773222
                  • Instruction Fuzzy Hash: 73119335901214BBCB24ABA69D49DEF7FBCDF06764F20007EF905B2281DA785E40C6A5
                  APIs
                    • Part of subcall function 00442E11: _free.LIBCMT ref: 00442E3A
                  • _free.LIBCMT ref: 00443118
                    • Part of subcall function 0043BEA5: HeapFree.KERNEL32(00000000,00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000), ref: 0043BEBB
                    • Part of subcall function 0043BEA5: GetLastError.KERNEL32(00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000,00000000), ref: 0043BECD
                  • _free.LIBCMT ref: 00443123
                  • _free.LIBCMT ref: 0044312E
                  • _free.LIBCMT ref: 00443182
                  • _free.LIBCMT ref: 0044318D
                  • _free.LIBCMT ref: 00443198
                  • _free.LIBCMT ref: 004431A3
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: a8cd47d3cfa0aed6907b9f5707d3247d80cbe860e9efca63a93b6f0d316e7495
                  • Instruction ID: 514b17becd18eddbe0435b57e08186c78f646e4a9e344aa64bfce05e92a373ce
                  • Opcode Fuzzy Hash: a8cd47d3cfa0aed6907b9f5707d3247d80cbe860e9efca63a93b6f0d316e7495
                  • Instruction Fuzzy Hash: C2115E31540704AAE620B7B2CD07FDB77AC9F04705F80082EB7996A053D7BAA5144654
                  APIs
                  • GetLastError.KERNEL32(?,?,00431C8C,0042EED4), ref: 00431CA3
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00431CB1
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00431CCA
                  • SetLastError.KERNEL32(00000000,?,00431C8C,0042EED4), ref: 00431D1C
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: d95248e79e9614f468323e3478d543c470c5e6b9e0e37615c035713204aef643
                  • Instruction ID: 2c398e4a0ffb902d7d0625a3abf4894a61d5cdd8f58e9f020c870dbfa0318f37
                  • Opcode Fuzzy Hash: d95248e79e9614f468323e3478d543c470c5e6b9e0e37615c035713204aef643
                  • Instruction Fuzzy Hash: 4701D83220D2315EEB1417B67C85A672765EB8A379F30223FF624451F1EF994C01A14D
                  APIs
                  • GetLastError.KERNEL32(C:\Users\user\Desktop\jcXViWLNuc.exe,00000000,00000000,00432251,00000000,00467F30,?,004322D5,00000000,00000000,00000000,00000000,00000000,?,00467F30), ref: 0043C68D
                  • _free.LIBCMT ref: 0043C6C2
                  • _free.LIBCMT ref: 0043C6E9
                  • SetLastError.KERNEL32(00000000), ref: 0043C6F6
                  • SetLastError.KERNEL32(00000000), ref: 0043C6FF
                  Strings
                  • C:\Users\user\Desktop\jcXViWLNuc.exe, xrefs: 0043C68C
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free
                  • String ID: C:\Users\user\Desktop\jcXViWLNuc.exe
                  • API String ID: 3170660625-3214969289
                  • Opcode ID: ce95754dfb230c17aea5217a948b11656378896c81104db7b960cfcb3f4f63c4
                  • Instruction ID: 34688c5844deaaeeec10bcaec9d50f835338e08310b160136632a4be31570924
                  • Opcode Fuzzy Hash: ce95754dfb230c17aea5217a948b11656378896c81104db7b960cfcb3f4f63c4
                  • Instruction Fuzzy Hash: 1501F97664070127D21127766CCBD6B266DABDE379F20302BF915B2292FFACCC02426D
                  APIs
                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 00407F8B
                  • GetLastError.KERNEL32 ref: 00407F95
                  Strings
                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 00407F56
                  • UserProfile, xrefs: 00407F5B
                  • [Chrome Cookies found, cleared!], xrefs: 00407FBB
                  • [Chrome Cookies not found], xrefs: 00407FAF
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteErrorFileLast
                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  • API String ID: 2018770650-304995407
                  • Opcode ID: 7c10d4d9d26ab4ea89e017dda8363944b3ac029fca86a6095bd209b9c10ae5af
                  • Instruction ID: 36b5ec7ebb08f88df80414dce8d663d215cea798eb143d3842aa7d4b43224e9c
                  • Opcode Fuzzy Hash: 7c10d4d9d26ab4ea89e017dda8363944b3ac029fca86a6095bd209b9c10ae5af
                  • Instruction Fuzzy Hash: B101F231A90106AACA047B75CE1B8AE7B24A912704B50013FE902731D2FD795909C29F
                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: __cftoe
                  • String ID:
                  • API String ID: 4189289331-0
                  • Opcode ID: 5f28df8446c64383e0fb99689a724a51342c162445d8cc4573d67065744f944e
                  • Instruction ID: d6fa3fd3494dd5afb9895fef6f42023dfbfc37a7ed478dd002862769998016d6
                  • Opcode Fuzzy Hash: 5f28df8446c64383e0fb99689a724a51342c162445d8cc4573d67065744f944e
                  • Instruction Fuzzy Hash: AB513D72980205ABDB249B59CC46FAF77A9EF4C334F24511FF46496282DB3CDD20866E
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00412AAC,00000000), ref: 0041335D
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00412AAC,00000000), ref: 00413371
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00412AAC,00000000), ref: 0041337E
                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00412AAC,00000000), ref: 004133B3
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00412AAC,00000000), ref: 004133C5
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00412AAC,00000000), ref: 004133C8
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                  • String ID:
                  • API String ID: 493672254-0
                  • Opcode ID: f60e354ca2734c3379f2a6acb23284ac257847baf88861f2f9be3148c85afd4d
                  • Instruction ID: 959de3c3bf8d9ae695044ebb566e596cbf9f8d07e58be1ed1af2b16a345cf1d1
                  • Opcode Fuzzy Hash: f60e354ca2734c3379f2a6acb23284ac257847baf88861f2f9be3148c85afd4d
                  • Instruction Fuzzy Hash: 8A0126315451187AE3100F299C0EEBB3A1CDB42372F00036BFA35932C0DE688E46956D
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: __alldvrm$_strrchr
                  • String ID: h^C
                  • API String ID: 1036877536-1919427450
                  • Opcode ID: 99551d99d789d1ca47556baa7f2ff8747541ea2f48037bd72a7d33b1b1679a7a
                  • Instruction ID: f620496ad163df25df2412e30276aa4f29c064a19c3155cfd93c0ae27050d73d
                  • Opcode Fuzzy Hash: 99551d99d789d1ca47556baa7f2ff8747541ea2f48037bd72a7d33b1b1679a7a
                  • Instruction Fuzzy Hash: E2A14876D002869FEB11CE58C8517AFBBA1EF69314F1441BFE8949B381C23C8D4AC759
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040C03F
                  • int.LIBCPMT ref: 0040C052
                    • Part of subcall function 00409864: std::_Lockit::_Lockit.LIBCPMT ref: 00409875
                    • Part of subcall function 00409864: std::_Lockit::~_Lockit.LIBCPMT ref: 0040988F
                  • std::locale::_Getfacet.LIBCPMT ref: 0040C05B
                  • std::_Facet_Register.LIBCPMT ref: 0040C092
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040C09B
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C0B9
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                  • String ID:
                  • API String ID: 2243866535-0
                  • Opcode ID: e293553077d95529c3f6ea8edd9ad7722701d123e02e8ef06f56877080a85670
                  • Instruction ID: b1e87804a3da1979fd3ed1427e76ffb0bbb4b318f8e10319d424f090478dbc6a
                  • Opcode Fuzzy Hash: e293553077d95529c3f6ea8edd9ad7722701d123e02e8ef06f56877080a85670
                  • Instruction Fuzzy Hash: 5F012632A00218D7CB14EBA5D8818DE776C9F41714F60426FF405B72D1EBB89E05C789
                  APIs
                  • GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                  • _free.LIBCMT ref: 0043C63B
                  • _free.LIBCMT ref: 0043C663
                  • SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C670
                  • SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                  • _abort.LIBCMT ref: 0043C682
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free$_abort
                  • String ID:
                  • API String ID: 3160817290-0
                  • Opcode ID: e2941afc180c402d96ae15d3b4ea7baeb11baaa35d5f76cb1be1e232cc70365a
                  • Instruction ID: 3be8201feea6bf6bb5de18f8a738b530b1a6a28b783f59b30d90beda1ae83eb3
                  • Opcode Fuzzy Hash: e2941afc180c402d96ae15d3b4ea7baeb11baaa35d5f76cb1be1e232cc70365a
                  • Instruction Fuzzy Hash: E1F0A975A4060026D6112735AC8BF5B37699BDB779F24342FF924B2391EF6CC802429E
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00412CB5,00000000), ref: 0041328E
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00412CB5,00000000), ref: 004132A2
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412CB5,00000000), ref: 004132AF
                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00412CB5,00000000), ref: 004132BE
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412CB5,00000000), ref: 004132D0
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412CB5,00000000), ref: 004132D3
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID:
                  • API String ID: 221034970-0
                  • Opcode ID: 68959f6d476b02a2d4bd0685734bbe45e7fe8639f39039e1a591674eaa023496
                  • Instruction ID: 087c9ab69ee31a6f8daf18e3e04703c1a612111ee6bc2c946994c72f918a64da
                  • Opcode Fuzzy Hash: 68959f6d476b02a2d4bd0685734bbe45e7fe8639f39039e1a591674eaa023496
                  • Instruction Fuzzy Hash: AEF0F6759012187BD2107F259C4AEBF3B6CDF86365F00006AFE0993141DF389D4795B9
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: `1E
                  • API String ID: 0-2004721823
                  • Opcode ID: 0e0fe858824e10f649b933378dfe4155e1adb50c97024238f48701cb155f15ad
                  • Instruction ID: 2b4cc18daa85f4ffdc1879148ab6e5cf02e60df96b600b3f13a9bbe2c431b9f6
                  • Opcode Fuzzy Hash: 0e0fe858824e10f649b933378dfe4155e1adb50c97024238f48701cb155f15ad
                  • Instruction Fuzzy Hash: 1B411871A00704AFE7249F78CC41BABFBA4EB8C714F10956FF551DB781DA7AA9018788
                  APIs
                  • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0040D2B6
                  • RegSetValueExW.ADVAPI32(?,pth_unenc,00000000,00000001,00000000,00000000,00467F30,?,?,0040A737,?,C:\Users\user\Desktop\jcXViWLNuc.exe), ref: 0040D2E6
                  • RegCloseKey.ADVAPI32(?,?,?,0040A737,?,C:\Users\user\Desktop\jcXViWLNuc.exe), ref: 0040D2F1
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID: 5.0.0 Light$pth_unenc
                  • API String ID: 1818849710-2723400672
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040974E
                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040978D
                    • Part of subcall function 0042CF50: _Yarn.LIBCPMT ref: 0042CF6F
                    • Part of subcall function 0042CF50: _Yarn.LIBCPMT ref: 0042CF93
                  • std::bad_exception::bad_exception.LIBCMT ref: 004097A5
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004097B3
                  Similarity
                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
                  • String ID: bad locale name
                  • API String ID: 3706160523-1405518554
                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004389EA,00000003,?,0043898A,00000003,004619C0,0000000C,00438A9D,00000003,00000002), ref: 00438A15
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00438A28
                  • FreeLibrary.KERNEL32(00000000,?,?,?,004389EA,00000003,?,0043898A,00000003,004619C0,0000000C,00438A9D,00000003,00000002,00000000), ref: 00438A4B
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: CorExitProcess$mscoree.dll
                  • API String ID: 4061214504-1276376045
                  APIs
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00401F3D
                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401C9F,00000001), ref: 00401F49
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00401C9F,00000001), ref: 00401F54
                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401C9F,00000001), ref: 00401F5D
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                  Similarity
                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                  • String ID: KeepAlive | Disabled
                  • API String ID: 2993684571-305739064
                  APIs
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 004134BC
                  • PlaySoundW.WINMM(00000000,00000000), ref: 004134CA
                  • Sleep.KERNEL32(00002710), ref: 004134D1
                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 004134DA
                  Similarity
                  • API ID: PlaySound$HandleLocalModuleSleepTime
                  • String ID: Alarm triggered
                  • API String ID: 614609389-2816303416
                  APIs
                    • Part of subcall function 0043B5C6: RtlAllocateHeap.NTDLL(00000000,0042CBAC,?,?,0042E2F7,?,?,5.0.0 Light,?,?,004095E3,0042CBAC,?,?,?,?), ref: 0043B5F8
                  • _free.LIBCMT ref: 0043A4C1
                  • _free.LIBCMT ref: 0043A4D8
                  • _free.LIBCMT ref: 0043A4F7
                  • _free.LIBCMT ref: 0043A512
                  • _free.LIBCMT ref: 0043A529
                  Similarity
                  • API ID: _free$AllocateHeap
                  • String ID:
                  • API String ID: 3033488037-0
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00433381,?,00000000,?,00000001,?,?,00000001,00433381,?), ref: 00443349
                  • __alloca_probe_16.LIBCMT ref: 00443381
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004433D2
                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004326AF,?), ref: 004433E4
                  • __freea.LIBCMT ref: 004433ED
                    • Part of subcall function 0043B5C6: RtlAllocateHeap.NTDLL(00000000,0042CBAC,?,?,0042E2F7,?,?,5.0.0 Light,?,?,004095E3,0042CBAC,?,?,?,?), ref: 0043B5F8
                  Similarity
                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                  • String ID:
                  • API String ID: 313313983-0
                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 00441533
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00441556
                    • Part of subcall function 0043B5C6: RtlAllocateHeap.NTDLL(00000000,0042CBAC,?,?,0042E2F7,?,?,5.0.0 Light,?,?,004095E3,0042CBAC,?,?,?,?), ref: 0043B5F8
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044157C
                  • _free.LIBCMT ref: 0044158F
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044159E
                  Similarity
                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                  • String ID:
                  • API String ID: 336800556-0
                  APIs
                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000018,00000000), ref: 00414666
                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000018,00000000), ref: 00414679
                  • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000018,00000000), ref: 00414699
                  • CloseHandle.KERNEL32(00000000,?,00000000,00000018,00000000), ref: 004146A4
                  • CloseHandle.KERNEL32(00000000,?,00000000,00000018,00000000), ref: 004146AC
                  Similarity
                  • API ID: Process$CloseHandleOpen$FileImageName
                  • String ID:
                  • API String ID: 2951400881-0
                  APIs
                  • _free.LIBCMT ref: 00442BA4
                    • Part of subcall function 0043BEA5: HeapFree.KERNEL32(00000000,00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000), ref: 0043BEBB
                    • Part of subcall function 0043BEA5: GetLastError.KERNEL32(00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000,00000000), ref: 0043BECD
                  • _free.LIBCMT ref: 00442BB6
                  • _free.LIBCMT ref: 00442BC8
                  • _free.LIBCMT ref: 00442BDA
                  • _free.LIBCMT ref: 00442BEC
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  APIs
                  • _free.LIBCMT ref: 00439740
                    • Part of subcall function 0043BEA5: HeapFree.KERNEL32(00000000,00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000), ref: 0043BEBB
                    • Part of subcall function 0043BEA5: GetLastError.KERNEL32(00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000,00000000), ref: 0043BECD
                  • _free.LIBCMT ref: 00439752
                  • _free.LIBCMT ref: 00439765
                  • _free.LIBCMT ref: 00439776
                  • _free.LIBCMT ref: 00439787
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  APIs
                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040D4DD
                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 0040D50C
                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0040D5AC
                  Similarity
                  • API ID: Enum$InfoQueryValue
                  • String ID: [regsplt]
                  • API String ID: 3554306468-4262303796
                  APIs
                  • _strpbrk.LIBCMT ref: 00440908
                  • _free.LIBCMT ref: 00440A25
                    • Part of subcall function 004322E3: IsProcessorFeaturePresent.KERNEL32(00000017,004322B5,00000000,00000000,00467F30,00000000,00000000,00000000,00467F30,?,004322D5,00000000,00000000,00000000,00000000,00000000), ref: 004322E5
                    • Part of subcall function 004322E3: GetCurrentProcess.KERNEL32(C0000417), ref: 00432307
                    • Part of subcall function 004322E3: TerminateProcess.KERNEL32(00000000), ref: 0043230E
                  Similarity
                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                  • String ID: *?$.
                  • API String ID: 2812119850-3972193922
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00437F9E
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00437FB3
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: ~C$ ~C
                  • API String ID: 885266447-903778833
                  Similarity
                  • API ID:
                  • String ID: <$S@@<
                  • API String ID: 0-2148528575
                  • Opcode ID: 96d8b63d7d5fac6b5416afa671e72d341464fef38aa46b057e5c69fc7c6bad02
                  • Instruction ID: 1de478b76fd8c0d77115a3783af98f4c9c649dc9e6c06432943695562a8f0642
                  • Opcode Fuzzy Hash: 96d8b63d7d5fac6b5416afa671e72d341464fef38aa46b057e5c69fc7c6bad02
                  • Instruction Fuzzy Hash: B341A571900218ABCB15EBA1D986AEEB374AF44714F20406FF602B71D1EFB81E45CB59
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\jcXViWLNuc.exe,00000104), ref: 00438B30
                  • _free.LIBCMT ref: 00438BFB
                  • _free.LIBCMT ref: 00438C05
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$FileModuleName
                  • String ID: C:\Users\user\Desktop\jcXViWLNuc.exe
                  • API String ID: 2506810119-3214969289
                  • Opcode ID: 7f57eaab2729b4cc0946ac209535d878f2c68db1228286d325ae82aa6d241096
                  • Instruction ID: 70664c5bde541978665effa2530710d226aabc141cdd11ee7943148819d16b35
                  • Opcode Fuzzy Hash: 7f57eaab2729b4cc0946ac209535d878f2c68db1228286d325ae82aa6d241096
                  • Instruction Fuzzy Hash: FE31A2B1A01349EBDB21DB99988199FFBBCEB89314F1050AFF50497310DA785E448B99
                  APIs
                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00401F7A), ref: 00401F96
                  • CloseHandle.KERNEL32(?), ref: 00401FED
                  • SetEvent.KERNEL32(?), ref: 00401FFC
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandleObjectSingleWait
                  • String ID: Connection Timeout
                  • API String ID: 2055531096-499159329
                  • Opcode ID: ae5bc6e26d28bd96e34e00aad8011417cdc6de2e214e1c40e182376b639a4296
                  • Instruction ID: 4132f8b51f10a03e2f6dde1d6e0fb76fb6a2fdef53c168242a3f39f5db6f161b
                  • Opcode Fuzzy Hash: ae5bc6e26d28bd96e34e00aad8011417cdc6de2e214e1c40e182376b639a4296
                  • Instruction Fuzzy Hash: 9F01D431A84B41AFD7256B768C9686ABBE1BF05306700097FE58352AB1DBB89800DB59
                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040A031
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Exception@8Throw
                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                  • API String ID: 2005118841-1866435925
                  • Opcode ID: e704f714e4679a7b451c4a3b6f3721c3965dc6a755d26d75ca4b81400ef99aec
                  • Instruction ID: 3108494a97143dcb30bf540093841c5617afb240aa1655eecc42209d4e30229e
                  • Opcode Fuzzy Hash: e704f714e4679a7b451c4a3b6f3721c3965dc6a755d26d75ca4b81400ef99aec
                  • Instruction Fuzzy Hash: 9A01DB6164030CAAEB14EA51C843FBA73685B0070AF20803BB906B50C3EA7C6C56872F
                  APIs
                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0040F82E
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell
                  • String ID: /C $cmd.exe$open
                  • API String ID: 587946157-3896048727
                  • Opcode ID: 9f634ed811d01c93b01b9f4d912010342c3c0bed2ecdf687d27e1c27c34cfd06
                  • Instruction ID: b9b5919498ba485fb8f6930109a7034d9cba9b0480c4b6652f0920fc7d9d687c
                  • Opcode Fuzzy Hash: 9f634ed811d01c93b01b9f4d912010342c3c0bed2ecdf687d27e1c27c34cfd06
                  • Instruction Fuzzy Hash: D7F062311082016AC215FB22D8569BFB7A9ABD1705F00483FB546A20D2EF7C5A4ED61E
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,75570F10), ref: 0040D0CE
                  • RegQueryValueExW.ADVAPI32(?,del,00000000,00000000,?,00000400), ref: 0040D0EF
                  • RegCloseKey.ADVAPI32(?), ref: 0040D0F8
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID: del
                  • API String ID: 3677997916-3960539263
                  • Opcode ID: 88088da061e935542d602ed9a60ee80de08d29cd97cf1e62666c939df0226ecc
                  • Instruction ID: c651590824b85597b39781336d71b7838d7c867fbe8f572be816a2f15c875255
                  • Opcode Fuzzy Hash: 88088da061e935542d602ed9a60ee80de08d29cd97cf1e62666c939df0226ecc
                  • Instruction Fuzzy Hash: 9EF06275A40218FBDB109B90DC06FDD7B7CEB04705F2000B6BA45F6191DBB46E499BD8
                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: fa5d2a8faf2fe628d058e6a4fe2f0af0d4f8ff292432a2b74dc80dafd4f9834b
                  • Instruction ID: 3ef33ea84dd1cf6f344852fb1a73c90a82761da2feee4d6795020f546570a538
                  • Opcode Fuzzy Hash: fa5d2a8faf2fe628d058e6a4fe2f0af0d4f8ff292432a2b74dc80dafd4f9834b
                  • Instruction Fuzzy Hash: D9411E31A801006BF7216ABA8C46AAF37A8FF49374F14019BF428D6391D67D4951966F
                  APIs
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,?), ref: 00401BDC
                  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00401BEF
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00401AC2,00000000,?,?,?,00000000,00000000), ref: 00401BFA
                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00401AC2,00000000,?,?,?,00000000,00000000), ref: 00401C03
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                  • String ID:
                  • API String ID: 3360349984-0
                  • Opcode ID: 2816b86d6f7458ba1161e834096ab8bc7bd248e1979f12b57ffdc3d931af871e
                  • Instruction ID: 966eea02b2a93e457dd0c13575889c4ab86b932002f96d98d8ed952a890acd02
                  • Opcode Fuzzy Hash: 2816b86d6f7458ba1161e834096ab8bc7bd248e1979f12b57ffdc3d931af871e
                  • Instruction Fuzzy Hash: B9417171A00318ABDF11EBA1CD459EEB7BDAF14328F04013AF952B32D1DB78A905C764
                  APIs
                  Strings
                  • [Cleared browsers logins and cookies.], xrefs: 004085CB
                  • Cleared browsers logins and cookies., xrefs: 004085DC
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: Sleep
                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                  • API String ID: 3472027048-1236744412
                  • Opcode ID: aaa965d27c1f7c76d1c1fe5b5e673f2742d7c9977007ba8c415083749b236131
                  • Instruction ID: 20defb9733c1219c4c8a2599ca5aef24f296d1e236a042d3d024b8038190efd8
                  • Opcode Fuzzy Hash: aaa965d27c1f7c76d1c1fe5b5e673f2742d7c9977007ba8c415083749b236131
                  • Instruction Fuzzy Hash: CD31A41464C38079C61167B51E567AB7B910A93758F09487FE8C42B3C3DDBA4809936F
                  APIs
                  • GetSystemTimes.KERNEL32(?,?,?,00468138,?,00467C58), ref: 00413DB5
                  • Sleep.KERNEL32(000003E8,?,00467C58), ref: 00413DC0
                  • GetSystemTimes.KERNEL32(?,?,?,?,00467C58), ref: 00413DD2
                  • __aulldiv.LIBCMT ref: 00413E38
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: SystemTimes$Sleep__aulldiv
                  • String ID:
                  • API String ID: 188215759-0
                  • Opcode ID: af12388a144a6519f74332cc38b033842487ffc626d7b6449c11266e36e9a79f
                  • Instruction ID: 664e20bae110cd4fa9275364a011bdc36a99db3762e2da6226042cd1183b7a6f
                  • Opcode Fuzzy Hash: af12388a144a6519f74332cc38b033842487ffc626d7b6449c11266e36e9a79f
                  • Instruction Fuzzy Hash: DC115E77E00318AADB04EBF9DC85DFEB77CAB48644F05062AF605F3140ED385A488AA4
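The call sequence in the block above (GetSystemTimes, Sleep(0x3E8 = 1000 ms), GetSystemTimes, then a 64-bit unsigned division via __aulldiv) is the shape of a CPU-utilisation sampler. The script below is an added example, not code from the report or recovered from the sample: it reconstructs the standard Win32 arithmetic for two GetSystemTimes snapshots one second apart. That formula is an assumption about what the function at 00413DB5 computes; only the call sequence, not the arithmetic, is visible on the page. The input buffers are constructed.

```python
"""Reconstruct what a GetSystemTimes / Sleep(1000) / GetSystemTimes /
__aulldiv sequence computes: CPU utilisation over a one-second window.
The formula is the standard Win32 idiom for GetSystemTimes and is an
assumption about the analysed sample; only its call sequence is known."""
import struct
from typing import Tuple

# GetSystemTimes writes three FILETIMEs (idle, kernel, user); each FILETIME
# is two little-endian DWORDs (dwLowDateTime, dwHighDateTime).
SYSTEM_TIMES_FMT = "<IIIIII"


def pack_system_times(idle: int, kernel: int, user: int) -> bytes:
    """Build the 24-byte buffer GetSystemTimes would write (constructed data)."""
    parts = []
    for value in (idle, kernel, user):
        parts += [value & 0xFFFFFFFF, (value >> 32) & 0xFFFFFFFF]
    return struct.pack(SYSTEM_TIMES_FMT, *parts)


def unpack_system_times(buf: bytes) -> Tuple[int, int, int]:
    """Join the six DWORDs into three unsigned 64-bit counts of 100-ns units,
    in the order idle, kernel, user."""
    il, ih, kl, kh, ul, uh = struct.unpack(SYSTEM_TIMES_FMT, buf)
    return (ih << 32) | il, (kh << 32) | kl, (uh << 32) | ul


def cpu_usage_percent(before: Tuple[int, int, int],
                      after: Tuple[int, int, int]) -> int:
    """Percentage of the interval (summed over all processors) that was busy.

    Kernel time reported by GetSystemTimes includes idle time, so the busy
    share is (kernel + user delta) minus the idle delta. The final division
    is unsigned 64-bit, which is what __aulldiv provides in 32-bit code.
    """
    idle = after[0] - before[0]
    total = (after[1] - before[1]) + (after[2] - before[2])
    if total <= 0 or idle < 0 or idle > total:
        return 0  # inconsistent or wrapped sample; report nothing rather than garbage
    return ((total - idle) * 100) // total


if __name__ == "__main__":
    # Constructed snapshots: four logical CPUs, one second apart, half busy.
    first = pack_system_times(5_000_000_000, 8_000_000_000, 3_000_000_000)
    second = pack_system_times(5_020_000_000, 8_025_000_000, 3_015_000_000)
    print(cpu_usage_percent(unpack_system_times(first),
                            unpack_system_times(second)), "%")
```

The point worth remembering when verifying this in the disassembly is the idle subtraction: a function that divides (kernel + user) by the elapsed time without subtracting idle is computing something other than load, so the operands fed into __aulldiv are what distinguish the two.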
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 58266adce5fe98948b2ae2cdcb5eb7aac101841803ca74cd59dc5555995d5507
                  • Instruction ID: e293933edf47bc404921b9782ae6bdf2530dae4187b182b77bf7cc4bdb1aff01
                  • Opcode Fuzzy Hash: 58266adce5fe98948b2ae2cdcb5eb7aac101841803ca74cd59dc5555995d5507
                  • Instruction Fuzzy Hash: E701A2B26096173EFA2016796CC9F67235DDB993B9F31232BF621612D1DBA8CC014169
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d9484003af8c7f76f3537911751fc69ba13e48c1f0aa44cd003a8177e25c73c8
                  • Instruction ID: 4c4e0230044f540d0dfa141600ad540ca831ff66076231662328a578ba525b5c
                  • Opcode Fuzzy Hash: d9484003af8c7f76f3537911751fc69ba13e48c1f0aa44cd003a8177e25c73c8
                  • Instruction Fuzzy Hash: 8201D6B26092133EBB1016796CC5E6B735CEF993B9B24233BF535612D1DBB8CC404169
                  APIs
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0043CFBE,00000000,00000000,00000000,00000000,?,0043D2EA,00000006,FlsSetValue), ref: 0043D049
                  • GetLastError.KERNEL32(?,0043CFBE,00000000,00000000,00000000,00000000,?,0043D2EA,00000006,FlsSetValue,00453058,00453060,00000000,00000364,?,0043C6D6), ref: 0043D055
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0043CFBE,00000000,00000000,00000000,00000000,?,0043D2EA,00000006,FlsSetValue,00453058,00453060,00000000), ref: 0043D063
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID:
                  • API String ID: 3177248105-0
                  • Opcode ID: 595891c980301c2c73905729bbe73c7249954adc15224a50436924359eb8ce7d
                  • Instruction ID: a0defaa7bfad2e823c90b49b53e3435581b1221e674054a2feddefd619599400
                  • Opcode Fuzzy Hash: 595891c980301c2c73905729bbe73c7249954adc15224a50436924359eb8ce7d
                  • Instruction Fuzzy Hash: 5901FC36F012229BC7254B68BC44A577768AF0DF69F100632F916D7240D724D803C6EC
                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149B2
                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149C6
                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149EB
                  • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,004108FA), ref: 004149F9
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleReadSize
                  • String ID:
                  • API String ID: 3919263394-0
                  • Opcode ID: 0908160d546d984776c4034bd17207c1f934702e7f6a1384d07143587f6b8751
                  • Instruction ID: f0ddd2d46cb65e41b6d6a3277f6bfdf1228b339456a25c00275a264c9c935e20
                  • Opcode Fuzzy Hash: 0908160d546d984776c4034bd17207c1f934702e7f6a1384d07143587f6b8751
                  • Instruction Fuzzy Hash: 5501D6B5941108BFE7105B759C89EFF776CEB86394F10026AFD01A3280CA755E059674
                  APIs
                  • GetSystemMetrics.USER32(0000004C), ref: 0041228E
                  • GetSystemMetrics.USER32(0000004D), ref: 00412294
                  • GetSystemMetrics.USER32(0000004E), ref: 0041229A
                  • GetSystemMetrics.USER32(0000004F), ref: 004122A1
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: MetricsSystem
                  • String ID:
                  • API String ID: 4116985748-0
                  • Opcode ID: dc41238271d61d062b424b9f78800828ee9edd3412daac05195af5ccd8a0ba4b
                  • Instruction ID: 734442f2042c8065209044c06ea4daf6e2b581a17a484543afd8213bfd6dd57c
                  • Opcode Fuzzy Hash: dc41238271d61d062b424b9f78800828ee9edd3412daac05195af5ccd8a0ba4b
                  • Instruction Fuzzy Hash: 7801AC71F002286BCB109FA9CC41AAD7BA5DF44760F10406BFE0CEB340D9B8AD4147C8
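The API lines throughout these function blocks share one format: `Api.DLL(arg,arg,...), ref: ADDRESS`, with each argument either an 8-digit hex value, a `?` the sandbox could not recover, or a string it resolved. Most of the security-relevant detail sits in the raw hex (0x80000001 is HKEY_CURRENT_USER, 0x20019 is KEY_READ, the trailing 0 on ShellExecuteW is SW_HIDE, 0x4C..0x4F are the virtual-screen metrics, 0x800 on LoadLibraryExW is LOAD_LIBRARY_SEARCH_SYSTEM32). The decoder below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses that line format and annotates the arguments that appear on this page with their standard Win32 names. The sample input is constructed from lines copied off this page; the decoder assumes no argument contains a literal comma, which holds for every line here.

```python
"""Decoder for the per-function API call lines in a Joe Sandbox report.

Line shape:  Api.DLL(arg,arg,...), ref: ADDRESS
Arguments are an 8-digit hex value, '?' (not recovered), or a resolved
string.  The constant tables hold standard Win32 values for the calls seen
on this page.  Assumption: no argument contains a literal comma.
"""
import re
from typing import Dict, List, Optional

CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Symbolic names keyed by API name, then zero-based argument index.
ARG_NAMES: Dict[str, Dict[int, Dict[int, str]]] = {
    "RegOpenKeyExW": {
        0: {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
            0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"},
        3: {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"},
    },
    "CreateFileW": {
        1: {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
            0xC0000000: "GENERIC_READ|GENERIC_WRITE"},
        2: {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE",
            3: "FILE_SHARE_READ|FILE_SHARE_WRITE"},
        4: {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
        5: {0x80: "FILE_ATTRIBUTE_NORMAL"},
    },
    "GetSystemMetrics": {
        0: {0x4C: "SM_XVIRTUALSCREEN", 0x4D: "SM_YVIRTUALSCREEN",
            0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN"},
    },
    "LoadLibraryExW": {2: {0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32"}},
    "ShellExecuteW": {5: {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 5: "SW_SHOW"}},
    "GetModuleFileNameA": {2: {0x104: "MAX_PATH"}},
}

# Arguments that are timeouts in milliseconds (index into the argument list).
TIMEOUT_ARGS = {"WaitForSingleObject": 1, "Sleep": 0}


def decode_arg(api: str, index: int, raw: str) -> str:
    """Render one raw argument token as a symbolic name where one is known."""
    if raw == "?":
        return "?"                 # sandbox could not recover the value
    if not HEX_RE.match(raw):
        return raw                 # a resolved string such as "cmd.exe"
    value = int(raw, 16)
    if TIMEOUT_ARGS.get(api) == index:
        return "INFINITE" if value == 0xFFFFFFFF else f"{value} ms"
    name = ARG_NAMES.get(api, {}).get(index, {}).get(value)
    return name if name is not None else f"0x{value:X}"


def decode_call(line: str) -> Optional[dict]:
    """Parse one call line; returns None for lines that are not calls."""
    m = CALL_RE.match(line.strip())
    if m is None:
        return None
    raw_args = m.group("args").split(",") if m.group("args") else []
    api = m.group("api")
    return {
        "api": api,
        "dll": m.group("dll"),
        "ref": m.group("ref"),
        "args": raw_args,
        "decoded": [decode_arg(api, i, a) for i, a in enumerate(raw_args)],
    }


def decode_report(lines: List[str]) -> List[str]:
    """One annotated line per call; bullet markers and non-call lines are skipped."""
    out = []
    for line in lines:
        call = decode_call(line.lstrip("• ").strip())
        if call:
            out.append(f"{call['ref']}  {call['api']}({', '.join(call['decoded'])})")
    return out


# Constructed input: lines copied from the function blocks of this report.
SAMPLE_LINES = [
    "• RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,75570F10), ref: 0040D0CE",
    "• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0040F82E",
    "• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149B2",
    "• GetSystemMetrics.USER32(0000004C), ref: 0041228E",
    "• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00401F7A), ref: 00401F96",
    "• GetModuleFileNameA.KERNEL32(00000000,C:\\Users\\user\\Desktop\\jcXViWLNuc.exe,00000104), ref: 00438B30",
]

if __name__ == "__main__":
    for text in decode_report(SAMPLE_LINES):
        print(text)
```

Values past the API's real parameter count (for example the sixth argument of RegOpenKeyExW, which takes five) are whatever was on the stack beyond the call frame and are printed as plain hex rather than named; treat them as noise, not as parameters.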
                  APIs
                  • ___BuildCatchObject.LIBVCRUNTIME ref: 0042FA35
                    • Part of subcall function 0043006D: ___AdjustPointer.LIBCMT ref: 004300B7
                  • _UnwindNestedFrames.LIBCMT ref: 0042FA4C
                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 0042FA5E
                  • CallCatchBlock.LIBVCRUNTIME ref: 0042FA82
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                  • String ID:
                  • API String ID: 2633735394-0
                  • Opcode ID: 6a7b41a67f6b5d6162d44e2b17d28e3b82f582da003bb732735d339659016d48
                  • Instruction ID: a384c467a5cf0005642e118325ee09c1ca88ba2ea93b3fe8868d3066c3d62e86
                  • Opcode Fuzzy Hash: 6a7b41a67f6b5d6162d44e2b17d28e3b82f582da003bb732735d339659016d48
                  • Instruction Fuzzy Hash: C3011732100119BBCF12AF96DC01EDA7FBAFF48754F55412AF91861120C37AE861ABA8
                  APIs
                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 0042E723
                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0042E728
                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0042E72D
                    • Part of subcall function 00431D75: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00431D86
                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 0042E742
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                  • String ID:
                  • API String ID: 1761009282-0
                  • Opcode ID: 56622d154af70104b395c77cc287e29f40d35fe8c70cadda5cf720b00b0514e6
                  • Instruction ID: 013349ac7a2fe7e9152e47b6c51a3b7e8f8268fb679fa9501f4f8a9e11b9c919
                  • Opcode Fuzzy Hash: 56622d154af70104b395c77cc287e29f40d35fe8c70cadda5cf720b00b0514e6
                  • Instruction Fuzzy Hash: E4C04C04704125606DA57AB772031AE43201CEB3CCFD474DBE8521712BDD0E241B553F
                  APIs
                  • __startOneArgErrorHandling.LIBCMT ref: 0043BD2D
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3817124990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.3817106503.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817195760.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.3817234925.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_jcXViWLNuc.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorHandling__start
                  • String ID: pow
                  • API String ID: 3213639722-2276729525
                  • Opcode ID: 38187daa67ab9e37275724fcbbdf11ac224d73fef389725b2515faf0432880bd
                  • Instruction ID: 2fbfe7b6d49e86fd3dc1b6acd5d8ee94abeffcde9bfe552af4cad49e3d2ca66b
                  • Opcode Fuzzy Hash: 38187daa67ab9e37275724fcbbdf11ac224d73fef389725b2515faf0432880bd
                  • Instruction Fuzzy Hash: B951BC61A0460196EB117B18C9813AB2B90DB45B41F209D6FF1D5863AAEF3C8CD59E8F
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: _memcmp
                  • String ID: 0B
                  • API String ID: 2931989736-2745533139
                  • Opcode ID: dde02da2657a13ac2c474c204eb5deeae0ef938a7f7fe63f8f2d8705779ed6d0
                  • Instruction ID: c353d1a7b62108d64f5f19d3a53e18fe02b6802cfcab92c213679ae9b53e50ff
                  • Opcode Fuzzy Hash: dde02da2657a13ac2c474c204eb5deeae0ef938a7f7fe63f8f2d8705779ed6d0
                  • Instruction Fuzzy Hash: E451B631B00622ABCB21CF66DA80A7BF7B5FF64310B56812ADD5997321D735ED11CB88
                  APIs
                  • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,?), ref: 0040D763
                    • Part of subcall function 0040D476: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040D4DD
                    • Part of subcall function 0040D476: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 0040D50C
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  • RegCloseKey.ADVAPI32(?,00459594,00459594,0045962C,0045962C), ref: 0040D8B7
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CloseEnumInfoOpenQuerysend
                  • String ID: X|F
                  • API String ID: 3114080316-2178643013
                  • Opcode ID: f89718502645b7ab19a5bbbab08464fad555f615672693b7c00859fef62b1d15
                  • Instruction ID: 8116fabb2d85eb0cd33b9d71b80c948f76b574c3f971d7d1f6fc2c92bebc6ff4
                  • Opcode Fuzzy Hash: f89718502645b7ab19a5bbbab08464fad555f615672693b7c00859fef62b1d15
                  • Instruction Fuzzy Hash: E641BE71A002285ACB04F776DCA6AEE77649F51308F40817FF60A771D2EF781E89C65A
                  Strings
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: E@@
                  • API String ID: 0-263559340
                  • Opcode ID: 459347a91358f46872176e380f669f73c4093dfe1cd6feb0cca5c06579f60336
                  • Instruction ID: f03ecd794946583929f208bd859942677592bdc48cb2f3ff9744e4cd59c4d472
                  • Opcode Fuzzy Hash: 459347a91358f46872176e380f669f73c4093dfe1cd6feb0cca5c06579f60336
                  • Instruction Fuzzy Hash: 4F41B471A00208ABCB14EBA1D996AEEB374AF44318F20406FF602771C1EF785E44CB59
                  APIs
                  • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000), ref: 00404544
                  • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000), ref: 0040456A
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ExtendedTable
                  • String ID: a@@
                  • API String ID: 2407854163-821130896
                  • Opcode ID: 403b7417141a6e3ab0469ce16749893ad844add1f190e6520086f4a8e01444fb
                  • Instruction ID: 8fc58d0faab8546e2ae9b4570367c64f21be51e55399899536b09486aaef41c4
                  • Opcode Fuzzy Hash: 403b7417141a6e3ab0469ce16749893ad844add1f190e6520086f4a8e01444fb
                  • Instruction Fuzzy Hash: 88318471A00218ABCB14EBA1DD969EEB374AF44304F20446FF702771D1EFB95E45CA59
                  APIs
                  • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000017,00000001,00000000), ref: 00404681
                  • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000017,00000001,00000000), ref: 004046A7
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ExtendedTable
                  • String ID: l@@
                  • API String ID: 2407854163-942269891
                  • Opcode ID: 2e96147060371ac98eed0650a99ef5ed7475b9f0c053ad1149b626ce4cc91f18
                  • Instruction ID: 2ec4b1d0b07e77987f732c33211abe948ea1a39192b25ce75c5c0795d41247b7
                  • Opcode Fuzzy Hash: 2e96147060371ac98eed0650a99ef5ed7475b9f0c053ad1149b626ce4cc91f18
                  • Instruction Fuzzy Hash: 86318471A00218AACB14EBA1D985AEEB378AF44704F20406FF702771D1EFB85E45CB59
                  APIs
                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,00000000), ref: 004119D0
                    • Part of subcall function 00411573: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00411589
                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,00000000), ref: 00411A15
                    • Part of subcall function 004115EB: GdipSaveImageToStream.GDIPLUS(?,?,?,?), ref: 004115FD
                    • Part of subcall function 00411599: GdipDisposeImage.GDIPLUS(?,0041154D), ref: 004115A2
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                  • String ID: image/jpeg
                  • API String ID: 1291196975-3785015651
                  • Opcode ID: f1760caa1cc837f2a22b7184847d6685a1f39e41d9d40200acebcfd92b9434fc
                  • Instruction ID: ef5b11e11035bddaf631a761f834e810763e5e11838f5a19257ff1a0f99910ce
                  • Opcode Fuzzy Hash: f1760caa1cc837f2a22b7184847d6685a1f39e41d9d40200acebcfd92b9434fc
                  • Instruction Fuzzy Hash: 35318B31900218AFCB01EFA4CC84DEEBBB9EF49314F10406AF906E7251DB74AE45CBA4
                  APIs
                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00443F62,?,00000050,?,?,?,?,?), ref: 00443DE2
                  Strings
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ACP$OCP
                  • API String ID: 0-711371036
                  • Opcode ID: b463a79c31a7c10f4098bdec5a78729edffff5adbcbc4555e4af9816c6e94504
                  • Instruction ID: f3f47050c9d98aff9bb1a4a1382f066ea7fa27275a19905ea58b4da3876d1d77
                  • Opcode Fuzzy Hash: b463a79c31a7c10f4098bdec5a78729edffff5adbcbc4555e4af9816c6e94504
                  • Instruction Fuzzy Hash: BA21F1A2E00100A6FB248E148902BD772A6EF54F63F56846AED09D7304E73AEF01C358
                  APIs
                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,00000000), ref: 00411AB5
                    • Part of subcall function 00411573: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00411589
                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,00000000), ref: 00411AD8
                    • Part of subcall function 004115EB: GdipSaveImageToStream.GDIPLUS(?,?,?,?), ref: 004115FD
                    • Part of subcall function 00411599: GdipDisposeImage.GDIPLUS(?,0041154D), ref: 004115A2
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                  • String ID: image/png
                  • API String ID: 1291196975-2966254431
                  • Opcode ID: bae890b8d3371da378f3e37d71e19cd327cf3b67a299fcfbf9a2e0d8530876e7
                  • Instruction ID: 3d3f12b83bccf21c12e870e82d42f33b435d328513d3b2a06635348d3a180fbc
                  • Opcode Fuzzy Hash: bae890b8d3371da378f3e37d71e19cd327cf3b67a299fcfbf9a2e0d8530876e7
                  • Instruction Fuzzy Hash: EB217C35A00128BBCB11EBA5CC89CEEBBBDFF49315B10015AF606A3251DB745945CBA5
                  APIs
                  • GetLocalTime.KERNEL32(?), ref: 00401E49
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                  • GetLocalTime.KERNEL32(?), ref: 00401EA1
                  Strings
                  • KeepAlive | Enabled | Timeout: , xrefs: 00401E3E
                  Yara matches
                  Similarity
                  • API ID: LocalTime
                  • String ID: KeepAlive | Enabled | Timeout:
                  • API String ID: 481472006-1507639952
                  • Opcode ID: d95bc88be679ab2795d1e3ee3956b9446fa9e4b61f9f08a43b0abdd1d014c7d8
                  • Instruction ID: b6501f059e2151b164add168212f41ddb3557997af1fb79251cdb559bb53ca58
                  • Opcode Fuzzy Hash: d95bc88be679ab2795d1e3ee3956b9446fa9e4b61f9f08a43b0abdd1d014c7d8
                  • Instruction Fuzzy Hash: 6921D172E0414067CB00B7BADD0A7EE7B645792349F54417EEC01232E2EEB85949C7AB
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID: XAF
                  • API String ID: 269201875-3946003707
                  • Opcode ID: 56830ea015d4febb486afa971ba8605d51d7b7488d7a89142c8e124551d8de94
                  • Instruction ID: 789fddf153a2b0b51eb9e63a47b227dc4857ab3bce67e7ee6682b2e599235b10
                  • Opcode Fuzzy Hash: 56830ea015d4febb486afa971ba8605d51d7b7488d7a89142c8e124551d8de94
                  • Instruction Fuzzy Hash: 1111E9B1A1070046E7209F2DAC06B5673949758B74F142227FA24CB3D0F3F8DD814B8E
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CountInfoInputLastTick
                  • String ID: X|F
                  • API String ID: 3478931382-2178643013
                  • Opcode ID: b385247edad76a24db9e68dfc1a14740e99aba5bcf4cd9ea178d25a246bab336
                  • Instruction ID: 171dbf0f5cfc22f21d8f68f6b7b2537727de2b88679f19cea7dddd8e5cbb1d76
                  • Opcode Fuzzy Hash: b385247edad76a24db9e68dfc1a14740e99aba5bcf4cd9ea178d25a246bab336
                  • Instruction Fuzzy Hash: 98D0127580020CFFDB14DFE4DD4D99DBFBCEB01216F0042E9EC0593210EE726A448AA9
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004349A0
                  • GetLastError.KERNEL32(?,?), ref: 004349AE
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?), ref: 00434A09
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$ErrorLast
                  • String ID:
                  • API String ID: 1717984340-0
                  • Opcode ID: 11f973e380e1e97874fd796f57fcd641ccecc41f1c0becbf414744d79cde42ba
                  • Instruction ID: e009d7546e55733e8e71cd5b89f7b57e1fa12a08878b1e74594c44e6a6326e64
                  • Opcode Fuzzy Hash: 11f973e380e1e97874fd796f57fcd641ccecc41f1c0becbf414744d79cde42ba
                  • Instruction Fuzzy Hash: B4410935A00201AFDF219F65C844BFBBBA4EFCA310F1451AAF859572A1D738AD01C75C
                  APIs
                  • IsBadReadPtr.KERNEL32(?,00000014,00000001,00000000,?,?,?,?,0040CD60), ref: 0040C9EE
                  • IsBadReadPtr.KERNEL32(?,00000014,?,0040CD60), ref: 0040CAC3
                  • SetLastError.KERNEL32(0000007F), ref: 0040CADE
                  • SetLastError.KERNEL32(0000007E,?,0040CD60), ref: 0040CAF7
                  Yara matches
                  Similarity
                  • API ID: ErrorLastRead
                  • String ID:
                  • API String ID: 4100373531-0
                  • Opcode ID: 2107795d61710c673144fc153abc3f8462d2ce2fa3ff22c3decacbf6cad935fe
                  • Instruction ID: e1be155fad3850883f817a0f1cca8f73026838c0112b34f29781b835d56552cf
                  • Opcode Fuzzy Hash: 2107795d61710c673144fc153abc3f8462d2ce2fa3ff22c3decacbf6cad935fe
                  • Instruction Fuzzy Hash: 08416671B00209DFDB24CF99D884B6AB7F5EF48310F10856AE506A7291EB78E801CF54
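The per-function records above (the registry enumeration that ends in a WS2_32 send, the two GetExtendedUdpTable listing functions, the KeepAlive logger and the IsBadReadPtr/SetLastError routine) are easier to triage once the recovered argument constants are named. The script below is an added example, not Joe Sandbox code and not code from the sample; it parses records in the format shown on this page (bullet lines under the APIs, Strings and Similarity headers, with the identical dump-source lines left out of the constructed input) and decodes the constants a reviewer would otherwise look up by hand: RegOpenKeyExW's samDesired 0x20019 is KEY_READ; for GetExtendedUdpTable, ulAf 2 and 0x17 are AF_INET and AF_INET6 and TableClass 1 is UDP_TABLE_OWNER_PID, so the two ExtendedTable functions list IPv4 and IPv6 UDP endpoints together with their owning PIDs; SetLastError(0x7E) and SetLastError(0x7F) are ERROR_MOD_NOT_FOUND and ERROR_PROC_NOT_FOUND, and the 0x14-byte length handed to IsBadReadPtr equals sizeof(IMAGE_IMPORT_DESCRIPTOR), which together read like a hand-rolled import resolver (an inference from the listed calls, not something the report states). The fuzzy hashes are carried through so that each record can be pivoted across samples. The record layout assumed by the parser (records close at their Instruction Fuzzy Hash line) is this example's own reading of the page, and the SAMPLE text is constructed from four records above.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Similarity) and name the
argument constants of a few calls seen in this report. Added example, not Joe Sandbox code."""
import json
import re

# Constructed input: four records copied from the page, dump-source lines omitted.
SAMPLE = """\
APIs
• RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,?), ref: 0040D763
  • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
Similarity
• API ID: CloseEnumInfoOpenQuerysend
• Instruction Fuzzy Hash: E641BE71A002285ACB04F776DCA6AEE77649F51308F40817FF60A771D2EF781E89C65A
APIs
• GetLocalTime.KERNEL32(?), ref: 00401E49
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 00401E3E
Similarity
• Instruction Fuzzy Hash: 6921D172E0414067CB00B7BADD0A7EE7B645792349F54417EEC01232E2EEB85949C7AB
APIs
• GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000017,00000001,00000000), ref: 00404681
Similarity
• Instruction Fuzzy Hash: 86318471A00218AACB14EBA1D985AEEB378AF44704F20406FF702771D1EFB85E45CB59
APIs
• IsBadReadPtr.KERNEL32(?,00000014,?,0040CD60), ref: 0040CAC3
• SetLastError.KERNEL32(0000007F), ref: 0040CADE
• SetLastError.KERNEL32(0000007E,?,0040CD60), ref: 0040CAF7
Similarity
• Instruction Fuzzy Hash: 08416671B00209DFDB24CF99D884B6AB7F5EF48310F10856AE506A7291EB78E801CF54
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
CALL_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                     r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$")
XREF_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): ?(?P<val>.*)$")

# Registry access-mask bits from winnt.h; 0x20019 is KEY_READ, 0xF003F is KEY_ALL_ACCESS.
KEY_RIGHTS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
              (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
              (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"), (0x10000, "DELETE"),
              (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER")]
ADDRESS_FAMILY = {0: "AF_UNSPEC", 2: "AF_INET", 23: "AF_INET6"}
UDP_TABLE_CLASS = {0: "UDP_TABLE_BASIC", 1: "UDP_TABLE_OWNER_PID", 2: "UDP_TABLE_OWNER_MODULE"}
WIN32_ERROR = {0x7E: "ERROR_MOD_NOT_FOUND", 0x7F: "ERROR_PROC_NOT_FOUND"}

def decode_sam(mask: int) -> list[str]:
    """Expand a registry samDesired mask into named bits; unknown bits are kept as hex."""
    names = [name for bit, name in KEY_RIGHTS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in KEY_RIGHTS)
    return names + ([f"0x{rest:X}"] if rest else [])

def _hexarg(args: list[str], i: int):
    """Argument i as an int, or None when the report shows it as '?' (not recovered)."""
    return int(args[i], 16) if i < len(args) and args[i] != "?" else None

def annotate(call: dict) -> dict:
    """Name the constant arguments of the calls this report shows (parameter order per MSDN)."""
    a = [s.strip() for s in call["args"].split(",")]
    api, n = call["api"], lambda i: _hexarg(a, i)
    if api == "RegOpenKeyExW" and n(3) is not None:   # (hKey, lpSubKey, ulOptions, samDesired, phkResult)
        return {"samDesired": "|".join(decode_sam(n(3)))}
    if api == "GetExtendedUdpTable":                    # (pUdpTable, pdwSize, bOrder, ulAf, TableClass, Reserved)
        return {"bOrder": str(n(2)), "ulAf": ADDRESS_FAMILY.get(n(3), str(n(3))),
                "TableClass": UDP_TABLE_CLASS.get(n(4), str(n(4)))}
    if api == "SetLastError" and n(0) is not None:
        return {"dwErrCode": WIN32_ERROR.get(n(0), f"0x{n(0):X}")}
    return {}

def parse_records(text: str) -> list[dict]:
    """Records start at 'APIs' (or at the first section after one closed) and close at their
    'Instruction Fuzzy Hash' line, the last Similarity field in this report's layout."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line in SECTIONS:
            if rec is None or line == "APIs":
                rec = {"apis": [], "strings": [], "similarity": {}}
                records.append(rec)
            section = line
        elif not line or rec is None:
            continue                       # blank line, or stray text before the first record
        elif section == "APIs" and (m := CALL_RE.match(line)):
            rec["apis"].append(m.groupdict())
        elif section == "Strings" and (m := XREF_RE.match(line)):
            rec["strings"].append(m.groupdict())
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            rec["similarity"][m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                rec = None                 # record complete
    return records

def summarize(text: str) -> list[dict]:
    """One flat dict per record: calls, strings, fuzzy hash for pivoting, decoded arguments."""
    return [{
        "api_id": r["similarity"].get("API ID", ""),
        "fuzzy": r["similarity"].get("Instruction Fuzzy Hash", ""),
        "calls": [f"{c['api']}.{c['mod']}@{c['ref']}" for c in r["apis"]],
        "strings": [s["text"].rstrip() for s in r["strings"]],
        "decoded": {f"{c['api']}@{c['ref']}": d for c in r["apis"] if (d := annotate(c))},
    } for r in parse_records(text)]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Feed it the text of a whole function listing rather than the constructed sample to get one row per function; the decoded fields make the KEY_READ opens, the IPv4/IPv6 UDP endpoint listings and the two loader error codes visible without consulting the SDK headers.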