
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522718
MD5: 6aecfc2ede0f22d0add919214de21a83
SHA1: c2c87ef0d333c4c56cdc2dcb52fd4d7c4902b2ec
SHA256: 64aa700db7bb8d9f836e59ce259a47bce371dc0c60cba660ce51edef945d679d
Tags: exe, user-jstrosch

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found large amount of non-executed APIs
One or more processes crash
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6AECFC2EDE0F22D0ADD919214DE21A83)
    • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 3492 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 508 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | Avira: detected
Source: file.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 90.0% probability
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004093C8 FindFirstFileW,FindClose,0_2_004093C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00429570 FindFirstFileW,FindNextFileW,FindClose,0_2_00429570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041E578 FindFirstFileW,FindClose,0_2_0041E578
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408DFC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_00408DFC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041DF90 FindFirstFileW,FindNextFileW,FindClose,GetLastError,0_2_0041DF90
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: file.exe | String found in binary or memory: https://www.abyssmedia.com
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408090
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042CAC4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040FCAC
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 508
Source: file.exe, 00000000.00000000.1696205746.0000000000454000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename" vs file.exe
Source: file.exe | Binary or memory string: OriginalFilename" vs file.exe
Source: classification engine | Classification label: mal60.winEXE@3/6@0/0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004151D0 GetDiskFreeSpaceW,0_2_004151D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042EF38 FindResourceW,LoadResource,LockResource,SizeofResource,FreeResource,0_2_0042EF38
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6644
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\49ad28af-b7ed-4263-8b81-3101fdabf7e2
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: file.exe | Static PE information: section name: .didata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00432310 push 004323ADh; ret 0_2_004323A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042F0E0 push 0042F110h; ret 0_2_0042F108
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041A9F0 push 0041AA3Eh; ret 0_2_0041AA36
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004119F8 push ecx; mov dword ptr [esp], eax 0_2_004119FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041E184 push 0041E1C2h; ret 0_2_0041E1BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041A2A8 push 0041A39Dh; ret 0_2_0041A395
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00411ABC push ecx; mov dword ptr [esp], eax 0_2_00411ABE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042EB28 push 0042EB60h; ret 0_2_0042EB58
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042DBDC push ecx; mov dword ptr [esp], ecx 0_2_0042DBE1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041744C push 004174CDh; ret 0_2_004174C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042B544 push 0042B592h; ret 0_2_0042B58A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004275FC push 0042775Fh; ret 0_2_004276DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004275FC push 0042775Fh; ret 0_2_00427757
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00411DA8 push 00411DE0h; ret 0_2_00411DD8
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | API coverage: 7.3 %
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409C44 GetSystemInfo,0_2_00409C44
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-17292
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004056AC cpuid 0_2_004056AC
Source: C:\Users\user\Desktop\file.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_00409500
Source: C:\Users\user\Desktop\file.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetUserDefaultLCID,GetLocaleInfoW,GetUserDefaultLCID,GetTimeFormatW,0_2_0041B8F0
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_00419880
Source: C:\Users\user\Desktop\file.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004089A0
Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,0_2_00419A68
Source: C:\Users\user\Desktop\file.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetUserDefaultLCID,GetLocaleInfoW,GetUserDefaultLCID,GetDateFormatW,GetUserDefaultLCID,GetDateFormatW,GetUserDefaultLCID,GetDateFormatW,GetLastError,0_2_0041B374
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_00416CE4
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_00416D30
Source: C:\Users\user\Desktop\file.exe | Code function: GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0041AD3C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041B8F0 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetUserDefaultLCID,GetLocaleInfoW,GetUserDefaultLCID,GetTimeFormatW,0_2_0041B8F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A8B6 GetVersionExW,0_2_0040A8B6
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
ATT&CK Matrix (a leading number is the count of matched signatures for that technique):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At | Cron | Launchd
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script
Privilege Escalation: 1 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script
Defense Evasion: 1 Virtualization/Sandbox Evasion | 1 Process Injection | 1 DLL Side-Loading | 1 Obfuscated Files or Information | Software Packing
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets
Discovery: 1 System Time Discovery | 21 Security Software Discovery | 1 Virtualization/Sandbox Evasion | 1 File and Directory Discovery | 26 System Information Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH
Collection: 1 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging
Command and Control: 1 Encrypted Channel | Junk Data | Steganography | Protocol Impersonation | Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact
Behavior Graph ID: 1522718 | Sample: file.exe | Startdate: 30/09/2024 | Architecture: WINDOWS | Score: 60

Graph signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; AI detected suspicious sample
Graph processes: file.exe started, then started WerFault.exe and conhost.exe
Graph files: C:\ProgramData\Microsoft\...\Report.wer (Unicode) dropped by WerFault.exe

Source | Detection | Scanner | Label
file.exe | 55% | ReversingLabs | Win32.Trojan.Ulise
file.exe | 100% | Avira | TR/Redcap.cafuo
No Antivirus matches

Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.abyssmedia.com | file.exe | false | (none) | unknown
http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1522718
    Start date and time:2024-09-30 15:57:11 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 16s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:9
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:file.exe
    Detection:MAL
    Classification:mal60.winEXE@3/6@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 93%
    • Number of executed functions: 16
    • Number of non-executed functions: 84
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 52.168.117.173
    • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • VT rate limit hit for: file.exe
    Time | Type | Description
    09:58:17 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
    No context
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.7305092461365446
    Encrypted:false
    SSDEEP:192:CA8uPXwTevTPrl0Wj7YcI3jcqzuiFGZ24IO8TVBGi:CU4TwTqWfYbj5zuiFGY4IO8XGi
    MD5:9A8F37BED9E0D1534555FACB5261FD8D
    SHA1:352030F9CF0AF0A1B9CF7B2C7D822C6B0BFEA5F3
    SHA-256:FF59C87BA5217CAB39282508CBFB26EF492CD556CD65E0F7B02DC6323D624EA8
    SHA-512:C772124B2A0490A04BE241633D0CBAB4836CE1DA721F176CBDB99EA7091C113240201EDF1E43E50EA6D26AA99B04C19E517A8BD60CFAEB554F9336E340CCE920
    Malicious:true
    Reputation:low
    Preview (UTF-16 text decoded; truncated as in the report):
    Version=1
    EventType=APPCRASH
    EventTime=133721782846559000
    ReportType=2
    Consent=1
    UploadTime=133721782850308783
    ReportStatus=524384
    ReportIdentifier=9d5f8a6b-4665-44cb-89ec-0ff41a3c22d9
    IntegratorReportIdentifier=371d63a1-2494-4baf-a0eb-8effa0178648
    Wow64Host=34404
    Wow64Guest=332
    NsAppName=file.exe
    AppSessionGuid=000019f4-0001-0014-a86a-e8c44013db01
    TargetAppId=W:0006c24e504ba93f375c4e7bbaf1879d781e00000904!0000c2c87ef0d333c4c56cdc2dcb52fd4d7c4902b2ec!file.exe
    TargetAppVer=2023//02...
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Mon Sep 30 13:58:04 2024, 0x1205a4 type
    Category:dropped
    Size (bytes):35816
    Entropy (8bit):1.948888161259869
    Encrypted:false
    SSDEEP:192:Mg3lq6tH8JtOvmNWZ9enGQbw6QxxwF7eMF:vAwJo8sDfQ4F
    MD5:6993E53FAD2C8694ADDD52A170291DCA
    SHA1:E255C3E55F3390413B1D3F7FB172F7AE24130A97
    SHA-256:CE51CFC36F3AC132D29601E9AAC40EF74C329F5047F1A4686B2F5B58B1F8C0C0
    SHA-512:D71988624D96E8D17F8B42CD0453156F6D9D3DAC0DF48509F6BAAB082355468635D7A21D47ECAA48221015B1B8019DEDE0D900EF864DB5418BEA6B2205736AC5
    Malicious:false
    Reputation:low
    Preview (binary minidump; only printable fragments kept): MDMP ... GenuineIntel ... Eastern Standard Time ... Eastern Summer Time ... 19041.1.amd64fre.vb_release.191206-1406 ...
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8264
    Entropy (8bit):3.6892511934779812
    Encrypted:false
    SSDEEP:192:R6l7wVeJICk6m/6Y9KSU9bxegmfBv9WJ1xpr789bX8sf8dm:R6lXJs6m6YQSU9bxegmfz4gXPfL
    MD5:A531809040B905FEFB23FBEFA9A2E208
    SHA1:8B839BFBEC0D4899AD98E521011F164275423412
    SHA-256:D228E00BBE93DA19E797B0872089D3DD561E45772FFC097ACFB458573E2D8F4D
    SHA-512:AD77EB181E999EE29CE7F4C458120E9F62DDDDEBA8E5822A6766F9F4C32D92A579857B4FAF1EBF9762DC65B671B27D18A2844828BD90800D36A63CF7923BEEE7
    Malicious:false
    Reputation:low
    Preview (UTF-16 text decoded; truncated as in the report):
    <?xml version="1.0" encoding="UTF-16"?>
    <WERReportMetadata>
      <OSVersionInformation>
        <WindowsNTVersion>10.0</WindowsNTVersion>
        <Build>19045</Build>
        <Product>(0x30): Windows 10 Pro</Product>
        <Edition>Professional</Edition>
        <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
        <Revision>2006</Revision>
        <Flavor>Multiprocessor Free</Flavor>
        <Architecture>X64</Architecture>
        <LCID>2057</LCID>
      </OSVersionInformation>
      <ProcessInformation>
        <Pid>6644</Pi...
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4537
    Entropy (8bit):4.429274436238106
    Encrypted:false
    SSDEEP:48:cvIwWl8zsYJg77aI9/DrEWpW8VYpYm8M4J6upFSO+q8FjD1F8bVhed:uIjfeI75Drd7VFJCOMubVhed
    MD5:7C5D100DCBC06AEE4B6364E25A98F08D
    SHA1:BA89B082D5556A159B7154DE3CAF25BE9DF07632
    SHA-256:0C2A2958A076B746957038D660A61B6BB1FAAB6C06C90E387E9A17028CDFDE5E
    SHA-512:CFBF2F9E687460E2592CE1E5381711A9857D3EF78C66B97751AEB181755810C9573FED8718DE0AAC1CCA172FA84087B2AEA281971BC60FE830F111958AC93854
    Malicious:false
    Reputation:low
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="523020" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:MS Windows registry file, NT/2000 or above
    Category:dropped
    Size (bytes):1835008
    Entropy (8bit):4.4653700044436
    Encrypted:false
    SSDEEP:6144:vIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbo:AXD94+WlLZMM6YFH1+o
    MD5:647395672846865397B1707BCAF045E9
    SHA1:CD10C1592B1110D5457E3916DED3621089ACCA49
    SHA-256:C6D0D2E18C11C86B6E17FFF3DB74EC687B693F8DF1F492E8DA47635AA1B6D98F
    SHA-512:70FA31E8E20B2E5F2C3A59B0AFB03EBF69EC6DB3401AC070A6493CC14BA9127AC09FB953C9F7E6313A7F8DD52EF197A1509F32652857A460D10DFB088CEF705C
    Malicious:false
    Reputation:low
    Preview (binary registry hive; only printable fragments kept): regf ... \AppCompat\Programs\Amcache.hve ... rmtmBAB ...
    Process:C:\Users\user\Desktop\file.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):94
    Entropy (8bit):4.362817182138386
    Encrypted:false
    SSDEEP:3:YX7/FCp7/FaBktRNVFDe8yLALwqQFNV0owvn:YXBA1tRHFixLAsXUowvn
    MD5:9D70D97D77237FF5E8E515812D35A794
    SHA1:B12CF9D743825BA7552E6530CD3284D268901D1E
    SHA-256:E28851B7C00C0007E12E148A3669BDDBDA4F5436BA6D8F8CDBEF866F0FD639E3
    SHA-512:391F283B27A1B04C08CEA56577A2A7551D33287A9C7F84C75DE9DC1490A2105D01B66D10E7B4BF982BE234EDE6EE5656712D8E915BF3119810E3A91829C02946
    Malicious:false
    Reputation:low
    Preview:Exception EExternalException in module file.exe at 00032553...External exception 80000001.....
    File type:PE32 executable (console) Intel 80386, for MS Windows
    Entropy (8bit):6.342809552882167
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.53%
    • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
    • Win16/32 Executable Delphi generic (2074/23) 0.02%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    File name:file.exe
    File size:247'808 bytes
    MD5:6aecfc2ede0f22d0add919214de21a83
    SHA1:c2c87ef0d333c4c56cdc2dcb52fd4d7c4902b2ec
    SHA256:64aa700db7bb8d9f836e59ce259a47bce371dc0c60cba660ce51edef945d679d
    SHA512:4431cbe661c002b003d03707873c83cf45d72e4d6a55fc429983ef9fbfb94bf8a151776afddb4aa33d9e70d4a657b879e813d5ce248ed32bfe0f69e42702e71a
    SSDEEP:3072:EFnAqcUJYKwCRmkuMRub1hKjTBp9q81sAarKzRVk0UwwQFFwBhY7m0R4uvV+sWVX:EFA9D3Cb5BvVurKzR6Ql7PR4uvV+sWVX
    TLSH:A1344B21F6B04C77FCA0363C48B5AE20A83FBF612935585A5AD5CE0DCDA87516C24B6F
    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x432408
    Entrypoint Section:.itext
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows cui
    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
    DLL Characteristics:
    Time Stamp:0x63FD37C5 [Mon Feb 27 23:07:49 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:0
    File Version Major:5
    File Version Minor:0
    Subsystem Version Major:5
    Subsystem Version Minor:0
    Import Hash:a23e906a3949b729caf5252cca3e2436
    Instruction
    push ebp
    mov ebp, esp
    mov ecx, 00000005h
    push 00000000h
    push 00000000h
    dec ecx
    jne 00007FAB687F3C2Bh
    push ebx
    push esi
    push edi
    mov eax, dword ptr [00435138h]
    mov byte ptr [eax], 00000001h
    mov eax, 0042F114h
    call 00007FAB687CB639h
    mov esi, 0044EA78h
    xor eax, eax
    push ebp
    push 0043284Ch
    push dword ptr fs:[eax]
    mov dword ptr fs:[eax], esp
    mov edx, 0044EA74h
    mov eax, 0042EB74h
    call 00007FAB687CB377h
    mov eax, dword ptr [00435070h]
    xor edx, edx
    mov dword ptr [eax], edx
    mov eax, dword ptr [00434FDCh]
    mov byte ptr [eax], 00000000h
    mov eax, dword ptr [00434E70h]
    mov byte ptr [eax], 00000001h
    mov al, 01h
    call 00007FAB687C549Bh
    mov eax, dword ptr [00435038h]
    movzx eax, word ptr [eax]
    mov edx, dword ptr [00435008h]
    mov dword ptr [edx], eax
    push 00000000h
    call 00007FAB687DBD78h
    push 00000000h
    mov eax, dword ptr [00434F1Ch]
    mov ecx, 00000001h
    mov edx, dword ptr [0041A4C8h]
    call 00007FAB687C9BA1h
    add esp, 04h
    push 00000000h
    mov eax, dword ptr [00435154h]
    mov ecx, 00000001h
    mov edx, dword ptr [0041A4F8h]
    call 00007FAB687C9B87h
    add esp, 04h
    mov dl, 01h
    mov eax, dword ptr [0042EB8Ch]
    call 00007FAB687F0530h
    mov ebx, eax
    mov cl, 01h
    mov edx, 00432868h
    mov eax, ebx
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4f000 | 0x1690 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x39c8 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54000 | 0x3bfc | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x53000 | 0x18 | .rdata
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x4f464 | 0x360 | .idata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x51000 | 0x154 | .didata
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x30278 | 0x30400 | 807e6bc6e9d85fffec10d6334d0864ea | False | 0.4723324158031088 | data | 6.339345262683559 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .itext | 0x32000 | 0x898 | 0xa00 | 21e2297d5d83a14b3c3e6a714602540f | False | 0.56640625 | data | 5.606376089772764 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data | 0x33000 | 0x2244 | 0x2400 | 57356af26eab43fbfb0619f07bb22c81 | False | 0.4635416666666667 | data | 4.5093245997612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .bss | 0x36000 | 0x18a80 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata | 0x4f000 | 0x1690 | 0x1800 | 2193ef0275c1f12cfd67fc09fade29dc | False | 0.3121744791666667 | data | 4.896486827036879 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .didata | 0x51000 | 0x154 | 0x200 | 6de21e24620a89ab2e2905a0e4915a2b | False | 0.310546875 | data | 2.432645247523557 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .tls | 0x52000 | 0xc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rdata | 0x53000 | 0x18 | 0x200 | 272af25f48168b97f4538cbb5693615c | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "E" | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x54000 | 0x3bfc | 0x3c00 | 9cf473c658767053ad651cc6b3eac91c | False | 0.636328125 | data | 6.643887780687566 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    .rsrc | 0x58000 | 0x39c8 | 0x3a00 | 1388b5a631f83e74d554866889a09fe5 | False | 0.2848195043103448 | data | 3.6591492278320907 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_DIALOG | 0x583b8 | 0x28 | Non-ISO extended-ASCII text, with CR, NEL line terminators | | | 1.275
    RT_DIALOG | 0x583e0 | 0x4 | ISO-8859 text, with no line terminators | | | 3.0
    RT_DIALOG | 0x583e4 | 0x80 | data | | | 1.0078125
    RT_STRING | 0x58464 | 0xac4 | data | | | 0.31712626995645865
    RT_STRING | 0x58f28 | 0x6d0 | data | | | 0.34174311926605505
    RT_STRING | 0x595f8 | 0x5d0 | data | | | 0.3326612903225806
    RT_STRING | 0x59bc8 | 0x7e0 | data | | | 0.31398809523809523
    RT_STRING | 0x5a3a8 | 0x310 | data | | | 0.3711734693877551
    RT_STRING | 0x5a6b8 | 0x328 | data | | | 0.3910891089108911
    RT_STRING | 0x5a9e0 | 0x1fc | data | | | 0.4862204724409449
    RT_STRING | 0x5abdc | 0xc4 | data | | | 0.6428571428571429
    RT_STRING | 0x5aca0 | 0x170 | data | | | 0.5597826086956522
    RT_STRING | 0x5ae10 | 0x328 | data | | | 0.422029702970297
    RT_STRING | 0x5b138 | 0x354 | data | | | 0.4107981220657277
    RT_STRING | 0x5b48c | 0x2b8 | data | | | 0.4367816091954023
    RT_VERSION | 0x5b744 | 0x27c | data | English | United States | 0.4481132075471698
    None | 0x5b9c0 | 0x8 | ASCII text, with no line terminators | | | 2.0
    DLL | Import
    oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
    advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
    user32.dll | MessageBoxA, CharNextW, LoadStringW
    kernel32.dll | Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, SwitchToThread, GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
    kernel32.dll | GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
    user32.dll | MessageBoxW, LoadStringW, GetUserObjectInformationW, GetThreadDesktop, GetSystemMetrics, GetProcessWindowStation, CharUpperBuffW, CharUpperW
    mpr.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetAddConnection2W
    kernel32.dll | WriteFile, WriteConsoleW, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, TerminateProcess, SystemTimeToFileTime, SizeofResource, SetLocalTime, SetFilePointer, SetEvent, SetErrorMode, SetEnvironmentVariableW, SetCurrentDirectoryW, SetConsoleTitleW, SetConsoleTextAttribute, SetConsoleMode, SetConsoleCursorPosition, SetConsoleCtrlHandler, SearchPathW, ScrollConsoleScreenBufferW, ResetEvent, ReadFile, ReadConsoleW, MultiByteToWideChar, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, GetWindowsDirectoryW, GetVolumeInformationW, GetVersionExW, GetVersion, GetUserDefaultLCID, GetTimeFormatW, GetThreadLocale, GetSystemTime, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileType, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetEnvironmentStringsW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentDirectoryW, GetConsoleTitleW, GetConsoleScreenBufferInfo, GetConsoleOutputCP, GetConsoleMode, GetCommandLineW, GetCPInfo, GetBinaryTypeW, FreeResource, FreeLibrary, FreeEnvironmentStringsW, FormatMessageW, FlushFileBuffers, FlushConsoleInputBuffer, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FillConsoleOutputAttribute, FileTimeToSystemTime, FileTimeToLocalFileTime, ExitProcess, EnumSystemLocalesW, EnumCalendarInfoW, EnterCriticalSection, DuplicateHandle, DebugBreak, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
    advapi32.dll | RegSetValueExW, RegSetValueW, RegQueryValueExW, RegQueryValueW, RegOpenKeyExW, RegOpenKeyW, RegEnumKeyW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey
    kernel32.dll | SetThreadUILanguage, SetEnvironmentStringsW, GetVDMCurrentDirectories
    msvcrt.dll | _ltow, _ultow, _wtol, wcstoul, wcstol, _getch, _pipe, feof, ferror, fgets, _pclose, _wpopen, fflush, _dup2, _dup, _close, _get_osfhandle, _open_osfhandle
    shell32.dll | ShellExecuteExW
    Language of compilation system | Country where language is spoken | Map
    English | United States |
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Sep 30, 2024 15:58:51.441318989 CEST | 53 | 62457 | 162.159.36.2 | 192.168.2.4
    Sep 30, 2024 15:58:51.923090935 CEST | 53 | 60015 | 1.1.1.1 | 192.168.2.4


    Target ID:0
    Start time:09:58:03
    Start date:30/09/2024
    Path:C:\Users\user\Desktop\file.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\file.exe"
    Imagebase:0x400000
    File size:247'808 bytes
    MD5 hash:6AECFC2EDE0F22D0ADD919214DE21A83
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:low
    Has exited:true

    Target ID:1
    Start time:09:58:04
    Start date:30/09/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:4
    Start time:09:58:04
    Start date:30/09/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 508
    Imagebase:0x340000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true


      Execution Graph

      Execution Coverage:2.9%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:8.6%
      Total number of Nodes:2000
      Total number of Limit Nodes:45
43271d 15826->15827 15828 409b90 58 API calls 15827->15828 15829 43272a 15828->15829 15830 4054c4 12 API calls 15829->15830 15831 432737 15830->15831 15832 4055c4 14 API calls 15831->15832 15833 43273c 15832->15833 15834 404080 12 API calls 15833->15834 15835 432741 15834->15835 15836 409b90 58 API calls 15835->15836 15837 43274e 15836->15837 15838 4054c4 12 API calls 15837->15838 15839 43275b 15838->15839 15840 4055c4 14 API calls 15839->15840 15841 432760 15840->15841 15842 404080 12 API calls 15841->15842 15843 432765 15842->15843 15920 404dbc 15843->15920 15846 404080 12 API calls 15847 432774 15846->15847 15925 42b5d8 InitializeCriticalSection 15847->15925 15849 432779 15849->15785 15850 4327a7 15849->15850 15984 42c398 15849->15984 15992 421838 15850->15992 15854 4327dd 15856 4327ee 15854->15856 15857 42c398 168 API calls 15854->15857 15855 42c398 168 API calls 15855->15854 16001 423b2c 15856->16001 15857->15856 15862 42c398 168 API calls 15862->15785 15864 409e6b 15863->15864 16033 406a98 15864->16033 15867 409b90 15869 409b98 15867->15869 15868 409be5 15868->15770 15869->15868 15870 4084c0 57 API calls 15869->15870 15871 409bd4 LoadStringW 15870->15871 15872 40709c 12 API calls 15871->15872 15872->15868 15874 42ef56 15873->15874 15875 42ef70 FindResourceW 15874->15875 15876 42ef89 LoadResource 15875->15876 15877 42f0af 15875->15877 15876->15877 15878 42efa2 15876->15878 15879 406f44 12 API calls 15877->15879 16357 42ee28 RegOpenKeyExW 15878->16357 15880 42f0c4 15879->15880 15882 406f44 12 API calls 15880->15882 15884 42f0cc 15882->15884 15883 42efaa 16362 42e8fc 15883->16362 15884->15779 15886 42efb2 15887 42efb7 LockResource SizeofResource 15886->15887 15888 42f084 15887->15888 15889 42efe4 15887->15889 15891 403f2c 12 API calls 15888->15891 15890 403f2c 12 API calls 15889->15890 15895 42efec 15890->15895 15894 42f062 15891->15894 15892 42f0a6 FreeResource 15892->15877 15894->15892 16372 42e9ac 15895->16372 15897 403f48 12 API calls 15896->15897 15898 
42ee1f 15897->15898 15898->15777 16393 4054cc 15899->16393 15902 4055c4 15903 4055d7 15902->15903 15904 4055ce 15902->15904 15906 40517c 14 API calls 15903->15906 16486 40517c 15904->16486 15907 4055e0 15906->15907 16497 40477c 15907->16497 16526 40428c 15910->16526 15915 406f44 12 API calls 15916 41a614 15915->15916 15916->15794 16547 42d85c 15917->16547 15919 42da9a 15919->15804 16578 4049a4 15920->16578 15922 404e2b 15922->15846 15923 4049a4 15 API calls 15924 404dd1 15923->15924 15924->15922 15924->15923 16681 42c35c EnterCriticalSection LeaveCriticalSection 15925->16681 15927 42b61d SetConsoleCtrlHandler 15928 42e4a0 10 API calls 15927->15928 15929 42b62e 15928->15929 16682 41c490 15929->16682 15934 41a5d0 14 API calls 15935 42b640 15934->15935 15936 407850 12 API calls 15935->15936 15937 42b668 15936->15937 16702 41e4dc 15937->16702 15939 42b6a4 16707 42c08c 15939->16707 15943 42b717 GetConsoleOutputCP GetCPInfo 16773 41ad3c GetUserDefaultLCID GetLocaleInfoW 15943->16773 15945 42b736 15947 403f2c 12 API calls 15945->15947 15949 42b740 15947->15949 15948 409b90 58 API calls 15950 42b6e1 15948->15950 15951 403f2c 12 API calls 15949->15951 16762 42d674 15950->16762 15953 42b74f 15951->15953 15956 42b786 15953->15956 15957 42b766 GetConsoleTitleW 15953->15957 15958 42b7dc 15956->15958 16803 41e478 _get_osfhandle GetFileType 15956->16803 15957->15956 15959 42b848 GetModuleHandleW 15958->15959 15962 409b90 58 API calls 15958->15962 15961 40a664 14 API calls 15959->15961 15964 42b85d 15961->15964 15965 42b7ef 15962->15965 15968 406fa4 12 API calls 15964->15968 16817 42d5fc 15965->16817 15966 42b7bc 15966->15958 16813 42385c 15966->16813 15967 42b7a7 GetStdHandle GetConsoleScreenBufferInfo 15967->15966 15970 42b87f 15968->15970 15973 406fa4 12 API calls 15970->15973 15976 42b88c 15973->15976 15974 42b823 15974->15959 15978 409b90 58 API calls 15974->15978 15975 42b805 15977 409b90 58 API calls 15975->15977 15976->15849 15979 42b814 15977->15979 15980 42b83b 
15978->15980 15981 42d5fc 168 API calls 15979->15981 15982 42d5fc 168 API calls 15980->15982 15983 42b821 15981->15983 15982->15959 15983->15959 15985 42c39b 15984->15985 15987 42c3a6 15985->15987 17270 41f774 15985->17270 17281 427d24 15987->17281 17298 42c600 15992->17298 15994 42184b 15996 4218a0 15994->15996 17304 4218b8 15994->17304 15996->15854 15996->15855 15997 421877 15997->15996 17310 4229f4 15997->17310 15999 42188d 15999->15996 16002 423b49 16001->16002 16003 423b3a 16001->16003 16026 42e4a0 _get_osfhandle SetConsoleMode _get_osfhandle GetConsoleMode 16002->16026 16003->16002 16004 423b7d 16003->16004 17640 41cabc 16003->17640 16005 423c48 16004->16005 16006 423b91 16004->16006 16009 423c6c 16005->16009 16010 423ccc 186 API calls 16005->16010 16008 42c6ac 168 API calls 16006->16008 16013 423b9b 16008->16013 16009->16002 16016 423c44 16009->16016 17762 4243b8 16009->17762 16010->16009 16012 423bcb 16021 423c0a 16012->16021 17662 424954 16012->17662 16013->16002 16013->16012 16017 425a84 185 API calls 16013->16017 16015 423bd9 16015->16002 16018 42c6a0 168 API calls 16015->16018 16016->16002 16019 42435c 2 API calls 16016->16019 16017->16012 16020 423bec 16018->16020 16019->16002 16020->16002 17668 423ccc 16021->17668 16027 42e504 _get_osfhandle GetConsoleMode 16026->16027 16028 42e4da 16026->16028 16030 42e55b 16027->16030 16031 42e51c 16027->16031 16028->16027 16029 42e4e7 _get_osfhandle SetConsoleMode 16028->16029 16029->16027 16030->15862 16031->16030 16032 42e536 _get_osfhandle SetConsoleMode 16031->16032 16032->16030 16034 406ad0 16033->16034 16037 406a2c 16034->16037 16038 406a74 16037->16038 16039 406a3c 16037->16039 16038->15867 16039->16038 16041 432310 16039->16041 16042 43232a 16041->16042 16043 432398 16041->16043 16057 406b98 16042->16057 16043->16039 16045 432334 16046 432356 16045->16046 16047 407250 12 API calls 16045->16047 16063 4097e8 16046->16063 16047->16046 16051 43236a 16068 4197d8 GetModuleHandleW 16051->16068 16054 409308 31 API 
calls 16055 43237b 16054->16055 16073 419114 16055->16073 16059 406ba4 16057->16059 16062 406bd5 16059->16062 16083 406ae0 16059->16083 16088 406b34 16059->16088 16093 406b84 16059->16093 16062->16045 16064 403f2c 12 API calls 16063->16064 16065 4097f5 16064->16065 16066 418ea8 GetVersionExW 16065->16066 16067 418ebf 16066->16067 16067->16051 16069 4197f9 16068->16069 16070 4197e9 16068->16070 16069->16054 16096 40a664 16070->16096 16074 41911c 16073->16074 16074->16074 16103 419080 GetThreadLocale 16074->16103 16079 407ddc 16 API calls 16080 41915d 16079->16080 16081 407c58 14 API calls 16080->16081 16082 41917b 16081->16082 16082->16043 16084 409b90 58 API calls 16083->16084 16085 406b03 16084->16085 16086 406f44 12 API calls 16085->16086 16087 406b27 16086->16087 16087->16059 16089 409b90 58 API calls 16088->16089 16090 406b57 16089->16090 16091 406f44 12 API calls 16090->16091 16092 406b76 16091->16092 16092->16059 16094 409b90 58 API calls 16093->16094 16095 406b93 16094->16095 16095->16059 16097 40a691 16096->16097 16098 40a686 GetProcAddress 16096->16098 16101 40a6a8 GetProcAddress 16097->16101 16099 40a6b1 16098->16099 16100 406f68 12 API calls 16099->16100 16102 40a6c6 16100->16102 16101->16099 16102->16069 16104 4190ab 16103->16104 16105 4190ec 16104->16105 16182 419024 GetCPInfo 16104->16182 16107 416d5c 16105->16107 16108 416d64 16107->16108 16108->16108 16109 416d6b IsValidLocale 16108->16109 16110 416d93 16109->16110 16111 416d8c GetThreadLocale 16109->16111 16112 408408 16 API calls 16110->16112 16111->16110 16113 416dab 16112->16113 16184 417560 16113->16184 16122 407250 12 API calls 16123 416de5 16122->16123 16124 416ce4 13 API calls 16123->16124 16125 416dfa 16124->16125 16126 416ce4 13 API calls 16125->16126 16127 416e1c 16126->16127 16237 416d30 GetLocaleInfoW 16127->16237 16130 416d30 GetLocaleInfoW 16131 416e53 16130->16131 16132 416ce4 13 API calls 16131->16132 16133 416e6f 16132->16133 16134 416d30 GetLocaleInfoW 16133->16134 16135 416e8c 
16134->16135 16239 417880 16135->16239 16138 407250 12 API calls 16139 416eb3 16138->16139 16140 417880 14 API calls 16139->16140 16141 416ecd 16140->16141 16142 407250 12 API calls 16141->16142 16143 416ed8 16142->16143 16144 416d30 GetLocaleInfoW 16143->16144 16145 416ee8 16144->16145 16146 416ce4 13 API calls 16145->16146 16147 416f01 16146->16147 16148 407250 12 API calls 16147->16148 16149 416f0c 16148->16149 16150 416ce4 13 API calls 16149->16150 16151 416f21 16150->16151 16152 407250 12 API calls 16151->16152 16153 416f2c 16152->16153 16154 406f44 12 API calls 16153->16154 16155 416f34 16154->16155 16156 406f44 12 API calls 16155->16156 16157 416f3c 16156->16157 16158 416ce4 13 API calls 16157->16158 16159 416f51 16158->16159 16160 416f5f 16159->16160 16161 416f6e 16159->16161 16162 407298 12 API calls 16160->16162 16163 407298 12 API calls 16161->16163 16164 416f6c 16162->16164 16163->16164 16165 416ce4 13 API calls 16164->16165 16167 416f90 16165->16167 16166 416fce 16168 407850 12 API calls 16166->16168 16167->16166 16169 416ce4 13 API calls 16167->16169 16170 416ff8 16168->16170 16171 416fb3 16169->16171 16172 407850 12 API calls 16170->16172 16174 416fc1 16171->16174 16175 416fd0 16171->16175 16173 417013 16172->16173 16176 416d30 GetLocaleInfoW 16173->16176 16177 407298 12 API calls 16174->16177 16178 407298 12 API calls 16175->16178 16179 417023 16176->16179 16177->16166 16178->16166 16180 406fa4 12 API calls 16179->16180 16181 41704a 16180->16181 16181->16079 16183 41903d 16182->16183 16183->16105 16262 40608c 16184->16262 16191 408408 16 API calls 16192 4175c7 16191->16192 16193 416ce4 13 API calls 16192->16193 16194 4175df 16193->16194 16195 4175f8 GetThreadLocale EnumCalendarInfoW 16194->16195 16196 41764b 16194->16196 16203 417615 16195->16203 16197 41771f 16196->16197 16198 408408 16 API calls 16196->16198 16201 408408 16 API calls 16197->16201 16199 417678 16198->16199 16202 407250 12 API calls 16199->16202 16200 417633 GetThreadLocale 
EnumCalendarInfoW 16200->16197 16204 417742 16201->16204 16205 41768a 16202->16205 16203->16200 16203->16203 16207 41777f 16204->16207 16211 407ddc 16 API calls 16204->16211 16287 416bc8 16205->16287 16210 408408 16 API calls 16207->16210 16208 4176b8 16209 4176bd GetThreadLocale EnumCalendarInfoW 16208->16209 16215 4176ec 16209->16215 16212 417796 16210->16212 16211->16204 16291 406338 16212->16291 16213 41770c GetThreadLocale EnumCalendarInfoW 16213->16197 16215->16213 16215->16215 16217 417248 16220 41727b 16217->16220 16218 417814 59 API calls 16218->16220 16219 407250 12 API calls 16219->16220 16220->16218 16220->16219 16221 4172d8 16220->16221 16222 406fa4 12 API calls 16221->16222 16223 416dc0 16222->16223 16224 417304 16223->16224 16227 41732e 16224->16227 16225 407250 12 API calls 16225->16227 16226 417814 59 API calls 16226->16227 16227->16225 16227->16226 16228 41737e 16227->16228 16229 406fa4 12 API calls 16228->16229 16230 416dc9 16229->16230 16231 416ce4 GetLocaleInfoW 16230->16231 16232 416d0b 16231->16232 16233 416d1d 16231->16233 16234 40709c 12 API calls 16232->16234 16235 407250 12 API calls 16233->16235 16236 416d1b 16234->16236 16235->16236 16236->16122 16238 416d4c 16237->16238 16238->16130 16240 406f44 12 API calls 16239->16240 16241 4178bb 16240->16241 16242 416ce4 13 API calls 16241->16242 16243 4178cc 16242->16243 16244 416ce4 13 API calls 16243->16244 16245 4178e1 16244->16245 16246 4178fa 16245->16246 16260 417969 16245->16260 16247 417951 16246->16247 16255 417916 16246->16255 16248 407250 12 API calls 16247->16248 16250 41794f 16248->16250 16249 419dd0 CompareStringW 16249->16260 16251 406fa4 12 API calls 16250->16251 16252 417aa7 16251->16252 16254 406f44 12 API calls 16252->16254 16256 416ea8 16254->16256 16255->16250 16258 407770 12 API calls 16255->16258 16351 40761c 16255->16351 16256->16138 16258->16255 16259 407770 12 API calls 16259->16260 16260->16249 16260->16250 16260->16259 16261 40761c 12 API calls 16260->16261 16354 
419ff8 16260->16354 16261->16260 16263 406095 16262->16263 16264 40609c 16262->16264 16265 404068 12 API calls 16263->16265 16266 4063c0 16264->16266 16265->16264 16267 4063c7 16266->16267 16268 4063e2 16267->16268 16298 4060b8 16267->16298 16272 406158 16268->16272 16270 4063d4 16270->16268 16271 403f48 12 API calls 16270->16271 16271->16268 16280 406166 16272->16280 16274 4061b4 16274->16191 16275 40618f GetTickCount 16275->16280 16276 406202 GetTickCount 16276->16274 16276->16280 16277 406239 GetTickCount 16323 406350 16277->16323 16278 4061a7 GetTickCount 16278->16274 16278->16280 16280->16274 16280->16275 16280->16276 16280->16277 16280->16278 16282 4061d7 GetCurrentThreadId 16280->16282 16311 4063f4 GetCurrentThreadId 16280->16311 16316 405f08 16280->16316 16282->16274 16283 406263 GetTickCount 16284 406249 16283->16284 16284->16277 16284->16283 16285 4062cd 16284->16285 16285->16274 16286 4062d3 GetCurrentThreadId 16285->16286 16286->16274 16288 416be0 16287->16288 16289 416bee 16288->16289 16327 4146bc 16288->16327 16289->16208 16292 40608c 12 API calls 16291->16292 16293 406340 16292->16293 16294 4063c0 15 API calls 16293->16294 16295 406347 16294->16295 16342 4062f0 16295->16342 16299 4060c1 16298->16299 16301 4060c6 16298->16301 16302 405f90 GetModuleHandleW GetProcAddress 16299->16302 16301->16270 16303 405fb9 16302->16303 16308 40600e 16302->16308 16304 405fc8 GetLastError 16303->16304 16303->16308 16305 405fd2 16304->16305 16304->16308 16306 403f2c 12 API calls 16305->16306 16307 405fda 16306->16307 16307->16308 16309 403f48 12 API calls 16307->16309 16308->16301 16310 40603b 16309->16310 16310->16301 16312 406401 16311->16312 16313 406408 16311->16313 16312->16280 16314 40642f 16313->16314 16315 40641c GetCurrentThreadId 16313->16315 16314->16280 16315->16314 16317 405f13 16316->16317 16318 405f42 16317->16318 16319 405f39 Sleep 16317->16319 16320 405f61 16317->16320 16321 405f51 Sleep 16318->16321 16322 405f5a SwitchToThread 16318->16322 
16319->16320 16320->16280 16321->16320 16322->16320 16324 4063a9 16323->16324 16325 406362 16323->16325 16324->16284 16325->16324 16326 406390 Sleep 16325->16326 16326->16325 16332 418058 16327->16332 16329 4146cd 16336 406730 16329->16336 16333 41805f 16332->16333 16334 409b90 58 API calls 16333->16334 16335 418077 16334->16335 16335->16329 16337 406734 16336->16337 16338 40673e 16336->16338 16339 406e94 12 API calls 16337->16339 16340 404004 12 API calls 16338->16340 16341 40677c 16338->16341 16339->16338 16340->16341 16347 4060a0 GetCurrentThreadId 16342->16347 16344 406327 16344->16217 16346 406350 Sleep 16346->16344 16348 4060b4 16347->16348 16349 4060ad 16347->16349 16348->16344 16348->16346 16350 404068 12 API calls 16349->16350 16350->16348 16352 40709c 12 API calls 16351->16352 16353 407629 16352->16353 16353->16255 16355 407938 12 API calls 16354->16355 16356 41a014 16355->16356 16356->16260 16358 42ee7b 16357->16358 16359 42ee57 RegQueryValueExW 16357->16359 16358->15883 16359->16358 16360 42ee7f RegOpenKeyExW 16359->16360 16360->16358 16361 42ee9a RegQueryValueExW 16360->16361 16361->16358 16363 42e90b 16362->16363 16364 407250 12 API calls 16363->16364 16365 42e93a 16364->16365 16366 403f2c 12 API calls 16365->16366 16367 42e970 16366->16367 16375 42e5a4 16367->16375 16370 406f44 12 API calls 16371 42e9a1 16370->16371 16371->15886 16373 403f48 12 API calls 16372->16373 16374 42e9b6 16373->16374 16374->15894 16376 407298 12 API calls 16375->16376 16377 42e5d1 16376->16377 16378 40761c 12 API calls 16377->16378 16379 407770 12 API calls 16377->16379 16386 42e607 16377->16386 16378->16377 16379->16377 16380 42e683 16381 406f44 12 API calls 16380->16381 16382 42e698 16381->16382 16383 406f44 12 API calls 16382->16383 16385 42e6a0 16383->16385 16385->16370 16386->16380 16387 4073fc 16386->16387 16388 407374 16387->16388 16389 406eb0 12 API calls 16388->16389 16390 4073af 16388->16390 16391 40738b 16389->16391 16390->16386 16391->16390 16392 403f48 12 API 
calls 16391->16392 16392->16390 16394 4054f3 16393->16394 16395 405504 16393->16395 16412 40502c 16394->16412 16397 405515 16395->16397 16431 404f94 16395->16431 16398 405522 16397->16398 16404 40554f 16397->16404 16401 40502c 12 API calls 16398->16401 16400 4054fd 16402 406f68 12 API calls 16400->16402 16405 405537 16401->16405 16403 4054cb 16402->16403 16403->15902 16404->16400 16406 40502c 12 API calls 16404->16406 16437 404fd8 16405->16437 16407 405588 16406->16407 16444 407404 16407->16444 16411 404fd8 12 API calls 16411->16400 16413 405097 16412->16413 16414 40504d 16412->16414 16416 407518 12 API calls 16413->16416 16430 4050c9 16413->16430 16450 407518 16414->16450 16418 4050a7 16416->16418 16421 407404 12 API calls 16418->16421 16419 407404 12 API calls 16422 405064 16419->16422 16420 406f68 12 API calls 16423 4050e5 16420->16423 16424 4050af 16421->16424 16422->16413 16429 409de4 12 API calls 16422->16429 16422->16430 16459 40534c 16422->16459 16423->16400 16425 40534c 12 API calls 16424->16425 16427 4050c4 16425->16427 16428 409de4 12 API calls 16427->16428 16428->16430 16429->16422 16430->16420 16432 404f9f 16431->16432 16433 404fb9 16432->16433 16470 4043e8 16432->16470 16435 404fd2 16433->16435 16436 4040a0 12 API calls 16433->16436 16435->16397 16436->16435 16438 404fe4 16437->16438 16441 404fec 16437->16441 16439 404f94 12 API calls 16438->16439 16439->16441 16440 405023 16440->16400 16441->16440 16442 4040a0 12 API calls 16441->16442 16443 40501e 16442->16443 16443->16400 16445 4073b8 16444->16445 16446 406ef0 12 API calls 16445->16446 16447 405590 16445->16447 16448 4073d3 16446->16448 16447->16411 16448->16447 16449 403f48 12 API calls 16448->16449 16449->16447 16451 40752a 16450->16451 16458 407567 16450->16458 16453 407559 16451->16453 16456 40753e 16451->16456 16452 406f68 12 API calls 16454 40505c 16452->16454 16455 406ef0 12 API calls 16453->16455 16454->16419 16455->16458 16457 403f60 12 API calls 16456->16457 16457->16454 16458->16452 
16460 405373 16459->16460 16461 40538a 16460->16461 16463 404f94 12 API calls 16460->16463 16467 4053b8 16460->16467 16464 4053bc 16461->16464 16468 40539b 16461->16468 16462 406f44 12 API calls 16465 4053e7 16462->16465 16463->16461 16466 4054c4 12 API calls 16464->16466 16465->16422 16466->16467 16467->16462 16469 404fd8 12 API calls 16468->16469 16469->16467 16473 404378 16470->16473 16476 404388 16473->16476 16477 40438e 16473->16477 16474 4043d5 16474->16433 16475 4040a0 12 API calls 16475->16474 16476->16477 16479 404788 16476->16479 16477->16474 16477->16475 16480 4047c7 16479->16480 16481 404798 16479->16481 16482 4047c5 16480->16482 16483 4040a0 12 API calls 16480->16483 16481->16480 16484 40479e 16481->16484 16482->16477 16483->16482 16484->16482 16485 4040a0 12 API calls 16484->16485 16485->16482 16487 405195 16486->16487 16488 40519d 16486->16488 16489 404f94 12 API calls 16487->16489 16490 4051c4 16488->16490 16491 4051af 16488->16491 16489->16488 16493 40522c IsDBCSLeadByteEx 16490->16493 16494 4051ea 16490->16494 16492 404fd8 12 API calls 16491->16492 16495 4051bf 16492->16495 16493->16494 16494->16495 16500 4050f8 16494->16500 16495->15903 16498 404728 12 API calls 16497->16498 16499 404784 16498->16499 16499->15803 16507 407128 16500->16507 16503 4054c4 12 API calls 16504 405140 16503->16504 16505 406f44 12 API calls 16504->16505 16506 40516f 16505->16506 16506->16495 16508 407143 16507->16508 16509 40714c 16507->16509 16510 406f44 12 API calls 16508->16510 16511 407185 16509->16511 16522 407080 16509->16522 16513 405132 16510->16513 16512 4076f0 12 API calls 16511->16512 16515 407191 16512->16515 16513->16503 16517 407080 MultiByteToWideChar 16515->16517 16519 4071a2 16517->16519 16518 407174 16520 40709c 12 API calls 16518->16520 16521 4076f0 12 API calls 16519->16521 16520->16513 16521->16513 16525 409c24 MultiByteToWideChar 16522->16525 16524 407094 16524->16511 16524->16518 16525->16524 16527 406f44 12 API calls 16526->16527 16528 4042a0 
16527->16528 16529 4042c2 GetCommandLineW 16528->16529 16530 4042a4 GetModuleFileNameW 16528->16530 16531 4042c9 16529->16531 16532 40709c 12 API calls 16530->16532 16533 4042c0 16531->16533 16543 4041d0 16531->16543 16532->16533 16535 415070 16533->16535 16536 4150a0 16535->16536 16537 419ff8 12 API calls 16536->16537 16538 4150cb 16537->16538 16539 4077c8 12 API calls 16538->16539 16540 4150d7 16539->16540 16541 406f44 12 API calls 16540->16541 16542 4150ec 16541->16542 16542->15915 16544 4041d8 16543->16544 16545 4076f0 12 API calls 16544->16545 16546 40423f 16545->16546 16546->16531 16548 42d88e 16547->16548 16555 42d8a0 16547->16555 16549 42d8e3 CreateFileW 16548->16549 16550 42d95c CreateFileW 16548->16550 16548->16555 16551 42d913 CreateFileW 16549->16551 16552 42d9a5 _open_osfhandle 16549->16552 16550->16552 16553 42d980 GetLastError 16550->16553 16551->16552 16554 42d937 GetLastError 16551->16554 16552->16555 16556 42d9be 16552->16556 16553->16555 16554->16555 16555->15919 16568 41e3bc _get_osfhandle GetFileType 16556->16568 16559 42d9cd GetFileSize 16559->16555 16560 42d9dd SetFilePointer GetLastError 16559->16560 16561 42da26 ReadFile 16560->16561 16562 42da0c 16560->16562 16564 42da40 SetFilePointer 16561->16564 16565 42da55 16561->16565 16562->16561 16563 42da15 16562->16563 16563->16555 16566 42da1a _close 16563->16566 16564->16565 16565->16555 16567 42da5d SetFilePointer 16565->16567 16566->16555 16567->16555 16569 41e410 16568->16569 16570 41e3da 16568->16570 16569->16555 16569->16559 16571 41e3e6 GetStdHandle 16570->16571 16572 41e3df 16570->16572 16575 41e405 GetConsoleMode 16571->16575 16573 41e3f1 GetStdHandle 16572->16573 16574 41e3e1 16572->16574 16573->16575 16576 41e3e4 16574->16576 16577 41e3fc GetStdHandle 16574->16577 16575->16569 16576->16575 16577->16575 16579 4049d6 16578->16579 16585 4049df 16578->16585 16579->16585 16595 407038 16579->16595 16580 404a6a 16605 404b6c 16580->16605 16581 404a4d 16599 4048b8 16581->16599 16585->16580 
16585->16581 16594 404a29 16585->16594 16586 406f68 12 API calls 16587 404b2a 16586->16587 16587->15924 16588 404aa6 16588->16594 16631 4071cc 16588->16631 16589 404a78 16589->16588 16591 404b6c 15 API calls 16589->16591 16589->16594 16591->16588 16592 404ace 16593 407404 12 API calls 16592->16593 16592->16594 16593->16594 16594->16586 16596 407044 16595->16596 16644 409bfc WideCharToMultiByte 16596->16644 16598 40705d 16598->16585 16600 4048cc 16599->16600 16602 4048d3 16599->16602 16645 40487c 16600->16645 16603 4040a0 12 API calls 16602->16603 16604 4048ed 16602->16604 16603->16604 16604->16594 16606 404ba6 16605->16606 16607 404b9d 16605->16607 16609 404c12 16606->16609 16610 404c2f 16606->16610 16630 404bf3 16606->16630 16607->16606 16608 407080 MultiByteToWideChar 16607->16608 16608->16606 16654 40492c 16609->16654 16612 4048b8 12 API calls 16610->16612 16613 404c38 16612->16613 16616 404c8e IsDBCSLeadByteEx 16613->16616 16618 404c54 16613->16618 16613->16630 16614 406f44 12 API calls 16615 404d72 16614->16615 16617 406f68 12 API calls 16615->16617 16616->16618 16619 404d7a 16617->16619 16620 407518 12 API calls 16618->16620 16619->16589 16621 404cba 16620->16621 16660 407a34 16621->16660 16624 407404 12 API calls 16625 404cd3 16624->16625 16626 4048b8 12 API calls 16625->16626 16627 404d0c 16625->16627 16628 407404 12 API calls 16625->16628 16626->16625 16629 4073fc 12 API calls 16627->16629 16627->16630 16628->16625 16629->16630 16630->16614 16632 4071e6 16631->16632 16633 4071ef 16631->16633 16634 406f68 12 API calls 16632->16634 16635 407038 WideCharToMultiByte 16633->16635 16643 4071ed 16634->16643 16636 40720f 16635->16636 16637 407518 12 API calls 16636->16637 16638 40721c 16637->16638 16639 407220 16638->16639 16640 40723e 16638->16640 16641 407038 WideCharToMultiByte 16639->16641 16642 406f68 12 API calls 16640->16642 16641->16643 16642->16643 16643->16592 16644->16598 16646 404887 16645->16646 16647 404899 16645->16647 16651 4043dc 16646->16651 
16649 4048b2 16647->16649 16650 4040a0 12 API calls 16647->16650 16649->16602 16650->16649 16652 404378 12 API calls 16651->16652 16653 4043e5 16652->16653 16653->16647 16655 404942 16654->16655 16657 404949 16654->16657 16656 40487c 12 API calls 16655->16656 16656->16657 16658 4040a0 12 API calls 16657->16658 16659 404963 16657->16659 16658->16659 16659->16630 16661 407a62 16660->16661 16662 407b4a 16661->16662 16666 407a9c 16661->16666 16674 407b48 16661->16674 16675 4073b8 16662->16675 16663 406f44 12 API calls 16665 404ccb 16663->16665 16665->16624 16667 407298 12 API calls 16666->16667 16668 407ab9 16666->16668 16667->16668 16669 407038 WideCharToMultiByte 16668->16669 16670 407af3 16669->16670 16671 407518 12 API calls 16670->16671 16672 407b00 16671->16672 16673 407038 WideCharToMultiByte 16672->16673 16672->16674 16673->16674 16674->16663 16676 4073f5 16675->16676 16677 4073be 16675->16677 16676->16674 16677->16676 16678 406ef0 12 API calls 16677->16678 16679 4073d3 16678->16679 16679->16676 16680 403f48 12 API calls 16679->16680 16680->16676 16681->15927 16823 41c444 GetEnvironmentStringsW 16682->16823 16687 42b8f4 16688 42b918 16687->16688 16689 42b928 RegOpenKeyW 16688->16689 16691 42b991 RegQueryValueExW 16688->16691 16692 42b638 16688->16692 16693 42b9d4 RegQueryValueExW 16688->16693 16694 42b981 _wtol 16688->16694 16695 42ba17 RegQueryValueExW 16688->16695 16696 42ba5e RegQueryValueExW 16688->16696 16697 42b9c4 _wtol 16688->16697 16698 42baa5 RegCloseKey 16688->16698 16699 42ba07 _wtol 16688->16699 16700 42ba48 wcstol 16688->16700 16701 42ba8f wcstol 16688->16701 16689->16688 16690 42b93e RegQueryValueExW 16689->16690 16690->16688 16690->16691 16691->16688 16691->16693 16692->15934 16693->16688 16693->16695 16694->16691 16695->16688 16695->16696 16696->16688 16696->16698 16697->16693 16698->16688 16699->16695 16700->16696 16701->16698 16703 41e4f9 16702->16703 16704 41e4ea GetCurrentDirectoryW 16702->16704 16856 41c4b8 GetEnvironmentVariableW 
16703->16856 16706 41e52c 16704->16706 16706->15939 16989 41c71c 16707->16989 16710 42c6ac 168 API calls 16711 42c0ed 16710->16711 16712 42c119 GetModuleFileNameW 16711->16712 16714 409b90 58 API calls 16711->16714 16713 41c4b8 168 API calls 16712->16713 16715 42c130 16713->16715 16716 42c102 16714->16716 16718 42c143 16715->16718 16991 41c740 16715->16991 16717 42d674 168 API calls 16716->16717 16719 42c10f 16717->16719 16721 41c4b8 168 API calls 16718->16721 16722 42c398 168 API calls 16719->16722 16723 42c14d 16721->16723 16722->16712 16724 42c160 16723->16724 16725 41c740 15 API calls 16723->16725 16726 41c4b8 168 API calls 16724->16726 16725->16724 16727 42c16a 16726->16727 16728 42c17d 16727->16728 16729 41c740 15 API calls 16727->16729 16730 41c4b8 168 API calls 16728->16730 16729->16728 16734 42c187 16730->16734 16731 42c1ff 16732 41c4b8 168 API calls 16731->16732 16733 42c209 16732->16733 17002 41e918 16733->17002 16734->16731 16743 42c1b3 16734->16743 16998 414708 16734->16998 16736 41c740 15 API calls 16736->16731 16738 41c67c 168 API calls 16740 42c239 16738->16740 16741 406fa4 12 API calls 16740->16741 16742 42b6a9 16741->16742 16744 42bbb4 16742->16744 16743->16736 16759 42bbbd 16744->16759 16745 406fa4 12 API calls 16746 42b6b3 16745->16746 16746->15943 16746->15948 16747 42c398 168 API calls 16747->16759 16748 42bc7c 16750 42c6ac 168 API calls 16748->16750 16749 409b90 58 API calls 16749->16759 16752 42bca4 16750->16752 16751 42d674 168 API calls 16751->16759 16753 409b90 58 API calls 16752->16753 16760 42bcd9 16752->16760 16754 42bcbc 16753->16754 16755 42d674 168 API calls 16754->16755 16756 42bccf 16755->16756 16757 42c398 168 API calls 16756->16757 16757->16760 16758 42bdd2 16758->16745 16759->16747 16759->16748 16759->16749 16759->16751 16759->16758 16760->16758 17040 425a84 16760->17040 16763 42d683 16762->16763 16763->16763 17251 42d6ac 16763->17251 16766 41e900 16767 41e904 16766->16767 16768 41e90c 16766->16768 16769 41e6c0 168 API calls 
16767->16769 16770 41e6c0 168 API calls 16768->16770 16771 41e90b 16769->16771 16772 41e916 16770->16772 16771->15943 16772->15943 16774 41ad5d 16773->16774 16775 41ad7a GetLocaleInfoW 16774->16775 16776 41ada3 GetLocaleInfoW 16775->16776 16777 41ad8c 16775->16777 16778 41adb2 16776->16778 16777->16776 16779 41adcf GetLocaleInfoW 16778->16779 16780 41adde 16779->16780 16781 41adfb GetLocaleInfoW 16780->16781 16782 41ae78 GetLocaleInfoW 16781->16782 16785 41ae14 16781->16785 16783 41ae87 16782->16783 16784 41aea4 GetLocaleInfoW 16783->16784 16786 41aeb3 16784->16786 16785->16782 16787 41aed0 GetLocaleInfoW 16786->16787 16788 41aedf 16787->16788 16789 41aefc GetLocaleInfoW 16788->16789 16790 41af0b 16789->16790 16791 41af28 GetLocaleInfoW 16790->16791 16792 41af37 16791->16792 16793 41af54 GetLocaleInfoW 16792->16793 16794 41af63 16793->16794 16795 41af80 GetLocaleInfoW 16794->16795 16796 41af8f 16795->16796 16797 41afac GetLocaleInfoW 16796->16797 16798 41afbb 16797->16798 16799 41afd8 GetLocaleInfoW 16798->16799 16800 41afe7 16799->16800 16801 41b004 GetLocaleInfoW 16800->16801 16802 41b013 16801->16802 16802->15945 16804 41e496 16803->16804 16807 41e4cc 16803->16807 16805 41e4a2 GetStdHandle 16804->16805 16806 41e49b 16804->16806 16810 41e4c1 GetConsoleMode 16805->16810 16808 41e4ad GetStdHandle 16806->16808 16809 41e49d 16806->16809 16807->15958 16807->15966 16807->15967 16808->16810 16811 41e4a0 16809->16811 16812 41e4b8 GetStdHandle 16809->16812 16810->16807 16811->16810 16812->16810 16814 423881 GetStdHandle GetConsoleScreenBufferInfo 16813->16814 16816 42387a 16813->16816 16815 423899 FillConsoleOutputAttribute SetConsoleTextAttribute 16814->16815 16814->16816 16815->16816 16816->15958 16818 42d60c 16817->16818 16819 42d6ac 168 API calls 16818->16819 16820 42d646 16819->16820 16821 406f44 12 API calls 16820->16821 16822 42b7fc 16821->16822 16822->15974 16822->15975 16824 41c489 16823->16824 16825 41c455 16823->16825 16829 41c67c 16824->16829 16826 403f2c 12 

      Control-flow Graph

      APIs
      • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,004095C0,?,?), ref: 00409532
      • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,004095C0,?,?), ref: 0040953B
        • Part of subcall function 004093C8: FindFirstFileW.KERNEL32(00000000,?,00000000,00409426,?,00000001), ref: 004093FB
        • Part of subcall function 004093C8: FindClose.KERNEL32(00000000,00000000,?,00000000,00409426,?,00000001), ref: 0040940B
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
      • String ID:
      • API String ID: 3216391948-0
      • Opcode ID: 5e425b5381f49e77debb17cb532570a91ce03e2471ae4a664c4b302440e7807d
      • Instruction ID: 071e64af6b88f542872354593d617c80015b1f849b8bb04898bb7fc151495cb3
      • Opcode Fuzzy Hash: 5e425b5381f49e77debb17cb532570a91ce03e2471ae4a664c4b302440e7807d
      • Instruction Fuzzy Hash: 7C116670A042099FDB04EBA6D992AADB3F8EF49304F50447EF905B32C2D7786F048769

      Control-flow Graph

      APIs
      • FindFirstFileW.KERNEL32(00000000,?,00000000,00409426,?,00000001), ref: 004093FB
      • FindClose.KERNEL32(00000000,00000000,?,00000000,00409426,?,00000001), ref: 0040940B
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Find$CloseFileFirst
      • String ID:
      • API String ID: 2295610775-0
      • Opcode ID: b344a49cfde1689ea3054574d788de18550e4a209e79c5a6a29cb86aee5296c7
      • Instruction ID: 30c26af4e475a8533fb64ed181d0bc5ec4e7e29dd092294426818dad85e2bdff
      • Opcode Fuzzy Hash: b344a49cfde1689ea3054574d788de18550e4a209e79c5a6a29cb86aee5296c7
      • Instruction Fuzzy Hash: 35F0E271908608AEC710EBB5DD1295EB3ECEB493247A109B7B800F25C2EA3CAF10951D
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: InfoSystem
      • String ID:
      • API String ID: 31276548-0
      • Opcode ID: 77aadbaf1419b8ce617d9818894e266f742206cc870b6c8e8026940cf331f8f7
      • Instruction ID: 92718fd32b649ffd1c7789a63053aa7737a3fda4e5e7f101603dfa55f598ec14
      • Opcode Fuzzy Hash: 77aadbaf1419b8ce617d9818894e266f742206cc870b6c8e8026940cf331f8f7
      • Instruction Fuzzy Hash: 06A012104085000AC404A7394D4740F31C42945514FC40224785CB52C2E62D866843DB

      Control-flow Graph

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,00409211,?,?), ref: 00409025
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,00409211,?,?), ref: 0040906E
      • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,00409211,?,?), ref: 00409090
      • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 004090AE
      • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 004090CC
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 004090EA
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00409108
      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,004091F4,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,00409211), ref: 00409148
      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,004091F4,?,80000001), ref: 00409173
      • RegCloseKey.ADVAPI32(?,004091FB,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,004091F4,?,80000001,Software\Embarcadero\Locales), ref: 004091EE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Open$QueryValue$CloseFileModuleName
      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
      • API String ID: 2701450724-3496071916
      • Opcode ID: 02cb05001f5eaad6fff4339b5af17fb9bc6815be3947461fd3347b4c018bfb3a
      • Instruction ID: a0cd080a1ff7527f2579847e9569a255959e0f2ed411b0715fcd69c9a807d56b
      • Opcode Fuzzy Hash: 02cb05001f5eaad6fff4339b5af17fb9bc6815be3947461fd3347b4c018bfb3a
      • Instruction Fuzzy Hash: 7B515871B4020DBEEB10EAA5CD46FAE73BCDB48704F50447BBA04F61C2D6B89E409659

      Control-flow Graph

      APIs
      • SetThreadUILanguage.KERNEL32(00000000,00000000,0043284C,?,?,?,?,00000000,00000000), ref: 00432480
      • _get_osfhandle.MSVCRT ref: 00432654
        • Part of subcall function 00409B90: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00409BD5
        • Part of subcall function 0042B5D8: InitializeCriticalSection.KERNEL32(0044E930,00000000,0042B88D,?,00000000), ref: 0042B613
        • Part of subcall function 0042B5D8: SetConsoleCtrlHandler.KERNEL32(0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B624
        • Part of subcall function 0042B5D8: GetWindowsDirectoryW.KERNEL32(0044E6EC,00000105,00000000,?, /c ,?,0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B706
        • Part of subcall function 0042B5D8: GetConsoleOutputCP.KERNEL32(?, /c ,?,0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B717
        • Part of subcall function 0042B5D8: GetCPInfo.KERNEL32(00000000,0044E8F8,?, /c ,?,0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B72C
        • Part of subcall function 0042B5D8: GetConsoleTitleW.KERNEL32(00000000,00000104,00000000,0044E8F8,?, /c ,?,0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B771
        • Part of subcall function 0042C398: ExitProcess.KERNEL32(00000000,00000000,00432828), ref: 0042C3B1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Console$CriticalCtrlDirectoryExitHandlerInfoInitializeLanguageLoadOutputProcessSectionStringThreadTitleWindows_get_osfhandle
      • String ID: <cC$BIN$CRC$TXT$T`C$``C$B$D
      • API String ID: 2958763707-2773022990
      • Opcode ID: 3a90bb429f451ce73e71aafb876a89f7a3c20cc72ecc5f47d944eaa56cab1f0b
      • Instruction ID: 05c674e6a89e990405df80dbf507ba3f9d9f23654c3176dc86012a4c3b5596b2
      • Opcode Fuzzy Hash: 3a90bb429f451ce73e71aafb876a89f7a3c20cc72ecc5f47d944eaa56cab1f0b
      • Instruction Fuzzy Hash: 48C15F746006018FD700FF6AE881A5A77E1FF89314B54957AE901AB3A6CB78FC41CB9D

      Control-flow Graph

      APIs
        • Part of subcall function 00417BE8: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00417D94), ref: 00417C1B
        • Part of subcall function 00417BE8: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00417C3F
        • Part of subcall function 00417BE8: GetModuleFileNameW.KERNEL32(MZP,?,00000105), ref: 00417C5A
        • Part of subcall function 00417BE8: LoadStringW.USER32(00000000,0000FFEA,?,00000100), ref: 00417CF5
      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,00417F05), ref: 00417E41
      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00417E74
      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00417E86
      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00417E8C
      • GetStdHandle.KERNEL32(000000F4,00417F20,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 00417EA0
      • WriteFile.KERNEL32(00000000,000000F4,00417F20,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00417EA6
      • LoadStringW.USER32(00000000,0000FFEB,?,00000040), ref: 00417ECA
      • MessageBoxW.USER32(00000000,?,?,00002010), ref: 00417EE4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
      • String ID: <cC$T`C
      • API String ID: 135118572-2907802301
      • Opcode ID: c830c6d019e0b2c82b1b22302c3ae2dd07d2ba64d974e9f814e6c5bfe0acd496
      • Instruction ID: 58906fad06aeeaf9f466d3d3253202a83cb380b9e0a52c9a91e9a57a9748e339
      • Opcode Fuzzy Hash: c830c6d019e0b2c82b1b22302c3ae2dd07d2ba64d974e9f814e6c5bfe0acd496
      • Instruction Fuzzy Hash: 17312DB2644204BFE714E765DC42FEA73ACEB04704F50817AB644F61D1DAB86E848B6D

      Control-flow Graph

      APIs
      • EnterCriticalSection.KERNEL32(00438B84,00000000,00408DBC,?,?,?,00000000,?,00409684,00000000,004096E3,?,?,00000000,00000000,00000000), ref: 00408CD6
      • LeaveCriticalSection.KERNEL32(00438B84,00438B84,00000000,00408DBC,?,?,?,00000000,?,00409684,00000000,004096E3,?,?,00000000,00000000), ref: 00408CFA
      • LeaveCriticalSection.KERNEL32(00438B84,00438B84,00000000,00408DBC,?,?,?,00000000,?,00409684,00000000,004096E3,?,?,00000000,00000000), ref: 00408D09
      • IsValidLocale.KERNEL32(00000000,00000002,00438B84,00438B84,00000000,00408DBC,?,?,?,00000000,?,00409684,00000000,004096E3), ref: 00408D1B
      • EnterCriticalSection.KERNEL32(00438B84,00000000,00000002,00438B84,00438B84,00000000,00408DBC,?,?,?,00000000,?,00409684,00000000,004096E3), ref: 00408D78
      • LeaveCriticalSection.KERNEL32(00438B84,00438B84,00000000,00000002,00438B84,00438B84,00000000,00408DBC,?,?,?,00000000,?,00409684,00000000,004096E3), ref: 00408DA1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: CriticalSection$Leave$Enter$LocaleValid
      • String ID: en-GB,en,en-US,
      • API String ID: 975949045-3021119265
      • Opcode ID: 1ee68946195f193d8b2c1b3f62ebaf0ca0bae414d7619bd794637c17c73039b4
      • Instruction ID: 3dc906d19139535a517bf05a43ec2f41213ab5801fe5d559e5ac7df0bf09f9e7
      • Opcode Fuzzy Hash: 1ee68946195f193d8b2c1b3f62ebaf0ca0bae414d7619bd794637c17c73039b4
      • Instruction Fuzzy Hash: BB21C3707107465AD714B7B68E03B1AA1949F99718FA0457FB480B32D2DEBCAD01826F

      Control-flow Graph

      (control-flow graph rendering for the function starting at 42ee28; Executed/Not Executed colouring and basic-block edge list omitted)
      APIs
      • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020019,?,00000000,00000000,0042EFAA,00400000,00000000,00400000,00000000,00000005,00000000,0042F0CD), ref: 0042EE4E
      • RegQueryValueExW.ADVAPI32(?,MachineGuid,00000000,?,?,?,80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020019,?,00000000,00000000,0042EFAA,00400000,00000000), ref: 0042EE72
      • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,MachineGuid,00000000,?,?,?,80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020019), ref: 0042EE91
      • RegQueryValueExW.ADVAPI32(?,MachineGuid,00000000,?,?,?,80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,MachineGuid,00000000,?,?), ref: 0042EEB5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: OpenQueryValue
      • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
      • API String ID: 4153817207-1211650757
      • Opcode ID: 7aeb374d09ccaf4faa7c7184a15372a46a3e12d2bcb6c6c10f605ca0fc949c19
      • Instruction ID: 4acd9089b50f56c747d35b13d68d7b592a5668b2c744b2dd2c07be4cd837ba67
      • Opcode Fuzzy Hash: 7aeb374d09ccaf4faa7c7184a15372a46a3e12d2bcb6c6c10f605ca0fc949c19
      • Instruction Fuzzy Hash: E811A5723443117BD310D993AD82FAB738C9F54744F550C2BBA40E71C6E678E80486AB

      Control-flow Graph

      (control-flow graph rendering for the function starting at 406d5c; Executed/Not Executed colouring and basic-block edge list omitted)
      APIs
      • GetCurrentThreadId.KERNEL32 ref: 00406D8D
      • FreeLibrary.KERNEL32(00400000,?,?,?,?,00406E92,0040401B,00404062,?,00000000,0040407B,?,?,?,?,00000000), ref: 00406E2E
      • ExitProcess.KERNEL32(00000001,?,?,?,?,00406E92,0040401B,00404062,?,00000000,0040407B,?,?,?,?,00000000), ref: 00406E6A
        • Part of subcall function 00406CC4: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00406D7D,?,?,?,?,00406E92,0040401B,00404062,?,00000000), ref: 00406CFD
        • Part of subcall function 00406CC4: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00406D7D,?,?,?,?,00406E92,0040401B,00404062,?), ref: 00406D03
        • Part of subcall function 00406CC4: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00406D7D,?,?,?), ref: 00406D1E
        • Part of subcall function 00406CC4: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00406D7D), ref: 00406D24
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
      • String ID: MZP
      • API String ID: 3490077880-2889622443
      • Opcode ID: db5ecf3e493b48906c9d6fc14bfd7c8e272e6dfb4ad713da9b1759fe41478d41
      • Instruction ID: 027523a471c850c2d6f5948c08cf4c6e9b43939df7d15fd5d14c5f77f5a4c2e5
      • Opcode Fuzzy Hash: db5ecf3e493b48906c9d6fc14bfd7c8e272e6dfb4ad713da9b1759fe41478d41
      • Instruction Fuzzy Hash: 6F316B646003528BE730AF79C44971BB6E4AF05318F16583FE446A73D1CBBCA9A4C75D

      Control-flow Graph

      (control-flow graph rendering for the function starting at 406d54; Executed/Not Executed colouring and basic-block edge list omitted)
      APIs
      • GetCurrentThreadId.KERNEL32 ref: 00406D8D
      • FreeLibrary.KERNEL32(00400000,?,?,?,?,00406E92,0040401B,00404062,?,00000000,0040407B,?,?,?,?,00000000), ref: 00406E2E
      • ExitProcess.KERNEL32(00000001,?,?,?,?,00406E92,0040401B,00404062,?,00000000,0040407B,?,?,?,?,00000000), ref: 00406E6A
        • Part of subcall function 00406CC4: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00406D7D,?,?,?,?,00406E92,0040401B,00404062,?,00000000), ref: 00406CFD
        • Part of subcall function 00406CC4: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00406D7D,?,?,?,?,00406E92,0040401B,00404062,?), ref: 00406D03
        • Part of subcall function 00406CC4: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00406D7D,?,?,?), ref: 00406D1E
        • Part of subcall function 00406CC4: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00406D7D), ref: 00406D24
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
      • String ID: MZP
      • API String ID: 3490077880-2889622443
      • Opcode ID: b345d8689da2649745ee8ce4969478b728c55c347d51a61831c1870b9deb212a
      • Instruction ID: 64baec8160611f0d12e964ee0f1bbc1b02591ea2685f4a2b1028bc1e3f95387a
      • Opcode Fuzzy Hash: b345d8689da2649745ee8ce4969478b728c55c347d51a61831c1870b9deb212a
      • Instruction Fuzzy Hash: 5E314964A043428ED731AFB9C44971BBBE0AF05319F16583FE046A72D2CB7CA8A4C75D

      Control-flow Graph

      (control-flow graph rendering for the function starting at 403e10; Executed/Not Executed colouring and basic-block edge list omitted)
      APIs
      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403E2E
      • VirtualFree.KERNEL32(00438AF8,00000000,00008000), ref: 00403EAA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: FreeVirtual
      • String ID: TjC$h0C
      • API String ID: 1263568516-2781714519
      • Opcode ID: 28025f4953048df38c8401b685c6974b0b01bed780533aa76f380f2bd7de03d2
      • Instruction ID: a2be80c46c8db117d9eeeff0df746457e332e92e65e0654445dab54c858edb7b
      • Opcode Fuzzy Hash: 28025f4953048df38c8401b685c6974b0b01bed780533aa76f380f2bd7de03d2
      • Instruction Fuzzy Hash: CD116DB16002009BD7649F199984716BAE4EB89711F16C57FE249EB381D778AD02CB98

      Control-flow Graph

      (control-flow graph rendering for the function starting at 40278c; Executed/Not Executed colouring and basic-block edge list omitted)
      APIs
      • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00402D9F,FFFFFFDC,00402A70), ref: 004027A2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID: TjC$TjC
      • API String ID: 4275171209-3370660221
      • Opcode ID: e09b7ca250215bd02166fe9cae5d380e964669fd141c4ea3df241ecc16fca971
      • Instruction ID: d58c566c32e20f241ab4f8b1cf21c9e0fdeb5a30aec7f5fa187c016e01894f2f
      • Opcode Fuzzy Hash: e09b7ca250215bd02166fe9cae5d380e964669fd141c4ea3df241ecc16fca971
      • Instruction Fuzzy Hash: 6EF04FB1B003415BEB45EF799D853017AD6E78A304F21D03EE609EB7D8D67584058B18

      Control-flow Graph

      (control-flow graph rendering for the function starting at 4095cc; Executed/Not Executed colouring and basic-block edge list omitted)
      APIs
      • GetUserDefaultUILanguage.KERNEL32(00000000,004096E3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040976A,00000000,?,00000105), ref: 00409677
      • GetSystemDefaultUILanguage.KERNEL32(00000000,004096E3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040976A,00000000,?,00000105), ref: 0040969F
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: DefaultLanguage$SystemUser
      • String ID:
      • API String ID: 384301227-0
      • Opcode ID: b62fc543054050e3ce69501bcf4300a57c0faefa39be0320ed61ca82e73c7ba2
      • Instruction ID: 08fb147fdbcebe08428e2cf7960e314bc20fac605dabfd1cf4f1766cf2536f83
      • Opcode Fuzzy Hash: b62fc543054050e3ce69501bcf4300a57c0faefa39be0320ed61ca82e73c7ba2
      • Instruction Fuzzy Hash: 24314170A142099FDB10EBA9C891AAEB7B5EF45304F50497BE400B33E2DB79AD41CB59

      Control-flow Graph

      (control-flow graph rendering for the function starting at 4068da; Executed/Not Executed colouring and basic-block edge list omitted)
      APIs
      • UnhandledExceptionFilter.KERNEL32(00000006), ref: 004068FB
      • RtlUnwind.KERNEL32(?,?,00000000,00000000), ref: 0040691C
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandledUnwind
      • String ID:
      • API String ID: 2354489195-0
      • Opcode ID: d6f31b83982de99da8382a4c2b0ef4a2cf49d2acc30aa13fc6fa3e0284d212f4
      • Instruction ID: 9f73ad73aa315f6702dbae8d4611e6fac1ed1bcee52eb92282eca4ee3201315f
      • Opcode Fuzzy Hash: d6f31b83982de99da8382a4c2b0ef4a2cf49d2acc30aa13fc6fa3e0284d212f4
      • Instruction Fuzzy Hash: 6E21C6752052019BEB24EF18C985B2B73A5AF44300F16C53AE846AB3D9C73CDC61DB5D

      Control-flow Graph

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,004097AA,?,?,00000000), ref: 0040972C
      • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,004097AA,?,?,00000000), ref: 0040977D
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: FileLibraryLoadModuleName
      • String ID:
      • API String ID: 1159719554-0
      • Opcode ID: 092220cb52d444f6877993d1257730cf6ceba111b2df17c8dac5e30885d2ecec
      • Instruction ID: 4b8ae59a8274ec1f7fe7bedadba4008a70b0768cba9215aaa869a0053a364d14
      • Opcode Fuzzy Hash: 092220cb52d444f6877993d1257730cf6ceba111b2df17c8dac5e30885d2ecec
      • Instruction Fuzzy Hash: BB11B271A4420C9FDB10EB94CC86BDE73B8DB14304F5104FAA408B32D1DA785F808A99

      Control-flow Graph

      (control-flow graph rendering for the function starting at 408478; Executed/Not Executed colouring and basic-block edge list omitted)
      APIs
      • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00408496
        • Part of subcall function 004096F0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,004097AA,?,?,00000000), ref: 0040972C
        • Part of subcall function 004096F0: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,004097AA,?,?,00000000), ref: 0040977D
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: FileModuleName$LibraryLoad
      • String ID:
      • API String ID: 4113206344-0
      • Opcode ID: 555b207bfeb04d72a20648cf77d3343bb5b89bfeb5ce74508b24d888fb9169c6
      • Instruction ID: 48c28891e3bf74db38ef62a4c3c9261bcb525cc5651df91a29b38cc91f364b49
      • Opcode Fuzzy Hash: 555b207bfeb04d72a20648cf77d3343bb5b89bfeb5ce74508b24d888fb9169c6
      • Instruction Fuzzy Hash: FDE0ED71A003109BCB10DE9CDAC5A4737D4AB48754F0449AAAD54DF387E779DD1087D5
      APIs
      • GetUserDefaultLCID.KERNEL32(?,00000000,00000000,0042B736,00000000,0044E8F8,?, /c ,?,0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0041AD47
      • GetLocaleInfoW.KERNEL32(00000000,0000001E,?,00000010,?,00000000,00000000,0042B736,00000000,0044E8F8,?, /c ,?,0042B5A8,000000FF,0044E930), ref: 0041AD54
      • GetLocaleInfoW.KERNEL32(00000000,00000023,?,00000080,00000000,0000001E,?,00000010,?,00000000,00000000,0042B736,00000000,0044E8F8,?, /c ), ref: 0041AD83
      • GetLocaleInfoW.KERNEL32(00000000,00000028,?,00000010,00000000,00000023,?,00000080,00000000,0000001E,?,00000010,?,00000000,00000000,0042B736), ref: 0041ADA9
      • GetLocaleInfoW.KERNEL32(00000000,00000029,?,00000010,00000000,00000028,?,00000010,00000000,00000023,?,00000080,00000000,0000001E,?,00000010), ref: 0041ADD5
      • GetLocaleInfoW.KERNEL32(00000000,00000021,?,00000080,00000000,00000029,?,00000010,00000000,00000028,?,00000010,00000000,00000023,?,00000080), ref: 0041AE0B
      • GetLocaleInfoW.KERNEL32(00000000,0000001D,?,00000010,00000000,00000021,?,00000080,00000000,00000029,?,00000010,00000000,00000028,?,00000010), ref: 0041AE7E
      • GetLocaleInfoW.KERNEL32(00000000,00000031,?,00000020,00000000,0000001D,?,00000010,00000000,00000021,?,00000080,00000000,00000029,?,00000010), ref: 0041AEAA
      • GetLocaleInfoW.KERNEL32(00000000,00000032,?,00000020,00000000,00000031,?,00000020,00000000,0000001D,?,00000010,00000000,00000021,?,00000080), ref: 0041AED6
      • GetLocaleInfoW.KERNEL32(00000000,00000033,?,00000020,00000000,00000032,?,00000020,00000000,00000031,?,00000020,00000000,0000001D,?,00000010), ref: 0041AF02
      • GetLocaleInfoW.KERNEL32(00000000,00000034,?,00000020,00000000,00000033,?,00000020,00000000,00000032,?,00000020,00000000,00000031,?,00000020), ref: 0041AF2E
      • GetLocaleInfoW.KERNEL32(00000000,00000035,?,00000020,00000000,00000034,?,00000020,00000000,00000033,?,00000020,00000000,00000032,?,00000020), ref: 0041AF5A
      • GetLocaleInfoW.KERNEL32(00000000,00000036,?,00000020,00000000,00000035,?,00000020,00000000,00000034,?,00000020,00000000,00000033,?,00000020), ref: 0041AF86
      • GetLocaleInfoW.KERNEL32(00000000,00000037,?,00000020,00000000,00000036,?,00000020,00000000,00000035,?,00000020,00000000,00000034,?,00000020), ref: 0041AFB2
      • GetLocaleInfoW.KERNEL32(00000000,0000000E,?,00000010,00000000,00000037,?,00000020,00000000,00000036,?,00000020,00000000,00000035,?,00000020), ref: 0041AFDE
      • GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000010,00000000,0000000E,?,00000010,00000000,00000037,?,00000020,00000000,00000036,?,00000020), ref: 0041B00A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: InfoLocale$DefaultUser
      • String ID: Fri$MM/dd/yydd/MM/yyyy/MM/dd/$Mon$Sat$Sun$Thu$Tue$Wed
      • API String ID: 183805406-2725659345
      • Opcode ID: 5083693fdfab4dd46d87d493b47507d16569c0fe72b83a0747a2d338eb38cc76
      • Instruction ID: b0dc7d32b17400cf10c49c6fb7f96ed95534bc07079b1885cfb9c23afacce83d
      • Opcode Fuzzy Hash: 5083693fdfab4dd46d87d493b47507d16569c0fe72b83a0747a2d338eb38cc76
      • Instruction Fuzzy Hash: 736152B535231052E23061660D46BDB0499CB49748F24883B7A54AA2C7DBBECDF742FF
      APIs
      • GetSystemTime.KERNEL32(?,00000000,0041B89C,?,00440F84,00000000,?), ref: 0041B3D2
      • SystemTimeToFileTime.KERNEL32(?,?,?,00000000,0041B89C,?,00440F84,00000000,?), ref: 0041B3E2
      • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,0041B89C,?,00440F84,00000000,?), ref: 0041B410
      • FileTimeToSystemTime.KERNEL32(?,?,?,?,00000000,0041B89C,?,00440F84,00000000,?), ref: 0041B420
      • GetUserDefaultLCID.KERNEL32(?,?,?,?,00000000,0041B89C,?,00440F84,00000000,?), ref: 0041B51D
      • GetLocaleInfoW.KERNEL32(00000000,0000001F,?,00000080,?,?,?,?,00000000,0041B89C,?,00440F84,00000000,?), ref: 0041B533
      • GetUserDefaultLCID.KERNEL32(00000000,0000001F,?,00000080,?,?,?,?,00000000,0041B89C,?,00440F84,00000000,?), ref: 0041B68E
      • GetDateFormatW.KERNEL32(?,00000000,?,?,?,?,00000000,0000001F,?,00000080,?,?,?,?,00000000,0041B89C), ref: 0041B6AC
      • GetUserDefaultLCID.KERNEL32(?,00000000,?,?,?,?,00000000,0000001F,?,00000080,?,?,?,?,00000000,0041B89C), ref: 0041B6BF
      • GetDateFormatW.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000000,?,?,?,?,00000000,0000001F,?,00000080), ref: 0041B6D9
      • GetUserDefaultLCID.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000000,?,?,?,?,00000000,0000001F,?,00000080), ref: 0041B70C
      • GetDateFormatW.KERNEL32(?,00000000,?,?,?,00000001,00000000,00000000,?,?,00000000,00000000,?,00000000,?,?), ref: 0041B72A
      • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000000,?,?,?,?,00000000,0000001F,?,00000080), ref: 0041B738
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Time$DefaultFileUser$DateFormatSystem$ErrorInfoLastLocalLocale
      • String ID: $%02d%s%02d%s%02d$%s $%s %s
      • API String ID: 3547417185-410911588
      • Opcode ID: 739a57e1ed726c5c988a130102d539851d89a3380d9257a2e666bf5c849069c7
      • Instruction ID: bd11bb6a77d30f9659ec2bfc6a68520022c60487f61cd20b3d88836a2d13d56e
      • Opcode Fuzzy Hash: 739a57e1ed726c5c988a130102d539851d89a3380d9257a2e666bf5c849069c7
      • Instruction Fuzzy Hash: 95F13C75E003189FDF10DBA9C8857EEB7F5EF49304F1440AAE908AB281D7789E85CB95
      APIs
      • GetSystemTime.KERNEL32(?,00440F84,00000000,?), ref: 0041B908
      • SystemTimeToFileTime.KERNEL32(?,?,?,00440F84,00000000,?), ref: 0041B915
      • FileTimeToLocalFileTime.KERNEL32(?,?,00440F84,00000000,?), ref: 0041B92C
      • FileTimeToSystemTime.KERNEL32(?,?,?,?,00440F84,00000000,?), ref: 0041B939
      • GetUserDefaultLCID.KERNEL32(?,?,?,?,00440F84,00000000,?), ref: 0041BBA3
      • GetLocaleInfoW.KERNEL32(00000000,00001003,?,00000080,?,?,?,?,00440F84,00000000,?), ref: 0041BBBC
      • GetUserDefaultLCID.KERNEL32(00000000,00001003,?,00000080,?,?,?,?,00440F84,00000000,?), ref: 0041BC7C
      • GetTimeFormatW.KERNEL32(00000000,00000002,?,?,?,00000020,00000000,00001003,?,00000080,?,?,?,?,00440F84,00000000), ref: 0041BC9A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Time$File$System$DefaultUser$FormatInfoLocalLocale
      • String ID: $%.2d%s%0.2d%s$%.2d%s%0.2d%s%0.2d%s%0.2d$HH:mm:ss t
      • API String ID: 1639527492-3485249401
      • Opcode ID: 0346bbf31d30e01cc993cd7f082ad59083b8ff36e5ef28fa0bde1c803d4b3688
      • Instruction ID: 656d066bc6f14210b78f0edb226831cdf3b533679f189d4a0789d57a772f5d8a
      • Opcode Fuzzy Hash: 0346bbf31d30e01cc993cd7f082ad59083b8ff36e5ef28fa0bde1c803d4b3688
      • Instruction Fuzzy Hash: 9DB16F71E043689ADB21CB65C8457EEB7F4EF49304F0481DAE548A7381EB784EC5CB9A
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 00408E19
      • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 00408E2A
      • FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?), ref: 00408F2A
      • FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 00408F3C
      • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?), ref: 00408F48
      • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?), ref: 00408F8D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
      • String ID: GetLongPathNameW$\$kernel32.dll
      • API String ID: 1930782624-3908791685
      • Opcode ID: 6529d149c9b23dd5294fa744df04069a21137189c2797ce175b25f5b08e93afd
      • Instruction ID: a81a4d77bda4d419970e4c857a27713445a2199e476d97cc489ac22f85a4bf6f
      • Opcode Fuzzy Hash: 6529d149c9b23dd5294fa744df04069a21137189c2797ce175b25f5b08e93afd
      • Instruction Fuzzy Hash: 6B418431A006199BCB10EAA4CE85ADEB3B6AF44310F5445BED584F73C0EB7C9E458B89
      APIs
      • FindResourceW.KERNEL32(00400000,00000000,00000005,00000000,0042F0CD,?,?,0044EA78,00000000), ref: 0042EF77
      • LoadResource.KERNEL32(00400000,00000000,00400000,00000000,00000005,00000000,0042F0CD,?,?,0044EA78,00000000), ref: 0042EF90
        • Part of subcall function 0042EE28: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020019,?,00000000,00000000,0042EFAA,00400000,00000000,00400000,00000000,00000005,00000000,0042F0CD), ref: 0042EE4E
        • Part of subcall function 0042EE28: RegQueryValueExW.ADVAPI32(?,MachineGuid,00000000,?,?,?,80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020019,?,00000000,00000000,0042EFAA,00400000,00000000), ref: 0042EE72
      • LockResource.KERNEL32(?,00400000,00000000,00400000,00000000,00000005,00000000,0042F0CD,?,?,0044EA78,00000000), ref: 0042EFBB
      • SizeofResource.KERNEL32(00400000,?,?,00400000,00000000,00400000,00000000,00000005,00000000,0042F0CD,?,?,0044EA78,00000000), ref: 0042EFCD
      • FreeResource.KERNEL32(?,00400000,?,?,00400000,00000000,00400000,00000000,00000005,00000000,0042F0CD,?,?,0044EA78,00000000), ref: 0042F0AA
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Resource$FindFreeLoadLockOpenQuerySizeofValue
      • String ID:
      • API String ID: 2385253180-0
      • Opcode ID: cdd1f54ee9f4e27d10dd4c839316856832945144a4a8e1506ee2a7b39a67df97
      • Instruction ID: 470452359d02959b2a82e493305dd9586f467a6c4a95ed9613e45acd33ea13c9
      • Opcode Fuzzy Hash: cdd1f54ee9f4e27d10dd4c839316856832945144a4a8e1506ee2a7b39a67df97
      • Instruction Fuzzy Hash: 70518070A00A16AFC700DF6AD581A59F7F4FF48314B90823AE408D3A41DB38F964CF99
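The two function entries above are the most useful API traces in this section for triage: the routine at 00408E19 resolves GetLongPathNameW at run time through GetModuleHandleW("kernel32.dll") and GetProcAddress, and the resource-loading routine's subcall 0042EE28 opens HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography (the 80000002 root handle and the 00020019 access mask, which is KEY_READ) and reads the MachineGuid value, a per-installation identifier commonly used to derive a host fingerprint. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses the report's "APIs" lines into structured records, decodes the registry root and access-mask constants, and emits reviewer-facing findings. The regex matches the rendering shown on this page (leading bullet, optional "Part of subcall function" prefix, trailing "ref:" address); SAMPLE is a constructed, abridged copy of lines from this section.

```python
import re

# Shape of one "APIs" line as rendered in this Joe Sandbox report
# (leading bullet, optional "Part of subcall function XXXXXXXX:" prefix):
#   • Api.MODULE(arg,arg,...), ref: 0041ADDR
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Za-z0-9_]+)\((?P<args>.*)\),"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Documented Win32 constants for the RegOpenKeyExW arguments seen on this
# page: predefined root handles and the KEY_READ access mask (0x20019).
HKEY_NAMES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}
KEY_READ = 0x20019

LOCALE_APIS = {"GetLocaleInfoW", "GetUserDefaultLCID",
               "EnumSystemLocalesW", "IsValidLocale"}


def parse_api_lines(text):
    """Return one dict per recognised API line; unrelated lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": m.group("ref"),
            "subcall": m.group("sub"),  # set when shown as "Part of subcall function"
        })
    return calls


def _hex(arg):
    """Joe Sandbox prints numeric arguments as bare hex; '?' means unknown."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def triage(calls):
    """Turn the raw call list into reviewer-facing findings (strings)."""
    findings = []
    opened_key = None
    for c in calls:
        api, args, ref = c["api"], c["args"], c["ref"]
        if api == "RegOpenKeyExW" and len(args) >= 4:
            root = HKEY_NAMES.get(_hex(args[0]), args[0])
            opened_key = root + "\\" + args[1]
            access = "KEY_READ" if _hex(args[3]) == KEY_READ else args[3]
            findings.append(f"registry open {opened_key} ({access}) at {ref}")
        elif api == "RegQueryValueExW" and len(args) >= 2:
            # MachineGuid read right after opening HKLM\SOFTWARE\Microsoft\Cryptography
            # is the classic way to obtain a stable per-host identifier.
            tag = "machine fingerprint: " if args[1] == "MachineGuid" else ""
            key = opened_key or "<unknown key>"
            findings.append(f"{tag}registry read {key}\\{args[1]} at {ref}")
        elif api == "GetProcAddress" and len(args) >= 2:
            # A named export resolved at run time is absent from the static import table.
            findings.append(f"dynamic import resolution of {args[1]} at {ref}")
        elif api in ("FindFirstFileW", "FindNextFileW"):
            findings.append(f"file enumeration via {api} at {ref}")
    n_locale = sum(1 for c in calls if c["api"] in LOCALE_APIS)
    if n_locale:
        findings.append(f"{n_locale} locale queries (language/region probing)")
    return findings


# Constructed sample: abridged API lines copied from the function entries on this page.
SAMPLE = r"""
• FindResourceW.KERNEL32(00400000,00000000,00000005,00000000,0042F0CD,?,?,0044EA78,00000000), ref: 0042EF77
  • Part of subcall function 0042EE28: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020019,?,00000000,00000000,0042EFAA), ref: 0042EE4E
  • Part of subcall function 0042EE28: RegQueryValueExW.ADVAPI32(?,MachineGuid,00000000,?,?,?,80000002,SOFTWARE\Microsoft\Cryptography), ref: 0042EE72
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 00408E19
• GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 00408E2A
• FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?), ref: 00408F2A
• GetUserDefaultLCID.KERNEL32(?,00000000,00000000,0042B736), ref: 0041AD47
• GetLocaleInfoW.KERNEL32(00000000,0000001E,?,00000010), ref: 0041AD54
Memory Dump Source
"""

if __name__ == "__main__":
    for finding in triage(parse_api_lines(SAMPLE)):
        print(finding)
```

Feed the whole "APIs" section of a report to parse_api_lines and the findings come out in call order, so a MachineGuid read is reported against the key opened just before it; the opened_key state is deliberately simple and would need per-function scoping if the subcall attribution matters for your review.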
      APIs
      • FindFirstFileW.KERNEL32(?,?,?,-00000002,?), ref: 0041DFAF
      • GetLastError.KERNEL32(00000000,00000000,?), ref: 0041E03C
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ErrorFileFindFirstLast
      • String ID:
      • API String ID: 873889042-0
      • Opcode ID: 321e58e50d224d908461dc322c33f5d91f1d2aba134d19e77d62c7b27265a804
      • Instruction ID: 9b6f964e2967cfbdc8d1c9e944728f8147227f1a32f4a99092c6dff2fd5d5bd1
      • Opcode Fuzzy Hash: 321e58e50d224d908461dc322c33f5d91f1d2aba134d19e77d62c7b27265a804
      • Instruction Fuzzy Hash: EB21CFB0A006019FCB10DF59EC41A9AB7A8EF8A324B204277E851D73D0D7389E92CF59
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: CurrentDirectory
      • String ID: 7$D
      • API String ID: 1611563598-1199756253
      • Opcode ID: 28b5e18778e08de363d5ec20efcdc89a5f214f6f8b26ad161a795e8ad2caf248
      • Instruction ID: 6395f369b4c9bed57b421ad016a0ac1f935084ab2fcf427628ce73a92fe48ba3
      • Opcode Fuzzy Hash: 28b5e18778e08de363d5ec20efcdc89a5f214f6f8b26ad161a795e8ad2caf248
      • Instruction Fuzzy Hash: 57C17EB0F002288BDB20DF65ECC179EB7B1AF45314F9141AAD509A7391D7789E85CF89
      APIs
      • FindFirstFileW.KERNEL32(?,?,00000001,?), ref: 0042963B
      • FindNextFileW.KERNEL32(00000000,00000010), ref: 004296CF
      • FindClose.KERNEL32(00000000,00000000,00000010), ref: 004296DD
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Find$File$CloseFirstNext
      • String ID:
      • API String ID: 3541575487-0
      • Opcode ID: e81c68514d29f13ef3f86a91459a3f1e69e1838139565904ca29f546a2ebf565
      • Instruction ID: 1acd9ca46e8cb24d59e6611a3c32c04d7b9f48139ab1ffd3041df7352441d4b9
      • Opcode Fuzzy Hash: e81c68514d29f13ef3f86a91459a3f1e69e1838139565904ca29f546a2ebf565
      • Instruction Fuzzy Hash: 3F415E72B00228ABCB11DF59DC81ADEB7F4EF48314F5440AAE818D7391E7789E81CB59
      APIs
      • IsValidLocale.KERNEL32(?,00000002,00000000,00408B05,?,?,?,00000000), ref: 00408A4A
      • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,00408B05,?,?,?,00000000), ref: 00408A66
      • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,00408B05,?,?,?,00000000), ref: 00408A77
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Locale$Info$Valid
      • String ID:
      • API String ID: 1826331170-0
      • Opcode ID: ea0965341c164747aa438cb65c92a4da53aa7ed2badfb8fde95bc0ee800d068d
      • Instruction ID: 21605bc2a06bad9cf0e6a23b166eedfa00832c6933dd506d79f96c7522ef7f53
      • Opcode Fuzzy Hash: ea0965341c164747aa438cb65c92a4da53aa7ed2badfb8fde95bc0ee800d068d
      • Instruction Fuzzy Hash: C131AF70A006089BDB20DF54DD91B9AB7B9EB44701F5101BBB548B32D1DA796E81CF19
      APIs
      • GetLocaleInfoW.KERNEL32(?,0000000F,<nA,00000002,0000002C,?,?,?,00416E3C), ref: 00416D43
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: InfoLocale
      • String ID: <nA
      • API String ID: 2299586839-680915657
      • Opcode ID: 481378556fd2f4782c63f6ed86e00509561caa7bea20dc1f1a79b27e466628ab
      • Instruction ID: f1cc9d58c34ec4fb3ce4063e72c3893b7a2999b89c5cee81e40c0823702babf8
      • Opcode Fuzzy Hash: 481378556fd2f4782c63f6ed86e00509561caa7bea20dc1f1a79b27e466628ab
      • Instruction Fuzzy Hash: 44D05EA630926026E210925B6D85EB756EDCBC5761F15443BBA8CC6252D224CC4A9276
      APIs
      • FindFirstFileW.KERNEL32(?,?,?,?,00000002,00000000,0041E870,?,00000000,00000104,?,?,00000104,?,?,0044EA78), ref: 0041E5B4
      • FindClose.KERNEL32(00000000,?,?,?,?,00000002,00000000,0041E870,?,00000000,00000104,?,?,00000104,?), ref: 0041E5C6
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Find$CloseFileFirst
      • String ID:
      • API String ID: 2295610775-0
      • Opcode ID: 9869e399d77d7b30a338f1604437d7397bbedae7ccf52aa5c9794f7ef9f463d6
      • Instruction ID: 83b49d14aa2d7e9fdfd1922beb8bd092bf31cc602ee9b2e420b4ef262ab7a866
      • Opcode Fuzzy Hash: 9869e399d77d7b30a338f1604437d7397bbedae7ccf52aa5c9794f7ef9f463d6
      • Instruction Fuzzy Hash: 63318236B052045BC7209A79CC857AF76D5AFD4354F98843EE889C7381EA7CDC89874A
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 60d5b8b05b4d134ca3bdec6ac7951fa84107f32b5f88050daf4d7dee5a02201d
      • Instruction ID: 48076cec15eccd35ecadb57d2a6182a26f6c9f014f6a7e5a8ac4b072b4e572cb
      • Opcode Fuzzy Hash: 60d5b8b05b4d134ca3bdec6ac7951fa84107f32b5f88050daf4d7dee5a02201d
      • Instruction Fuzzy Hash: 6633868AA4E7C10FE303477099656906F719F6726AF2F45EB80D9CF1E3E55C894AC322
      APIs
      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 004151F1
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: DiskFreeSpace
      • String ID:
      • API String ID: 1705453755-0
      • Opcode ID: 9041f734942ca57c5fb34a01f220f8073245e939ec68fc4f06e6ad66118583cb
      • Instruction ID: ff22b59d577313d6bbfba741a0fb47c02e5a205fe59c6f6de2aed158c3e01250
      • Opcode Fuzzy Hash: 9041f734942ca57c5fb34a01f220f8073245e939ec68fc4f06e6ad66118583cb
      • Instruction Fuzzy Hash: 8211C0B5E00209AFDB04CFA9C9819EFB7F9EFC8704B14C56AA505E7254E6319A018BA4
      APIs
      • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00416D02
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: InfoLocale
      • String ID:
      • API String ID: 2299586839-0
      • Opcode ID: 6c4f1e6aa9f658c76dcd92db1758fae387683ef62497e0b06259f29383213a92
      • Instruction ID: 2b9c1a6928095edd7dc05a64c72801690ba2a1fef3c258e55fc692f210e56574
      • Opcode Fuzzy Hash: 6c4f1e6aa9f658c76dcd92db1758fae387683ef62497e0b06259f29383213a92
      • Instruction Fuzzy Hash: 19E09272B0431817E310A5695C86AE7725C9B48300F00417FBA09E7383EEB4AD4446EA
      APIs
      • EnumSystemLocalesW.KERNEL32(00419864,00000002,?,?,00419DC5,004171B5,?,00000000,004171F6,?,?,?,00000000,00000000), ref: 00419A95
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: EnumLocalesSystem
      • String ID:
      • API String ID: 2099609381-0
      • Opcode ID: 5afc6ff0a8dce8195612bc0fed306c66ecd2644cfc92cbc385c39c888367258d
      • Instruction ID: a77c024cf322692a8c7cec17c1031f2e599c8aace297205cca6f58bce0ed0080
      • Opcode Fuzzy Hash: 5afc6ff0a8dce8195612bc0fed306c66ecd2644cfc92cbc385c39c888367258d
      • Instruction Fuzzy Hash: B9E0DF73740A9047C214B3AA0C43B9726059F41FE4F088037F8489B3C2DA3E0C5846EA
      APIs
      • GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000400,?,00419924,?,00000000,00419A31,?,?,?,00000000,00000000,?,0041987A), ref: 0041989B
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: InfoLocale
      • String ID:
      • API String ID: 2299586839-0
      • Opcode ID: 8108c8bf47c58d3f16ac2741031a2f31bd522cc2493eaf267972ee138a186f91
      • Instruction ID: ce83a26554a48b871db40be406feca0705ab7bfaaf3879aa63724075275dcd35
      • Opcode Fuzzy Hash: 8108c8bf47c58d3f16ac2741031a2f31bd522cc2493eaf267972ee138a186f91
      • Instruction Fuzzy Hash: 98D0A7D1B1420013E60456588C47B26219C9B84714F10443C7784973C1EE7D681592AF
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Version
      • String ID:
      • API String ID: 1889659487-0
      • Opcode ID: 4afc06809abf30ecdb7b7dd656bec85bab4b959a5939932278656d1409d05816
      • Instruction ID: 821697932f9ef1367aa0b374dc6900a18d16d9b4ba69b7de74dca3c6eaa235d0
      • Opcode Fuzzy Hash: 4afc06809abf30ecdb7b7dd656bec85bab4b959a5939932278656d1409d05816
      • Instruction Fuzzy Hash: 1DE0EC755043019FD304DF28D84258576E0B744711F40943DA898D3390E77DC951CB5A
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
      • Instruction ID: 73e49479f985fbd099593cfa7becaa53ebf3b11143f3f6311cb0a9223223b834
      • Opcode Fuzzy Hash: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
      • Instruction Fuzzy Hash: F401D632B017110B870CDD7ECD8952AB6C3ABD8A10F09C73E95C9D72C8DD318C1AC686
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ae0e43f82692c6785844f3e70bb209c8b319b1924ab6e756aa91dc1deac9637f
      • Instruction ID: ab32cd948f5cc0f986b103ed126492745cff1ff6344bafc82bdf97f524ea6183
      • Opcode Fuzzy Hash: ae0e43f82692c6785844f3e70bb209c8b319b1924ab6e756aa91dc1deac9637f
      • Instruction Fuzzy Hash: F4D0C9AAA2150217F766902958A0B631567E740315F75CC3AA409E5BC5E17ACCA09424
      APIs
      • GetProcessWindowStation.USER32(00000000,00425A18,?,?,00000000,00000000), ref: 0042561E
      • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,00000000,00425A18,?,?,00000000,00000000), ref: 00425630
      • GetCurrentThreadId.KERNEL32 ref: 00425635
      • GetThreadDesktop.USER32(00000000,00000000,00000002,00000000,00000000,?,00000000,00425A18,?,?,00000000,00000000), ref: 0042563B
      • GetUserObjectInformationW.USER32(?,00000002,00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?,00000000,00425A18,?,?,00000000), ref: 00425651
      • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00000002,00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?), ref: 0042568E
      • GetUserObjectInformationW.USER32(?,00000002,?,?,?,00000000,00000002,?,?,?,?,00000002,00000000,00000000,?,00000000), ref: 004256C6
      • CreateProcessW.KERNEL32(?,?,00000000,00000000,000000FF,00000000,00000000,0044E6EC,?,?,?,00000002,00000000,00000000,?,00000000), ref: 004256FB
      • GetLastError.KERNEL32(?,?,00000000,00000000,000000FF,00000000,00000000,0044E6EC,?,?,?,00000002,00000000,00000000,?,00000000), ref: 0042571A
      • ShellExecuteExW.SHELL32(?), ref: 004257A7
      • CloseHandle.KERNEL32(?,?,?,00000000,00000000,000000FF,00000000,00000000,0044E6EC,?,?,?,00000002,00000000,00000000,?), ref: 0042581F
      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,000000FF,00000000,00000000,0044E6EC,?,?,?,00000002,00000000), ref: 004259AD
        • Part of subcall function 0042DC78: WaitForSingleObject.KERNEL32(?,000000FF,?,00434960,00425267,?,?,?,?,0043AEC8,00000000,00000000,0042C55D), ref: 0042DC88
        • Part of subcall function 0042DC78: GetExitCodeProcess.KERNEL32(?), ref: 0042DC8F
        • Part of subcall function 0042DC78: fflush.MSVCRT ref: 0042DCA4
        • Part of subcall function 0042DC78: CloseHandle.KERNEL32(?,?,000000FF,?,00434960,00425267,?,?,?,?,0043AEC8,00000000,00000000,0042C55D), ref: 0042DCB6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Object$InformationUser$CloseHandleProcess$Thread$CodeCreateCurrentDesktopErrorExecuteExitLastShellSingleStationWaitWindowfflush
      • String ID: %01s$%08X$<$=ExitCode$=ExitCodeAscii$D$d$d$dIC$D
      • API String ID: 4162345748-4261697235
      • Opcode ID: da31e7b4ddab6ca53a2466cf879ea0ca870b1f0c12eac7a77019afc211a361d0
      • Instruction ID: 29cece55cede7e875dbd62b60b7ff0cfa83eaee8ee864221612e865b74dff63f
      • Opcode Fuzzy Hash: da31e7b4ddab6ca53a2466cf879ea0ca870b1f0c12eac7a77019afc211a361d0
      • Instruction Fuzzy Hash: F8D16071E002699FDB20DF69DC81B9EB7F4BB09314F9040A6E508E7391D7B89E81CB59
      APIs
      • RegOpenKeyW.ADVAPI32(00000000,Software\Microsoft\Command Processor), ref: 0042B931
      • RegQueryValueExW.ADVAPI32(?,DisableUNCCheck,00000000,?,?,00000040), ref: 0042B961
      • _wtol.MSVCRT ref: 0042B982
      • RegQueryValueExW.ADVAPI32(?,EnableExtensions,00000000,?,?,00000040,?,DisableUNCCheck,00000000,?,?,00000040), ref: 0042B9A4
      • _wtol.MSVCRT ref: 0042B9C5
      • RegQueryValueExW.ADVAPI32(?,DelayedExpansion,00000000,?,?,00000040,?,EnableExtensions,00000000,?,?,00000040,?,DisableUNCCheck,00000000,?), ref: 0042B9E7
      • _wtol.MSVCRT ref: 0042BA08
      • RegQueryValueExW.ADVAPI32(?,DefaultColor,00000000,?,?,00000040,?,DelayedExpansion,00000000,?,?,00000040,?,EnableExtensions,00000000,?), ref: 0042BA2A
      • wcstol.MSVCRT ref: 0042BA50
      • RegQueryValueExW.ADVAPI32(?,CompletionChar,00000000,?,?,00000040,?,DefaultColor,00000000,?,?,00000040,?,DelayedExpansion,00000000,?), ref: 0042BA71
      • wcstol.MSVCRT ref: 0042BA97
      • RegCloseKey.ADVAPI32(00000000,?,CompletionChar,00000000,?,?,00000040,?,DefaultColor,00000000,?,?,00000040,?,DelayedExpansion,00000000), ref: 0042BAA9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: QueryValue$_wtol$wcstol$CloseOpen
      • String ID: @$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$Software\Microsoft\Command Processor
      • API String ID: 2011142946-3045645619
      • Opcode ID: e366d2a4c4599984b5a91b1a498737ae439a1574c2842ad9554b40e7888031d2
      • Instruction ID: b568e245839fec098a9ff80b0fb22002d39e8b9061c6090bdb52f27f9316806c
      • Opcode Fuzzy Hash: e366d2a4c4599984b5a91b1a498737ae439a1574c2842ad9554b40e7888031d2
      • Instruction Fuzzy Hash: 8851E4B1605351AEDB20CB61AC42BA777ACDF91750F50182BF54097282E37CA994C7AF
      APIs
      • GetCurrentDirectoryW.KERNEL32(00000104,?,?,0044EA78,00000000,0041E916,0041F789,00000000,0042C3A2,00000000,00432828), ref: 0041E729
      • GetFullPathNameW.KERNEL32(00000000,00000104,?,?,00000104,?,?,0044EA78,00000000,0041E916,0041F789,00000000,0042C3A2,00000000,00432828), ref: 0041E7AD
      • GetLastError.KERNEL32(00000000,00000104,?,?,00000104,?,?,0044EA78,00000000,0041E916,0041F789,00000000,0042C3A2,00000000,00432828), ref: 0041E7B6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: CurrentDirectoryErrorFullLastNamePath
      • String ID: $:$:$:$=$D
      • API String ID: 1966084046-3320138216
      • Opcode ID: 2a70e21eb2caa05c3df6f490e1ec8f370a0d799ab3863714bc2f12419bd414c3
      • Instruction ID: a201bb975ddcc14929384874e46a04078e206f5854b688f416f7376d47ed11f7
      • Opcode Fuzzy Hash: 2a70e21eb2caa05c3df6f490e1ec8f370a0d799ab3863714bc2f12419bd414c3
      • Instruction Fuzzy Hash: 155180786043519AEB20FB2AC8456EB72E5AF91318F04882BF891C72D0E77CC8C5D75B
      APIs
      • InitializeCriticalSection.KERNEL32(0044E930,00000000,0042B88D,?,00000000), ref: 0042B613
        • Part of subcall function 0042C35C: EnterCriticalSection.KERNEL32(0044E930,0042B61D,0044E930,00000000,0042B88D,?,00000000), ref: 0042C361
        • Part of subcall function 0042C35C: LeaveCriticalSection.KERNEL32(0044E930,0044E930,0042B61D,0044E930,00000000,0042B88D,?,00000000), ref: 0042C372
      • SetConsoleCtrlHandler.KERNEL32(0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B624
        • Part of subcall function 0042E4A0: _get_osfhandle.MSVCRT ref: 0042E4B6
        • Part of subcall function 0042E4A0: SetConsoleMode.KERNEL32(00000000,00000000,00000000,004349C4,0042C5D4), ref: 0042E4BD
        • Part of subcall function 0042E4A0: _get_osfhandle.MSVCRT ref: 0042E4CA
        • Part of subcall function 0042E4A0: GetConsoleMode.KERNEL32(00000000,0044E924,00000000,00000000,00000000,004349C4,0042C5D4), ref: 0042E4D1
        • Part of subcall function 0042E4A0: _get_osfhandle.MSVCRT ref: 0042E4F8
        • Part of subcall function 0042E4A0: SetConsoleMode.KERNEL32(00000000,00000000,00000000,0044E924,00000000,00000000,00000000,004349C4,0042C5D4), ref: 0042E4FF
        • Part of subcall function 0042E4A0: _get_osfhandle.MSVCRT ref: 0042E50C
        • Part of subcall function 0042E4A0: GetConsoleMode.KERNEL32(00000000,0044E920,00000000,0044E924,00000000,00000000,00000000,004349C4,0042C5D4), ref: 0042E513
        • Part of subcall function 0042E4A0: _get_osfhandle.MSVCRT ref: 0042E54F
        • Part of subcall function 0042E4A0: SetConsoleMode.KERNEL32(00000000,00000000,00000000,0044E920,00000000,0044E924,00000000,00000000,00000000,004349C4,0042C5D4), ref: 0042E556
        • Part of subcall function 0042B8F4: RegOpenKeyW.ADVAPI32(00000000,Software\Microsoft\Command Processor), ref: 0042B931
        • Part of subcall function 0042B8F4: RegQueryValueExW.ADVAPI32(?,DisableUNCCheck,00000000,?,?,00000040), ref: 0042B961
        • Part of subcall function 0042B8F4: RegQueryValueExW.ADVAPI32(?,EnableExtensions,00000000,?,?,00000040,?,DisableUNCCheck,00000000,?,?,00000040), ref: 0042B9A4
        • Part of subcall function 0042B8F4: RegQueryValueExW.ADVAPI32(?,DelayedExpansion,00000000,?,?,00000040,?,EnableExtensions,00000000,?,?,00000040,?,DisableUNCCheck,00000000,?), ref: 0042B9E7
        • Part of subcall function 0042B8F4: RegQueryValueExW.ADVAPI32(?,DefaultColor,00000000,?,?,00000040,?,DelayedExpansion,00000000,?,?,00000040,?,EnableExtensions,00000000,?), ref: 0042BA2A
        • Part of subcall function 0042B8F4: RegQueryValueExW.ADVAPI32(?,CompletionChar,00000000,?,?,00000040,?,DefaultColor,00000000,?,?,00000040,?,DelayedExpansion,00000000,?), ref: 0042BA71
        • Part of subcall function 0041E4DC: GetCurrentDirectoryW.KERNEL32(00000104,00440F84), ref: 0041E4F0
        • Part of subcall function 0042C08C: VirtualQuery.KERNEL32(?,0042B5A8,0000001C,00000000,0042C292,?,00000000,00000000), ref: 0042C0D3
        • Part of subcall function 0042C08C: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,0042B5A8,0000001C,00000000,0042C292,?,00000000,00000000), ref: 0042C121
      • GetWindowsDirectoryW.KERNEL32(0044E6EC,00000105,00000000,?, /c ,?,0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B706
      • GetConsoleOutputCP.KERNEL32(?, /c ,?,0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B717
      • GetCPInfo.KERNEL32(00000000,0044E8F8,?, /c ,?,0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B72C
      • GetConsoleTitleW.KERNEL32(00000000,00000104,00000000,0044E8F8,?, /c ,?,0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B771
      • GetStdHandle.KERNEL32(000000F5,?,00000000,0044E8F8,?, /c ,?,0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B7AD
      • GetConsoleScreenBufferInfo.KERNEL32(00000000,000000F5,?,00000000,0044E8F8,?, /c ,?,0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B7B3
      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,IsDebuggerPresent,00000000,0044E8F8,?, /c ,?,0042B5A8,000000FF,0044E930,00000000,0042B88D,?,00000000), ref: 0042B852
        • Part of subcall function 00409B90: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00409BD5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Console$Query$ModeValue_get_osfhandle$CriticalSection$DirectoryHandleInfoModule$BufferCtrlCurrentEnterFileHandlerInitializeLeaveLoadNameOpenOutputScreenStringTitleVirtualWindows
      • String ID: /c $IsDebuggerPresent$KERNEL32.DLL$L`C$D
      • API String ID: 823238324-460285165
      • Opcode ID: f32365ca3bd5669f4518458bd4dfe1c12d6f026e60ef6a7e51fad7ba4fe90df8
      • Instruction ID: 4e79633e98e41082f364da831a232bd15b0c0c84a61507a755bf56309128a8ef
      • Opcode Fuzzy Hash: f32365ca3bd5669f4518458bd4dfe1c12d6f026e60ef6a7e51fad7ba4fe90df8
      • Instruction Fuzzy Hash: 0E6171B4A012149ADB00FBB6EC81A9D77B5FB48318F50453BF410A72E2DB7CA944CB9D
      APIs
      • CreateFileW.KERNEL32(?,80000000,0000000C,?,00000003,00000080,00000000), ref: 0042D903
      • CreateFileW.KERNEL32(?,80000000,0000000C,?,00000003,00000080,00000000,?,80000000,0000000C,?,00000003,00000080,00000000), ref: 0042D92B
      • GetLastError.KERNEL32(?,80000000,0000000C,?,00000003,00000080,00000000,?,80000000,0000000C,?,00000003,00000080,00000000), ref: 0042D937
      • CreateFileW.KERNEL32(?,80000000,0000000C,?,00000003,00000080,00000000), ref: 0042D974
      • GetLastError.KERNEL32(?,80000000,0000000C,?,00000003,00000080,00000000), ref: 0042D980
      • _open_osfhandle.MSVCRT ref: 0042D9A8
      • GetFileSize.KERNEL32(00000000,00000000), ref: 0042D9D0
      • SetFilePointer.KERNEL32(00000000,000000FF,?,00000002), ref: 0042D9F6
      • GetLastError.KERNEL32(00000000,000000FF,?,00000002), ref: 0042D9FD
      • _close.MSVCRT ref: 0042DA1B
      • ReadFile.KERNEL32(00000000,?,00000001,FFFFFFFF,00000000,00000000,000000FF,?,00000002), ref: 0042DA35
      • SetFilePointer.KERNEL32(00000000,00000000,?,00000002,00000000,?,00000001,FFFFFFFF,00000000,00000000,000000FF,?,00000002), ref: 0042DA50
      • SetFilePointer.KERNEL32(00000000,000000FF,?,00000002,00000000,?,00000001,FFFFFFFF,00000000,00000000,000000FF,?,00000002), ref: 0042DA6F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: File$CreateErrorLastPointer$ReadSize_close_open_osfhandle
      • String ID: con
      • API String ID: 2744256135-4257191772
      • Opcode ID: ec9d835b21950934a3650b5f3da288062123e11d27ac97da0ea3ec4a2d2ea18f
      • Instruction ID: a8aafa59e29608650fe8345e6a63883d94b5a5ac0ca1098a238f6131ccf085ac
      • Opcode Fuzzy Hash: ec9d835b21950934a3650b5f3da288062123e11d27ac97da0ea3ec4a2d2ea18f
      • Instruction Fuzzy Hash: 7851BEB1F09311AAE710EA78AC45F6B72D8AB84324F500B2AF5B1D72D1D7B8DC45835A
      APIs
      • GetStdHandle.KERNEL32(000000F5,00000000,0041D0BA), ref: 0041CF3A
      • GetConsoleMode.KERNEL32(?,?,000000F5,00000000,0041D0BA), ref: 0041CF4A
      • SetConsoleMode.KERNEL32(?,?,?,?,000000F5,00000000,0041D0BA), ref: 0041CF62
      • GetLastError.KERNEL32(?,?,?,?,000000F5,00000000,0041D0BA), ref: 0041CF67
      • GetStdHandle.KERNEL32(000000F6,?,?,000000F5,00000000,0041D0BA), ref: 0041CF6E
      • GetConsoleMode.KERNEL32(?,?,000000F6,?,?,000000F5,00000000,0041D0BA), ref: 0041CF7E
      • SetConsoleMode.KERNEL32(?,?,?,?,000000F6,?,?,000000F5,00000000,0041D0BA), ref: 0041CF9C
      • GetLastError.KERNEL32(?,?,?,?,000000F6,?,?,000000F5,00000000,0041D0BA), ref: 0041CFA1
      • SetConsoleMode.KERNEL32(?,?,?), ref: 0041D05D
      • SetConsoleMode.KERNEL32(?,?,?), ref: 0041D070
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ConsoleMode$ErrorHandleLast
      • String ID: $"$=
      • API String ID: 142029828-3137003337
      • Opcode ID: da357deb41f2922d347dda3b9a52cc711d37534b445ee3f9336ed38662cce3c8
      • Instruction ID: 865f3dcd195a89cb5a5abe06bd6b2739945314c5b8f0776bbe46b85f788f77bb
      • Opcode Fuzzy Hash: da357deb41f2922d347dda3b9a52cc711d37534b445ee3f9336ed38662cce3c8
      • Instruction Fuzzy Hash: 5F71A570E002159BDB20EB65CC807DEB7F5BF48318F1445A6E444A7282DB7D9E81CB9E
      APIs
      • RegEnumKeyW.ADVAPI32(?,00000000,?,0000020A), ref: 00426E7C
      • RegOpenKeyW.ADVAPI32(?,0000002E,?), ref: 00426EE2
      • RegQueryValueExW.ADVAPI32(?,004271C0,00000000,?,?,0000020A,?,0000002E,?), ref: 00426F1B
      • RegCloseKey.ADVAPI32(?,?,004271C0,00000000,?,?,0000020A,?,0000002E,?), ref: 00426F26
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: CloseEnumOpenQueryValue
      • String ID: %s=%s$%s\Shell\Open\Command$*** no open command defined ***$.$\Shell\Open\Command${
      • API String ID: 3984146545-2468193110
      • Opcode ID: dbdc2516c416aa1b04d10fe59cfcd294d76879acc1d09890d8bd9115ee25ff17
      • Instruction ID: 116559adae04dba84b3c08218e4b63129272dc625c466050257a41c5e68b908e
      • Opcode Fuzzy Hash: dbdc2516c416aa1b04d10fe59cfcd294d76879acc1d09890d8bd9115ee25ff17
      • Instruction Fuzzy Hash: D68145B5A042289ADB20DB55DC85BDDB7B8AF04304F9140EAEA08A7281D7785F94CF5E
      APIs
      • _get_osfhandle.MSVCRT ref: 0042E4B6
      • SetConsoleMode.KERNEL32(00000000,00000000,00000000,004349C4,0042C5D4), ref: 0042E4BD
      • _get_osfhandle.MSVCRT ref: 0042E4CA
      • GetConsoleMode.KERNEL32(00000000,0044E924,00000000,00000000,00000000,004349C4,0042C5D4), ref: 0042E4D1
      • _get_osfhandle.MSVCRT ref: 0042E4F8
      • SetConsoleMode.KERNEL32(00000000,00000000,00000000,0044E924,00000000,00000000,00000000,004349C4,0042C5D4), ref: 0042E4FF
      • _get_osfhandle.MSVCRT ref: 0042E50C
      • GetConsoleMode.KERNEL32(00000000,0044E920,00000000,0044E924,00000000,00000000,00000000,004349C4,0042C5D4), ref: 0042E513
      • _get_osfhandle.MSVCRT ref: 0042E54F
      • SetConsoleMode.KERNEL32(00000000,00000000,00000000,0044E920,00000000,0044E924,00000000,00000000,00000000,004349C4,0042C5D4), ref: 0042E556
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ConsoleMode_get_osfhandle
      • String ID: D$$D
      • API String ID: 1606018815-2300610124
      • Opcode ID: cc42cf222249ed1649b5cf6f63f395be8194c94dc6006fa1d82e3ac29f84e021
      • Instruction ID: f305ef07755de7834ef06ba784ebea511ee43af3d1da8f8aec9bac4f818cc33b
      • Opcode Fuzzy Hash: cc42cf222249ed1649b5cf6f63f395be8194c94dc6006fa1d82e3ac29f84e021
      • Instruction Fuzzy Hash: 02114F71714621AFE704EBD9EC86F5633A9EB88719F005166F400CF2A1D6B8EC508B6D
      APIs
      • GetStdHandle.KERNEL32(FFFFFFF5), ref: 0040456A
      • GetStdHandle.KERNEL32(000000F6), ref: 00404575
      • GetFileType.KERNEL32(00000000), ref: 0040458D
      • GetConsoleOutputCP.KERNEL32(00000000), ref: 0040459F
      • GetConsoleCP.KERNEL32(00000000), ref: 004045B0
      • GetFileType.KERNEL32(00000000), ref: 004046FB
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ConsoleFileHandleType$Output
      • String ID:
      • API String ID: 393880136-0
      • Opcode ID: 0e3193d4c0489fb8fe930c9f6cb2be9426119d284c09d2d911fd307d3aa1ad49
      • Instruction ID: 44818e351155a583358b238547e797e5d0553b54459bbe2914d2e11aea70f6f1
      • Opcode Fuzzy Hash: 0e3193d4c0489fb8fe930c9f6cb2be9426119d284c09d2d911fd307d3aa1ad49
      • Instruction Fuzzy Hash: 885161E0500200AADF20EF6589887273694AFC6314F158A7BEB15BF2D6E77DC841976E
      APIs
      • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00409F34
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ExceptionRaise
      • String ID: (<C$H<C
      • API String ID: 3997070919-3224027150
      • Opcode ID: 076dbe915f91956be400e8e65fdf05f96802e6b4a5d50a34f0ccc415e07fbb36
      • Instruction ID: 1ee168f13e44fd747450b25795412b987f935942c6365d45b43deeebd993f223
      • Opcode Fuzzy Hash: 076dbe915f91956be400e8e65fdf05f96802e6b4a5d50a34f0ccc415e07fbb36
      • Instruction Fuzzy Hash: 44A18D72A003099FDB11DFA9D880BEEB7B5BF48300F14953AE505BB391DB78A944CB59
      APIs
        • Part of subcall function 00406158: GetTickCount.KERNEL32 ref: 0040618F
        • Part of subcall function 00406158: GetTickCount.KERNEL32 ref: 004061A7
        • Part of subcall function 00416CE4: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00416D02
      • GetThreadLocale.KERNEL32(00000000,00000004), ref: 004175FB
      • EnumCalendarInfoW.KERNEL32(0041744C,00000000,00000000,00000004), ref: 00417606
      • GetThreadLocale.KERNEL32(00000000,00000003,0041744C,00000000,00000000,00000004), ref: 00417636
      • EnumCalendarInfoW.KERNEL32(004174D8,00000000,00000000,00000003,0041744C,00000000,00000000,00000004), ref: 00417641
      • GetThreadLocale.KERNEL32(00000000,00000004), ref: 004176D2
      • EnumCalendarInfoW.KERNEL32(0041744C,00000000,00000000,00000004), ref: 004176DD
      • GetThreadLocale.KERNEL32(00000000,00000003,0041744C,00000000,00000000,00000004), ref: 0041770F
      • EnumCalendarInfoW.KERNEL32(004174D8,00000000,00000000,00000003,0041744C,00000000,00000000,00000004), ref: 0041771A
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: InfoLocale$CalendarEnumThread$CountTick
      • String ID: 8AA$B.C.$pBA
      • API String ID: 1601775584-1801559493
      • Opcode ID: db743d50ddc811bb4b19ec784315abac5a425741be62414b27879390e3c3a899
      • Instruction ID: f779f405f7bf5c115b4640ed699a02e87b66550376314941ef65ff2446fb59c1
      • Opcode Fuzzy Hash: db743d50ddc811bb4b19ec784315abac5a425741be62414b27879390e3c3a899
      • Instruction Fuzzy Hash: 6B51E4706043009FC751EB69DD82AEA77B5EB94314F11817EF810AB3E2CB38AD418B9D
      APIs
      • VirtualQuery.KERNEL32(?,0042B5A8,0000001C,00000000,0042C292,?,00000000,00000000), ref: 0042C0D3
      • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,0042B5A8,0000001C,00000000,0042C292,?,00000000,00000000), ref: 0042C121
        • Part of subcall function 00409B90: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00409BD5
        • Part of subcall function 0042C398: ExitProcess.KERNEL32(00000000,00000000,00432828), ref: 0042C3B1
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ExitFileLoadModuleNameProcessQueryStringVirtual
      • String ID: $P$G$.COM;.EXE;.BAT;.CMD$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE$\CMD.EXE
      • API String ID: 3132779286-2718134287
      • Opcode ID: 378fedc8eb04913ae9282e370df604eca6602215c14efdda8b876530ccaa9b6e
      • Instruction ID: c6f3d75e003e591319e080799ca882cd3471f38fa8cddb2bbb44a27153a8f319
      • Opcode Fuzzy Hash: 378fedc8eb04913ae9282e370df604eca6602215c14efdda8b876530ccaa9b6e
      • Instruction Fuzzy Hash: 485161747002158FD700EBAAECC269E73A4EB89354B90957BE800DB352DB7CDC418BAD
      APIs
      • GetEnvironmentVariableW.KERNEL32(?,00440F84,00002001,00000000,00000000,00000000,0042D52C,00000000,0042D5ED,?,0043AEC8,00000000,?,?,00428180,00000000), ref: 0041C4CB
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: EnvironmentVariable
      • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$RANDOM$TIME
      • API String ID: 1431749950-3577079365
      • Opcode ID: aa02ba526aba6a2cb1b7ceeda021806e895254bdce99554e738f717af2fcf0ea
      • Instruction ID: c5e49d4f8323c7dcc25afabd03bc36df13bddd75a41424c8c249d721635f5fa0
      • Opcode Fuzzy Hash: aa02ba526aba6a2cb1b7ceeda021806e895254bdce99554e738f717af2fcf0ea
      • Instruction Fuzzy Hash: 1231B170B8066572E720227B5DC27DB124A9BD0794F14903BBC06EB387E6ACDCC2439E
      APIs
      • GetStdHandle.KERNEL32(000000F5), ref: 0042DFC6
      • GetConsoleMode.KERNEL32(?,?,000000F5), ref: 0042DFD9
      • SetConsoleMode.KERNEL32(?,?,?,?,000000F5), ref: 0042DFF4
      • GetLastError.KERNEL32(?,?,?,?,000000F5), ref: 0042DFF9
      • GetStdHandle.KERNEL32(000000F6,?,?,000000F5), ref: 0042E000
      • GetConsoleMode.KERNEL32(?,?,000000F6,?,?,000000F5), ref: 0042E013
      • SetConsoleMode.KERNEL32(?,?,?,?,000000F6,?,?,000000F5), ref: 0042E038
      • GetLastError.KERNEL32(?,?,?,?,000000F6,?,?,000000F5), ref: 0042E03D
      • GetStdHandle.KERNEL32(000000F6,000000FF,?,?,000000F6,?,?,000000F5), ref: 0042E096
      • FlushConsoleInputBuffer.KERNEL32(00000000,000000F6,000000FF,?,?,000000F6,?,?,000000F5), ref: 0042E09C
      • SetConsoleMode.KERNEL32(?,?,?,?,000000F6,?,?,000000F5), ref: 0042E16B
      • SetConsoleMode.KERNEL32(?,?,?,?,000000F6,?,?,000000F5), ref: 0042E181
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Console$Mode$Handle$ErrorLast$BufferFlushInput
      • String ID:
      • API String ID: 589625271-0
      • Opcode ID: 438c3773d31c425142d0acd2361cc7c0041ad1dbebca37dd8401495308a48b39
      • Instruction ID: b62f991822aacebff3112e291d8033601b920fb396382c85d7fae18f17ef378a
      • Opcode Fuzzy Hash: 438c3773d31c425142d0acd2361cc7c0041ad1dbebca37dd8401495308a48b39
      • Instruction Fuzzy Hash: AA51D0716083609ACB20DF2AD845B6B77E4BF85328F484A2FF894972D1D778C945C71B
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: CriticalSection$EnterEnvironmentLeaveLoadStringVariable
      • String ID: $$%.*s$%s $%s>$+++++++++++++++++++++++++++++++++$PROMPT$Unknown$hIC$D
      • API String ID: 3837321750-545324147
      • Opcode ID: 4e1d57c0f2c874a2a788936fd0359a5a04647f1ce96b68dc4d6d7b7391cd29d2
      • Instruction ID: 883c0385007684d30356b67a48d011197ac73531404de27a67a391f6c1155b98
      • Opcode Fuzzy Hash: 4e1d57c0f2c874a2a788936fd0359a5a04647f1ce96b68dc4d6d7b7391cd29d2
      • Instruction Fuzzy Hash: 62F11930E00218EFCB50DBA9D995B9DB7F0EF48310F5480A6E415E7292D778AE81CF59
      APIs
      • SetErrorMode.KERNEL32(00000000,00000000,0042D31D,?,?,?,?), ref: 0042CFE0
      • SetErrorMode.KERNEL32(?,00000000,00000000,00000000,0042D31D,?,?,?,?), ref: 0042D0CA
      • GetFileAttributesW.KERNEL32(0043498C,00000000,0042D31D,?,?,?,?), ref: 0042D169
      • GetLastError.KERNEL32(0043498C,00000000,0042D31D,?,?,?,?), ref: 0042D180
      • GetFileAttributesW.KERNEL32(00434988,00000000,0042D31D,?,?,?,?), ref: 0042D1BF
      • GetLastError.KERNEL32(00434988,00000000,0042D31D,?,?,?,?), ref: 0042D1D6
      • GetFileAttributesW.KERNEL32(00434984,00000000,0042D31D,?,?,?,?), ref: 0042D1F7
        • Part of subcall function 0041E3BC: _get_osfhandle.MSVCRT ref: 0041E3C2
        • Part of subcall function 0041E3BC: GetFileType.KERNEL32(00000000,?,00000000,00000000,0041ECC8,?,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000), ref: 0041E3CB
        • Part of subcall function 0041E3BC: GetConsoleMode.KERNEL32(00000000,?,000000F6,00000000,?,00000000,00000000,0041ECC8,?,?,?,00000000,0041ED55,?,00440F84,00000000), ref: 0041E407
      • GetLastError.KERNEL32(00434984,00000000,0042D31D,?,?,?,?), ref: 0042D20E
        • Part of subcall function 0041E450: _get_osfhandle.MSVCRT ref: 0041E454
        • Part of subcall function 0041E450: GetFileType.KERNEL32(00000000,00000000,0041ECF4,?,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E45B
        • Part of subcall function 00409B90: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00409BD5
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ErrorFile$AttributesLastMode$Type_get_osfhandle$ConsoleLoadString
      • String ID: :\*$\
      • API String ID: 3917490256-2060159975
      • Opcode ID: e0aba001a1734eff74b5f0870aaec981b43b90093d8db2693008d2f189d9164b
      • Instruction ID: 8676db7fcce67f9e7c17ae9da64bc12e3ed9348eebe21c3817a212eeca1f1944
      • Opcode Fuzzy Hash: e0aba001a1734eff74b5f0870aaec981b43b90093d8db2693008d2f189d9164b
      • Instruction Fuzzy Hash: 6AB18170F00615CFDB20EFA9E88179A73F0AF49318F90856AE450973A5E779DC42CB69
      APIs
      • IsValidLocale.KERNEL32(?,00000001,00000000,0041704B,?,?,?,?,00000000,00000000), ref: 00416D83
      • GetThreadLocale.KERNEL32(?,00000001,00000000,0041704B,?,?,?,?,00000000,00000000), ref: 00416D8C
        • Part of subcall function 00416D30: GetLocaleInfoW.KERNEL32(?,0000000F,<nA,00000002,0000002C,?,?,?,00416E3C), ref: 00416D43
        • Part of subcall function 00416CE4: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00416D02
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Locale$Info$ThreadValid
      • String ID: AMPM$2$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy$pBA
      • API String ID: 233154393-1309873074
      • Opcode ID: 9fe86e8d231827b89954bae2f4a73363bf767d3e158fae614fceef9cd323ec1f
      • Instruction ID: ae2340563471d082460ba2b478ea8b8b299e0bf9addc3d726e6e7ff642e47639
      • Opcode Fuzzy Hash: 9fe86e8d231827b89954bae2f4a73363bf767d3e158fae614fceef9cd323ec1f
      • Instruction Fuzzy Hash: B47132707041085BDB01EB65D841ADF76B6EF88704F51807BF504AB386DA3DDA46C7A9
      APIs
      • GetFullPathNameW.KERNEL32(?,00000800,0043DE14,?,00000000,0041F1C8), ref: 0041EFB6
      • GetLastError.KERNEL32(000000FF,?,00000800,0043DE14,?,00000000,0041F1C8), ref: 0041EFC1
        • Part of subcall function 0042DE0C: GetDriveTypeW.KERNEL32 ref: 0042DE29
      • CreateDirectoryW.KERNEL32(?,00000000,?,00000800,0043DE14,?,00000000,0041F1C8), ref: 0041EFE8
      • GetLastError.KERNEL32(?,00000000,?,00000800,0043DE14,?,00000000,0041F1C8), ref: 0041EFF5
        • Part of subcall function 00409B90: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00409BD5
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ErrorLast$CreateDirectoryDriveFullLoadNamePathStringType
      • String ID: :$\
      • API String ID: 3155896459-1166558509
      • Opcode ID: d475d4f3deb5f9b6467045b0e950e967c7d80e3c0a897bc957d6c898a5ab2ce1
      • Instruction ID: 5f8715485b1821dd9e71d7c95c07ccd0ccd496caa82c902b5291760976a09a66
      • Opcode Fuzzy Hash: d475d4f3deb5f9b6467045b0e950e967c7d80e3c0a897bc957d6c898a5ab2ce1
      • Instruction Fuzzy Hash: 3671A274E00204EBDB10EF95C981AEEB7F1EF58314F5081BAE404A7291E77C9E8AD759
      APIs
      • MessageBoxA.USER32(00000000,?,004024DC,00002010), ref: 00403C84
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Message
      • String ID: $7$@$@$TjC$TjC$h$@$j0C
      • API String ID: 2030045667-870653932
      • Opcode ID: 3865173792abf774d962e86b543473beabf32d9ea3fb5edf836efcdce3cb461e
      • Instruction ID: 70882ba3cec9f805b14261335af8e53c6eefcb66acd924a6baa1ca9ca47d01dc
      • Opcode Fuzzy Hash: 3865173792abf774d962e86b543473beabf32d9ea3fb5edf836efcdce3cb461e
      • Instruction Fuzzy Hash: 40B17830B042548BDB21EF2DC880B997BF8AB09705F1451F6E449EB387DB789E85CB59
      APIs
      • GetVolumeInformationW.KERNEL32(00000020,?,00000200,?,?,?,00000000,00000000,00000000,00422FB9), ref: 00422D7C
      • GetLastError.KERNEL32(00000020,?,00000200,?,?,?,00000000,00000000,00000000,00422FB9), ref: 00422D9E
      • GetLastError.KERNEL32(000000FF,00000020,?,00000200,?,?,?,00000000,00000000,00000000,00422FB9), ref: 00422DD1
        • Part of subcall function 0041EBE0: _get_osfhandle.MSVCRT ref: 0041EC50
        • Part of subcall function 0041EBE0: WriteConsoleW.KERNEL32(00000000,0043AEC8,00000000,?,00000000,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000,00000000), ref: 0041EC57
        • Part of subcall function 0041EBE0: GetLastError.KERNEL32(00000000,0043AEC8,00000000,?,00000000,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000,00000000), ref: 0041EC66
        • Part of subcall function 0041EBE0: GetLastError.KERNEL32(?,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000,00000000,00000000,?,0041BCE1,00000000), ref: 0041ECA9
        • Part of subcall function 00409B90: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00409BD5
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ErrorLast$ConsoleInformationLoadStringVolumeWrite_get_osfhandle
      • String ID: $%0.4X-%0.4X$:$\$D
      • API String ID: 3192398648-954999098
      • Opcode ID: 3b968ef8a7dc9ef9144539650c664523049d8260251d66a9b7497a9a0391377a
      • Instruction ID: e2d4084d0e5931fd1a20d6d2d95e0c62f8f5af0845b4235fdc188e1e617b3777
      • Opcode Fuzzy Hash: 3b968ef8a7dc9ef9144539650c664523049d8260251d66a9b7497a9a0391377a
      • Instruction Fuzzy Hash: 22919430A102289BCB26DB25DD817DDB3F9AF45314F9041EAE408AB2D5D7B86F85CF49
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID: $7$@$@$TjC$TjC$h$@$j0C
      • API String ID: 0-870653932
      • Opcode ID: 9634f1cfca89adc7cdb218cedbe1645155aa5edda4f342eb7045ed18cbfa3a2a
      • Instruction ID: f5476afb3b956266bac58d5710667e828f49a60b966df5c0ed2e6b75f59184a9
      • Opcode Fuzzy Hash: 9634f1cfca89adc7cdb218cedbe1645155aa5edda4f342eb7045ed18cbfa3a2a
      • Instruction Fuzzy Hash: 8C819430B042548FDB21EF2DC884B99BBF8AB09705F1451F6E448E7386DB789A85CB59
      APIs
      • RegOpenKeyW.ADVAPI32(?,?,?), ref: 00427274
      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,02000000,00000000,?,?,?,?,?), ref: 00427317
      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,00000000,02000000,00000000,?,?,?,?,?), ref: 00427377
        • Part of subcall function 00409B90: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00409BD5
      • RegDeleteKeyW.ADVAPI32(?,00000000), ref: 00427396
      • RegSetValueExW.ADVAPI32(?,004274EC,00000000,00000002,00000000,00000001,?,?,?), ref: 004273FF
      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?), ref: 0042747D
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Close$CreateDeleteLoadOpenStringValue
      • String ID: %s=%s$%s\Shell\Open\Command
      • API String ID: 1799281012-1013525187
      • Opcode ID: 43e74d0b0a1c9e6f6be711a04ce70c4a0f0f3c3539546040015a37e19b3fb71b
      • Instruction ID: 9c63a30ad6edb18036cc17ca58e6e95f7b7a22c75c83e8365899d70be6a1fa2a
      • Opcode Fuzzy Hash: 43e74d0b0a1c9e6f6be711a04ce70c4a0f0f3c3539546040015a37e19b3fb71b
      • Instruction Fuzzy Hash: B1711175E042289BDB10DB95DC89B9EB7B5FB48300F5041DAE808A7291D77C5F84CF69
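Added worked example (editor's code, not Joe Sandbox code and not part of the analysed sample): a small parser for the IDA-plugin function records shown on this page, turning the "• Name.MODULE(args), ref: ADDR" lines, the "Part of subcall function" lines and the "String ID" field into records that can be triaged in bulk. The embedded report excerpt is constructed from lines of this report (the registry record above, the GetEnvironmentVariableW record and one console-mode record, trimmed to the fields the parser reads). The two flag rules in triage(), a registry write whose strings reference Shell\Open\Command and a GetEnvironmentVariableW lookup of cmd-style variable names, are the editor's heuristics for what deserves a second look, not sandbox signatures.

```python
"""Parse Joe Sandbox "IDA Plugin" function records and triage their API footprint.

Added example for this report page; not Joe Sandbox code. SAMPLE_REPORT below is
constructed from lines of the report itself, trimmed to what the parser reads.
The rules in triage() are the editor's heuristics, not sandbox signatures.
"""
import re
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR: " for calls inherited from a callee.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*(?:ref: (?P<ref>[0-9A-F]{8}))?\s*$"
)
# "• Key: value" lines of the Similarity / Memory Dump Source sections.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

# Heuristic rule inputs (editor's assumptions, not report data).
REGISTRY_WRITERS = {"RegSetValueExW", "RegSetValueExA", "RegCreateKeyExW", "RegCreateKeyExA"}
INTERPRETER_VARS = {"COMSPEC", "PATHEXT", "PROMPT", "CMDCMDLINE", "CMDEXTVERSION", "ERRORLEVEL"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # dicts: name, module, args, ref, caller
    strings: list = field(default_factory=list)  # referenced strings from "String ID"
    fields: dict = field(default_factory=dict)   # every other "• Key: value" line

    def api_names(self):
        return {a["name"] for a in self.apis}

    def direct_api_names(self):
        # Calls the function makes itself, not ones inherited from a subcall.
        return {a["name"] for a in self.apis if a["caller"] is None}


def split_string_id(value):
    # Joe Sandbox joins the referenced strings with '$'. A literal '$' inside a
    # string (the PROMPT default "$P$G" on this page, for instance) cannot be
    # told apart from the separator, so treat the pieces as hints only.
    return [s for s in value.split("$") if s]


def parse_records(text):
    """Split report text into records; a record ends at its Instruction Fuzzy Hash."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append(m.groupdict())
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                  # section headings such as "APIs" / "Similarity"
        key, val = m.group("key"), m.group("val")
        if key == "String ID":
            cur.strings = split_string_id(val)
        else:
            cur.fields[key] = val
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    if cur.apis or cur.fields:        # keep a record cut off by page truncation
        records.append(cur)
    return records


def triage(rec):
    """Return finding tags for one record; an empty list means nothing flagged."""
    names, strings = rec.api_names(), set(rec.strings)
    findings = []
    if names & REGISTRY_WRITERS and any("shell\\open\\command" in s.lower() for s in strings):
        # HKCR\<progid>\Shell\Open\Command is the per-file-type handler that
        # cmd's ftype writes; a write there is worth a look whatever the sample is.
        findings.append("registry: writes Shell\\Open\\Command (file-association handler)")
    hit = INTERPRETER_VARS & strings
    if "GetEnvironmentVariableW" in names and hit:
        findings.append("env: resolves cmd-style variables " + ",".join(sorted(hit)))
    return findings


def summarize(text):
    """(API ID, findings) for each record, in report order."""
    return [(r.fields.get("API ID", ""), triage(r)) for r in parse_records(text)]


# Constructed excerpt, assembled from this report's own lines.
SAMPLE_REPORT = """
APIs
• RegOpenKeyW.ADVAPI32(?,?,?), ref: 00427274
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,02000000,00000000,?,?,?,?,?), ref: 00427317
  • Part of subcall function 00409B90: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00409BD5
• RegDeleteKeyW.ADVAPI32(?,00000000), ref: 00427396
• RegSetValueExW.ADVAPI32(?,004274EC,00000000,00000002,00000000,00000001,?,?,?), ref: 004273FF
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?), ref: 0042747D
Similarity
• API ID: Close$CreateDeleteLoadOpenStringValue
• String ID: %s=%s$%s\\Shell\\Open\\Command
• Instruction Fuzzy Hash: B1711175E042289BDB10DB95DC89B9EB7B5FB48300F5041DAE808A7291D77C5F84CF69
APIs
• GetEnvironmentVariableW.KERNEL32(?,00440F84,00002001,00000000,00000000,00000000,0042D52C,00000000), ref: 0041C4CB
Similarity
• API ID: EnvironmentVariable
• String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$RANDOM$TIME
• Instruction Fuzzy Hash: 1231B170B8066572E720227B5DC27DB124A9BD0794F14903BBC06EB387E6ACDCC2439E
APIs
• GetStdHandle.KERNEL32(000000F5), ref: 0042DFC6
• SetConsoleMode.KERNEL32(?,?,?,?,000000F5), ref: 0042DFF4
• FlushConsoleInputBuffer.KERNEL32(00000000,000000F6,000000FF,?,?,000000F6,?,?,000000F5), ref: 0042E09C
Similarity
• API ID: Console$Mode$Handle$ErrorLast$BufferFlushInput
• String ID:
• Instruction Fuzzy Hash: AA51D0716083609ACB20DF2AD845B6B77E4BF85328F484A2FF894972D1D778C945C71B
"""

if __name__ == "__main__":
    for api_id, findings in summarize(SAMPLE_REPORT):
        print(f"{api_id or '(none)'}: {findings or 'nothing flagged'}")
```

Run it against a saved copy of the whole report instead of SAMPLE_REPORT to get one line per function. Calls inherited through "Part of subcall function" are kept but marked with their caller, so a rule can insist on a direct call when it matters; and because the report's "String ID" field separates strings with the same character that cmd-style prompt strings contain, a hit on a string boundary should be confirmed against the disassembly before it is written up.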
      APIs
        • Part of subcall function 0041C4B8: GetEnvironmentVariableW.KERNEL32(?,00440F84,00002001,00000000,00000000,00000000,0042D52C,00000000,0042D5ED,?,0043AEC8,00000000,?,?,00428180,00000000), ref: 0041C4CB
      • SetCurrentDirectoryW.KERNEL32(00000000,00000000,0042D5ED,?,0043AEC8,00000000,?,?,00428180,00000000,00000000,00428119), ref: 0042D533
      • SetErrorMode.KERNEL32(00000001,00000000,0042D5ED,?,0043AEC8,00000000,?,?,00428180,00000000,00000000,00428119), ref: 0042D54C
      • SetCurrentDirectoryW.KERNEL32(?,00000000,0042D5ED,?,0043AEC8,00000000,?,?,00428180,00000000,00000000,00428119), ref: 0042D590
      • SetErrorMode.KERNEL32(00000000,?,00000000,0042D5ED,?,0043AEC8,00000000,?,?,00428180,00000000,00000000,00428119), ref: 0042D5C3
      Strings
      Similarity
      • API ID: CurrentDirectoryErrorMode$EnvironmentVariable
      • String ID: :$=$\$D
      • API String ID: 1902915753-4086321335
      • Opcode ID: c84258a3773b430e6ba999c71d2aa19d1b98ac79dbb9b191f04c105e3f7fbf05
      • Instruction ID: d5cb7de9750c05d6a24e2ac071ac77ede12de5704f6aad5faa042bac199d095e
      • Opcode Fuzzy Hash: c84258a3773b430e6ba999c71d2aa19d1b98ac79dbb9b191f04c105e3f7fbf05
      • Instruction Fuzzy Hash: C1218734D4022C9ADB11EF65DC456DEB3B4EF54708F5081ABE804A7250E7784F85CB99
      APIs
      • GetLocalTime.KERNEL32(?,?,000000FF,00000000,0041C032,?,?,?,?), ref: 0041BF46
        • Part of subcall function 00409B90: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00409BD5
      • GetLastError.KERNEL32(?,?,000000FF,00000000,0041C032,?,?,?,?), ref: 0041BF8F
      • GetLastError.KERNEL32(000000FF,?,?,000000FF,00000000,0041C032,?,?,?,?), ref: 0041BF9D
      Strings
      Similarity
      • API ID: ErrorLast$LoadLocalStringTime
      • String ID: %.2d%s%0.2d%s$%s$.$:
      • API String ID: 2097227092-2097317611
      • Opcode ID: 572cb3da4348d12fe114bbc9acc3fcb2a98db5148e49d3e19b5225238afd6654
      • Instruction ID: 0d642e9cdfeddb0e002c2ee26661f49aa49ec77cac97d5663e1e43f25fd6ecb9
      • Opcode Fuzzy Hash: 572cb3da4348d12fe114bbc9acc3fcb2a98db5148e49d3e19b5225238afd6654
      • Instruction Fuzzy Hash: 88814D30914208DBCB24DBA5D8816DDB7F1FF05318F60453BE511A7292E7B899C6CB8D
      APIs
      • WNetAddConnection2W.MPR(?,00000000,00000000,00000000), ref: 0041F646
      Strings
      Similarity
      • API ID: Connection2
      • String ID: :$:$A$\$\$D
      • API String ID: 951124676-1323042167
      • Opcode ID: e914f0622c5744d1859c830ce3f5db66f3a9537acc603cc0c3237f7d7d033627
      • Instruction ID: de6903be853d0e93713632dca1f23a446e42e65ae98195daa72b8d6ba732463c
      • Opcode Fuzzy Hash: e914f0622c5744d1859c830ce3f5db66f3a9537acc603cc0c3237f7d7d033627
      • Instruction Fuzzy Hash: EA51BD30A04604CFCB15DF65C880B9AB7F1EF59304F01D076E8049B3A6E779988ACB6D
      APIs
      • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00406D7D,?,?,?,?,00406E92,0040401B,00404062,?,00000000), ref: 00406CFD
      • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00406D7D,?,?,?,?,00406E92,0040401B,00404062,?), ref: 00406D03
      • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00406D7D,?,?,?), ref: 00406D1E
      • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00406D7D), ref: 00406D24
      • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00406D42
      Strings
      Similarity
      • API ID: FileHandleWrite$Message
      • String ID: Error$Runtime error at 00000000
      • API String ID: 1570097196-2970929446
      • Opcode ID: eecde37390cf18eeda7ac79a75cdfe9e86cdc58b2b1ae6d9a14d2b40840ab541
      • Instruction ID: 8d232dfbb4434259f94e32261e0cdce2704fc8c62347cff489187cca3be3a9f4
      • Opcode Fuzzy Hash: eecde37390cf18eeda7ac79a75cdfe9e86cdc58b2b1ae6d9a14d2b40840ab541
      • Instruction Fuzzy Hash: 13F0F6B078834575F611B7A45D0AF5A225CDF08F16F21957BBA50B90D2C7FC98C4922E
      APIs
      • Sleep.KERNEL32(00000000,?,?,00000000,00402A98), ref: 00402EBE
      • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00402A98), ref: 00402ED8
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 861abcb8f46a6eb64ff94c89fb904ba08e9bc9a138af66715ca9642c7f326342
      • Instruction ID: 4bfebdeae85c00683b5610abe5ea885f333ee3dbc8b623835842db8a6bbcc228
      • Opcode Fuzzy Hash: 861abcb8f46a6eb64ff94c89fb904ba08e9bc9a138af66715ca9642c7f326342
      • Instruction Fuzzy Hash: AC71E1716042019BE715DB29CA89B17BBE0AB85314F14C2BFE844AB3E2D6F88845C799
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5ccb220493a30a118f36d08614cbabc300c0a4fc2c6b366e5b05fe71cc2a2771
      • Instruction ID: 2a671d29592211b5fbf572d6eb98111a1a3df8bc4f9b39c3c733f7aeb79d3fcb
      • Opcode Fuzzy Hash: 5ccb220493a30a118f36d08614cbabc300c0a4fc2c6b366e5b05fe71cc2a2771
      • Instruction Fuzzy Hash: DBC136727102010BD724AE7D9E8836EB7859BC9322F18867FE104EB3D6DABCCD458358
      APIs
        • Part of subcall function 0042C35C: EnterCriticalSection.KERNEL32(0044E930,0042B61D,0044E930,00000000,0042B88D,?,00000000), ref: 0042C361
        • Part of subcall function 0042C35C: LeaveCriticalSection.KERNEL32(0044E930,0044E930,0042B61D,0044E930,00000000,0042B88D,?,00000000), ref: 0042C372
      • GetLastError.KERNEL32(00000000,00000008,00000000,0042026D,?,?), ref: 0041FEBA
        • Part of subcall function 0042B37C: _get_osfhandle.MSVCRT ref: 0042B38B
        • Part of subcall function 0042B37C: GetStdHandle.KERNEL32(000000F5,?,00444F94,00000000), ref: 0042B396
        • Part of subcall function 0042B37C: _get_osfhandle.MSVCRT ref: 0042B3A4
        • Part of subcall function 0042B37C: GetConsoleScreenBufferInfo.KERNEL32(00000000,?,000000F5,?,00444F94,00000000), ref: 0042B3C6
        • Part of subcall function 0042B37C: ReadConsoleW.KERNEL32(?,00444F94,?,?,00000000,000000F5,?,00444F94,00000000), ref: 0042B3DE
      • GetLastError.KERNEL32(?,00000000,0042026D,?,?), ref: 0041FF50
      • GetLastError.KERNEL32(?,00000000,0042026D,?,?), ref: 0041FF95
      • GetLastError.KERNEL32 ref: 0041FFE8
        • Part of subcall function 0041EBE0: _get_osfhandle.MSVCRT ref: 0041EC50
        • Part of subcall function 0041EBE0: WriteConsoleW.KERNEL32(00000000,0043AEC8,00000000,?,00000000,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000,00000000), ref: 0041EC57
        • Part of subcall function 0041EBE0: GetLastError.KERNEL32(00000000,0043AEC8,00000000,?,00000000,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000,00000000), ref: 0041EC66
        • Part of subcall function 0041EBE0: GetLastError.KERNEL32(?,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000,00000000,00000000,?,0041BCE1,00000000), ref: 0041ECA9
      Strings
      Similarity
      • API ID: ErrorLast$Console_get_osfhandle$CriticalSection$BufferEnterHandleInfoLeaveReadScreenWrite
      • String ID: :RD$:RD$hIC
      • API String ID: 1270314918-2772246872
      • Opcode ID: f00a14a44e0c9934d5298f88f3914fae55959ba783fa867a066df0bc10cc7119
      • Instruction ID: 3a1e2a02244a5b1a33384499df5aa427a36e3745cb5a1aa3f888342b3af32766
      • Opcode Fuzzy Hash: f00a14a44e0c9934d5298f88f3914fae55959ba783fa867a066df0bc10cc7119
      • Instruction Fuzzy Hash: 94D16C35A00214DFDB10DBA5E88679E77F0BB46314F9046BBE410972A2D7BC9D86CB1E
      APIs
        • Part of subcall function 004063F4: GetCurrentThreadId.KERNEL32 ref: 004063F7
      • GetTickCount.KERNEL32 ref: 0040618F
      • GetTickCount.KERNEL32 ref: 004061A7
      • GetCurrentThreadId.KERNEL32 ref: 004061D7
      • GetTickCount.KERNEL32 ref: 00406202
      • GetTickCount.KERNEL32 ref: 00406239
      • GetTickCount.KERNEL32 ref: 00406263
      • GetCurrentThreadId.KERNEL32 ref: 004062D3
      Similarity
      • API ID: CountTick$CurrentThread
      • String ID:
      • API String ID: 3968769311-0
      • Opcode ID: ff0d451f1921140a55af1f059dfb466f60419af23f985ae784c06128e562ecce
      • Instruction ID: 29d9ba70e5f2eb885d164a0b3de890b460bf9a057a9a9946b3bc9aeb2f14b802
      • Opcode Fuzzy Hash: ff0d451f1921140a55af1f059dfb466f60419af23f985ae784c06128e562ecce
      • Instruction Fuzzy Hash: EC41AD302093419ED721AE78C58431FBBD5AF81344F16897EE8DA972C6EB7DC990874A
      APIs
      • _get_osfhandle.MSVCRT ref: 0042B38B
      • GetStdHandle.KERNEL32(000000F5,?,00444F94,00000000), ref: 0042B396
      • _get_osfhandle.MSVCRT ref: 0042B3A4
      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,000000F5,?,00444F94,00000000), ref: 0042B3C6
      • ReadConsoleW.KERNEL32(?,00444F94,?,?,00000000,000000F5,?,00444F94,00000000), ref: 0042B3DE
      • ReadConsoleW.KERNEL32(?,00444F94,?,?,00000010,00000000,?,000000F5,?,00444F94,00000000), ref: 0042B42E
      Similarity
      • API ID: Console$Read_get_osfhandle$BufferHandleInfoScreen
      • String ID:
      • API String ID: 4242899780-0
      • Opcode ID: 81de232f7f58ca491d334bce3cc634e26f614ea0127cad6c2617a712c03c7ba5
      • Instruction ID: 68f6ff667c68eff74639935069849f5357d53d3815d3a5c9b98a9f84a1c888ce
      • Opcode Fuzzy Hash: 81de232f7f58ca491d334bce3cc634e26f614ea0127cad6c2617a712c03c7ba5
      • Instruction Fuzzy Hash: 8D419471E00219AFCB10EFA9D8816EEB7F4EF09324F504166E560E7391D7789E41CBA9
      APIs
      • GetCommandLineW.KERNEL32(00000000,00421044,?,00000000,00000021,?), ref: 00420D47
        • Part of subcall function 00409B90: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00409BD5
      • wcstol.MSVCRT ref: 00420DA4
      • wcstol.MSVCRT ref: 00420DD8
      Strings
      Similarity
      • API ID: wcstol$CommandLineLoadString
      • String ID: CMDCMDLINE$ERRORLEVEL
      • API String ID: 3320807497-3727483786
      • Opcode ID: ec263c1166ed5ab579c4425a6849d398a9a950159ec0bce2f8d7376ec96b4547
      • Instruction ID: 2066b3ef339eff4d0f9fdd73cae23a1c68702821149802ea9f6ad196cc38f9a4
      • Opcode Fuzzy Hash: ec263c1166ed5ab579c4425a6849d398a9a950159ec0bce2f8d7376ec96b4547
      • Instruction Fuzzy Hash: 54D18A70F002298FCB10DFA9E9816EEB3F1BF58314F95456AE410A7391D778AD81CB69
      APIs
        • Part of subcall function 0041E3BC: _get_osfhandle.MSVCRT ref: 0041E3C2
        • Part of subcall function 0041E3BC: GetFileType.KERNEL32(00000000,?,00000000,00000000,0041ECC8,?,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000), ref: 0041E3CB
        • Part of subcall function 0041E3BC: GetConsoleMode.KERNEL32(00000000,?,000000F6,00000000,?,00000000,00000000,0041ECC8,?,?,?,00000000,0041ED55,?,00440F84,00000000), ref: 0041E407
        • Part of subcall function 0041E450: _get_osfhandle.MSVCRT ref: 0041E454
        • Part of subcall function 0041E450: GetFileType.KERNEL32(00000000,00000000,0041ECF4,?,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E45B
      • _get_osfhandle.MSVCRT ref: 00423E21
      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,00000000,00424139,?,00000001,?,?,?,00424332,00000000,0042434A,?,00000001), ref: 00423E28
      • SearchPathW.KERNEL32(DPATH,?,00000000,00000104,?,?,00000000,00424139,?,00000001,?,?,?,00424332,00000000,0042434A), ref: 00423FF6
      • GetLastError.KERNEL32(000000FF,00000000,00424139,?,00000001,?,?,?,00424332,00000000,0042434A,?,00000001,00000000,00000000), ref: 004240D3
      Strings
      Similarity
      • API ID: File_get_osfhandle$Type$ConsoleErrorLastModePathPointerSearch
      • String ID: DPATH
      • API String ID: 813518873-2010427443
      • Opcode ID: ebc1fe81ea560fcdaaf8c0a055be5403ecf9010572c76a7342151e43c5ac1934
      • Instruction ID: 5f1ea81e580a7f05d0caead0e58977167eeada402022a173e920dd21153f8b96
      • Opcode Fuzzy Hash: ebc1fe81ea560fcdaaf8c0a055be5403ecf9010572c76a7342151e43c5ac1934
      • Instruction Fuzzy Hash: 1BD15130B002248BDB20EF65E88579AB7B0EF48314F5481EAE8189B395D77CDE85CF59
      APIs
      • _get_osfhandle.MSVCRT ref: 0041E3C2
      • GetFileType.KERNEL32(00000000,?,00000000,00000000,0041ECC8,?,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000), ref: 0041E3CB
      • GetStdHandle.KERNEL32(000000F6,00000000,?,00000000,00000000,0041ECC8,?,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000), ref: 0041E3E8
      • GetStdHandle.KERNEL32(000000F5,00000000,?,00000000,00000000,0041ECC8,?,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000), ref: 0041E3F3
      • GetStdHandle.KERNEL32(000000F4,00000000,?,00000000,00000000,0041ECC8,?,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000), ref: 0041E3FE
      • GetConsoleMode.KERNEL32(00000000,?,000000F6,00000000,?,00000000,00000000,0041ECC8,?,?,?,00000000,0041ED55,?,00440F84,00000000), ref: 0041E407
      Similarity
      • API ID: Handle$ConsoleFileModeType_get_osfhandle
      • String ID:
      • API String ID: 3006655848-0
      • Opcode ID: d70a2db51f614da4d766352b73f96fc6dd45ea5288b3446b70f99a505d1153d6
      • Instruction ID: 50b90ea80130b39a20dab3d9e418b1bb2675c93bd250fe14ffb35702c42ef723
      • Opcode Fuzzy Hash: d70a2db51f614da4d766352b73f96fc6dd45ea5288b3446b70f99a505d1153d6
      • Instruction Fuzzy Hash: C201D8796082105ED320977BAD493FA25C49706378F68073BEC66D22D3E76C4CC2525F
      APIs
      • Sleep.KERNEL32(00000000,FFFFFFDC,00402A70), ref: 00402B5B
      • Sleep.KERNEL32(0000000A,00000000,FFFFFFDC,00402A70), ref: 00402B71
      • Sleep.KERNEL32(00000000,?,?,FFFFFFDC,00402A70), ref: 00402B9F
      • Sleep.KERNEL32(0000000A,00000000,?,?,FFFFFFDC,00402A70), ref: 00402BB5
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: fbed82d3cfe5f33c82c6b13f3a5eca371e9553dc365f3410045f166b6d929db3
      • Instruction ID: d6c9818163ac4615f7c5c11563140dab7e23f2c8159fce2275c5c82e41bb5f9c
      • Opcode Fuzzy Hash: fbed82d3cfe5f33c82c6b13f3a5eca371e9553dc365f3410045f166b6d929db3
      • Instruction Fuzzy Hash: 54C159726013129FE715DF28DA88716BBE0EB86310F19C2BFD445AB3D1C7B89941C7A9
      APIs
      • _get_osfhandle.MSVCRT ref: 0041E47E
      • GetFileType.KERNEL32(00000000,?,00000000,00000000,0041EC3D,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000,00000000), ref: 0041E487
      • GetStdHandle.KERNEL32(000000F6,00000000,?,00000000,00000000,0041EC3D,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000), ref: 0041E4A4
      • GetStdHandle.KERNEL32(000000F5,00000000,?,00000000,00000000,0041EC3D,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000), ref: 0041E4AF
      • GetStdHandle.KERNEL32(000000F4,00000000,?,00000000,00000000,0041EC3D,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000), ref: 0041E4BA
      • GetConsoleMode.KERNEL32(00000000,?,000000F6,00000000,?,00000000,00000000,0041EC3D,?,?,00000000,0041ED55,?,00440F84,00000000,00000000), ref: 0041E4C3
      Similarity
      • API ID: Handle$ConsoleFileModeType_get_osfhandle
      • String ID:
      • API String ID: 3006655848-0
      • Opcode ID: e702d8a8ed5436618eb197489e4d97f6ccaab42bdcae16d8e3bf9fea5cc3dbb3
      • Instruction ID: 9cf0d6bec0b9fa9ceb0a92f8ab7afb08ece9beb0ec36215879b94a990e9376b7
      • Opcode Fuzzy Hash: e702d8a8ed5436618eb197489e4d97f6ccaab42bdcae16d8e3bf9fea5cc3dbb3
      • Instruction Fuzzy Hash: 38F0377B61D3203A9A1021772D855FF10988A5A3B47380737BD26E72D2D85D8CD1217F
      Strings
      Similarity
      • API ID:
      • String ID: 8RD$GOTO
      • API String ID: 0-1652146345
      • Opcode ID: d4b5a97b48a0859f1856e18cf6974029dbe03c960dad603f6cf5db9a0e9f7ee5
      • Instruction ID: 47bb2f638037c66365c0b937d1684f8f6f490ee3f669bde7e7b0daa95634b018
      • Opcode Fuzzy Hash: d4b5a97b48a0859f1856e18cf6974029dbe03c960dad603f6cf5db9a0e9f7ee5
      • Instruction Fuzzy Hash: 98915A70B012259FDB10EFA9E88179EB7F0AF48314F94856FE80597391DB7CA980CB59
      APIs
      • _get_osfhandle.MSVCRT ref: 0041EC50
      • WriteConsoleW.KERNEL32(00000000,0043AEC8,00000000,?,00000000,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000,00000000), ref: 0041EC57
      • GetLastError.KERNEL32(00000000,0043AEC8,00000000,?,00000000,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000,00000000), ref: 0041EC66
      • GetLastError.KERNEL32(?,?,?,00000000,0041ED55,?,00440F84,00000000,00000000,00000000,00000000,00000000,00000000,?,0041BCE1,00000000), ref: 0041ECA9
        • Part of subcall function 00416C48: FormatMessageW.KERNEL32(00003300,00000000,?,00000000,?,00000000,00000000,00000000,00000000,?,?,0041ED23,000000FF,?), ref: 00416C62
        • Part of subcall function 00416C48: LocalFree.KERNEL32(?,00416CBE,00003300,00000000,?,00000000,?,00000000,00000000,00000000,00000000,?,?,0041ED23,000000FF,?), ref: 00416CB1
      Strings
      Similarity
      • API ID: ErrorLast$ConsoleFormatFreeLocalMessageWrite_get_osfhandle
      • String ID: p
      • API String ID: 2270358821-2181537457
      • Opcode ID: 0204b2111009f6fdd1736e9e54ef18b357ba1b1f8898a310d257fec38ef63b86
      • Instruction ID: 49edcebe0a85dd48a2e070739db156686d173b9639f2b96a125106bac5c506d9
      • Opcode Fuzzy Hash: 0204b2111009f6fdd1736e9e54ef18b357ba1b1f8898a310d257fec38ef63b86
      • Instruction Fuzzy Hash: 5F41D774B002159FEB00EBA6DD81BEE73B4EF44314F50852AF810A7281DA7CAD8187A9
      APIs
      • RegEnumKeyW.ADVAPI32(?,00000000,?,0000020A), ref: 004269EC
      • RegQueryValueW.ADVAPI32(?,0000002E,?,0000020A), ref: 00426A2E
      • RegQueryValueW.ADVAPI32(?,00000000,?,0000020A), ref: 00426AC7
      Strings
      Similarity
      • API ID: QueryValue$Enum
      • String ID: %s=%s$.
      • API String ID: 4111014795-4275322459
      • Opcode ID: f1c62476c0a59da3f590bf0842a351fa31978a8ee87c3719ef33815e40657458
      • Instruction ID: 2c636fb1329cd15d83b00e9da85558723bf258c0e801e26cfe553c4b9cd9d097
      • Opcode Fuzzy Hash: f1c62476c0a59da3f590bf0842a351fa31978a8ee87c3719ef33815e40657458
      • Instruction Fuzzy Hash: EF4175B1B042389ADB21DA55DC947DEBBB8EB09304F8140FBE904E3241D7785E94CB9E
      APIs
      • VirtualQuery.KERNEL32(?,?,0000001C,00000000,00417D94), ref: 00417C1B
      • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00417C3F
      • GetModuleFileNameW.KERNEL32(MZP,?,00000105), ref: 00417C5A
      • LoadStringW.USER32(00000000,0000FFEA,?,00000100), ref: 00417CF5
      Strings
      Similarity
      • API ID: FileModuleName$LoadQueryStringVirtual
      • String ID: MZP
      • API String ID: 3990497365-2889622443
      • Opcode ID: 3ef64bc2c4261145098a3c062584a36777ad11253964d742893b81a22fb6573c
      • Instruction ID: 80ab70f2b93dfe37295a3ae79f27070d34fcea32ae60c8c3a02933449a0be010
      • Opcode Fuzzy Hash: 3ef64bc2c4261145098a3c062584a36777ad11253964d742893b81a22fb6573c
      • Instruction Fuzzy Hash: B3413D70A0431C9FDB20DF65CC81BDAB7B9AB98314F5080FAE508E7241DB799E948F59
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00405FA6
      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405FAC
      • GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00405FC8
      Strings
      Similarity
      • API ID: AddressErrorHandleLastModuleProc
      • String ID: GetLogicalProcessorInformation$kernel32.dll
      • API String ID: 4275029093-812649623
      • Opcode ID: bd2e3c33bd11c53c5d300c0185f8ce7b7d7f868649576a545f0bf7f30e04c864
      • Instruction ID: 5d6e66ec93e10d7886517edabbe52e5c8cd566ed8fa27352bdb5c7e07854c76c
      • Opcode Fuzzy Hash: bd2e3c33bd11c53c5d300c0185f8ce7b7d7f868649576a545f0bf7f30e04c864
      • Instruction Fuzzy Hash: 6111B671D44204AEEB20EBA5D946B5EB7F8DB40314F2240BFE805B22C2D67D9FA0865D
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00405FA6
      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405FAC
      • GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00405FC8
      Strings
      Similarity
      • API ID: AddressErrorHandleLastModuleProc
      • String ID: GetLogicalProcessorInformation$kernel32.dll
      • API String ID: 4275029093-812649623
      • Opcode ID: 251978b34e377692bc80b67647e58cdc138d8128925342292972071cfe3dea7e
      • Instruction ID: 44311a6b8b6cd7867a0930f42e4339a60c21becb3f61a42b79d02befdf299494
      • Opcode Fuzzy Hash: 251978b34e377692bc80b67647e58cdc138d8128925342292972071cfe3dea7e
      • Instruction Fuzzy Hash: B5018471D84204AEDB20EBA1D946A6EB7E99B00314F2140BFF805F61C2D67D9AA08619
      APIs
      • GetDriveTypeW.KERNEL32(?,004245FD), ref: 0042DE65
      • GetVolumeInformationW.KERNEL32(?,?,00000104,?,?,?,00000000,00000000,?,004245FD), ref: 0042DE9F
      • GetLastError.KERNEL32(?,?,00000104,?,?,?,00000000,00000000,?,004245FD), ref: 0042DEA8
      Strings
      Similarity
      • API ID: DriveErrorInformationLastTypeVolume
      • String ID: :$\
      • API String ID: 1929915864-1166558509
      • Opcode ID: 2303b1fb79b5ef4a2e638baf1db761647025159a071e0685a8e53359de552362
      • Instruction ID: 85d4e233b75b5ba4ad75be32e4d70d4f67db23e6f388f99416d30daa92100dda
      • Opcode Fuzzy Hash: 2303b1fb79b5ef4a2e638baf1db761647025159a071e0685a8e53359de552362
      • Instruction Fuzzy Hash: 2BF081B1918750A5D720DA50D881B9F72ECBF54304F954C1FF5A4CA290E778E145875F
      APIs
      • _get_osfhandle.MSVCRT ref: 0042B288
      • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00444F94,00000000), ref: 0042B2A1
      • ReadFile.KERNEL32(?,0043EE16,?,?,00000000,?,00000000,00000000,00000001,?,00444F94,00000000), ref: 0042B2BD
      Similarity
      • API ID: File$PointerRead_get_osfhandle
      • String ID:
      • API String ID: 1944154119-0
      • Opcode ID: cca99747a22471e377f59d3bbb4defd00f25036e75d1cfff84522416b49370b0
      • Instruction ID: bda4b283853c0d5d0cdd0b75419822c66d349f292db09f5999b03b3f87793a3c
      • Opcode Fuzzy Hash: cca99747a22471e377f59d3bbb4defd00f25036e75d1cfff84522416b49370b0
      • Instruction Fuzzy Hash: 96315071A04214AFDB10CB99DC81FABB7F9EB89310F548096F904DB350D378AD4187A9
      Similarity
      • API ID: CurrentDirectory
      • String ID:
      • API String ID: 1611563598-0
      • Opcode ID: 68a29e21ada7a1d73980bf707f426c2ec723bc7b4cba94b3d701aa2d8859e2c5
      • Instruction ID: be95d2f0238709fc43d2869d9c4b94caec4bed5684931305ea1f8c02383cc80f
      • Opcode Fuzzy Hash: 68a29e21ada7a1d73980bf707f426c2ec723bc7b4cba94b3d701aa2d8859e2c5
      • Instruction Fuzzy Hash: ED21B279B0421457D710AB7B8C4279A62D5AF85324F14843BEC55CB382EAFDC8C283AF
      APIs
      • _get_osfhandle.MSVCRT ref: 0041E1D8
      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00002000,0043EE16,00002000,00000000,00000000,00000000,00000000,00000000), ref: 0041E20E
      • WriteFile.KERNEL32(?,0043EE16,00000000,?,00000000,00000000,00000000,?,00002000,0043EE16,00002000,00000000,00000000,00000000,00000000,00000000), ref: 0041E230
      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,0043EE16,00002000,00000000,00000000,00000000,00000000,00000000), ref: 0041E26E
      • WriteFile.KERNEL32(?,0043EE16,-00000001,?,00000000,00000000,00000000,?,000000FF,0043EE16,00002000,00000000,00000000,00000000,00000000,00000000), ref: 0041E284
      Similarity
      • API ID: ByteCharFileMultiWideWrite$_get_osfhandle
      • String ID:
      • API String ID: 3996430891-0
      • Opcode ID: a2915911fdd40aad71c27654f119cbc523d1265d8c514667d98e034dbd955a97
      • Instruction ID: bbc2714c1c9e7c79e86cffdd82a24e7e5c29a21ae3c0866453ce4e5d5395e40d
      • Opcode Fuzzy Hash: a2915911fdd40aad71c27654f119cbc523d1265d8c514667d98e034dbd955a97
      • Instruction Fuzzy Hash: 4431A571A40314BBE710D69AEC85FAFBBBCEB45710F14006AFE14FB2C0C279694087A9
      APIs
      • GetVDMCurrentDirectories.KERNEL32(00000000,00000000), ref: 004254FF
      • GetVDMCurrentDirectories.KERNEL32(00000000,00000000), ref: 00425520
      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00425940,00000000,?), ref: 00425547
      • SetErrorMode.KERNEL32(00000001,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00425940,00000000), ref: 0042554E
      • SetErrorMode.KERNEL32(00000000,00000001,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00425940), ref: 0042557D
      Similarity
      • API ID: CurrentDirectoriesErrorMode$ByteCharMultiWide
      • String ID:
      • API String ID: 3679696385-0
      • Opcode ID: 4a82e97b66778526a6b20d6be2ed8ce1e4d9c9984b7e68dffe4e68b52a3f9724
      • Instruction ID: d350da4ff1af98a08e1eeb4a403d6ddfca8be5bcb7a4e2b7c14f04b77815b3f5
      • Opcode Fuzzy Hash: 4a82e97b66778526a6b20d6be2ed8ce1e4d9c9984b7e68dffe4e68b52a3f9724
      • Instruction Fuzzy Hash: CA019672B055206BC220777E9C86F5F72E99B46764F45413BF404DB381DA6DCC8142EE
      APIs
        • Part of subcall function 0042753C: LoadLibraryW.KERNEL32(psapi.dll,00000000,00000000,?,?,0042760E,00000000,?,00000000), ref: 00427550
      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000), ref: 00427620
      • GetLastError.KERNEL32(?,?,QueryFullProcessImageNameW,kernel32.dll,00000000,?,00000000), ref: 0042769F
        • Part of subcall function 00419704: GetLastError.KERNEL32(00427597,00000000,004275A1,?,00000000,GetModuleFileNameExW,psapi.dll,00000000,00000000,?,?,0042760E,00000000,?,00000000), ref: 00419704
      Strings
      Similarity
      • API ID: ErrorLast$HandleLibraryLoadModule
      • String ID: QueryFullProcessImageNameW$kernel32.dll
      • API String ID: 4252302101-1740548384
      • Opcode ID: 2ecd39ebd3d3d0c26c18704bc697b779764e4d1741cb5c07a2a77b02de8e63c0
      • Instruction ID: 5bf0f1c2fe2c7a787f9c561c4908e978d8bb44830b088c148e6cd9204b6364d6
      • Opcode Fuzzy Hash: 2ecd39ebd3d3d0c26c18704bc697b779764e4d1741cb5c07a2a77b02de8e63c0
      • Instruction Fuzzy Hash: 8131A970708A146FDB11FBBDAC42A5E77A8DF46768F90047BF400E3282EA3DAD41865D
      APIs
      • RegOpenKeyW.ADVAPI32(80000002,Software\Classes,?), ref: 00426CE2
      • RegCloseKey.ADVAPI32(?,000000FF,80000002,Software\Classes,?,00000000,00426DE5,?,?,?,?,00000000,00000000,00000000), ref: 00426DC5
        • Part of subcall function 00426E30: RegEnumKeyW.ADVAPI32(?,00000000,?,0000020A), ref: 00426E7C
      Strings
      Similarity
      • API ID: CloseEnumOpen
      • String ID: Software\Classes${
      • API String ID: 1332880857-1310189716
      • Opcode ID: 604154dfae668fc49c7baf1f66e9bdc13dfc555cbb4c44506076eef4809354bd
      • Instruction ID: 41c6464a7724e3360542a107b1677f7f227151cf13a16c47f588d303f585f86a
      • Opcode Fuzzy Hash: 604154dfae668fc49c7baf1f66e9bdc13dfc555cbb4c44506076eef4809354bd
      • Instruction Fuzzy Hash: F431C934B1022C9BD711EAA5EC8279EB2E5DF44314FA2447BF4019B382DABCDD42865D
      APIs
      • RegOpenKeyW.ADVAPI32(80000002,Software\Classes,?), ref: 00426888
      • RegCloseKey.ADVAPI32(?,000000FF,80000002,Software\Classes,?,00000000,00426973), ref: 00426958
        • Part of subcall function 004269AC: RegEnumKeyW.ADVAPI32(?,00000000,?,0000020A), ref: 004269EC
      Strings
      Similarity
      • API ID: CloseEnumOpen
      • String ID: =$Software\Classes
      • API String ID: 1332880857-889067453
      • Opcode ID: ee26286127dcb09f04be502dc97ab55d4b14339310faf369ff7dc467277d3b7e
      • Instruction ID: 4dea960224145465aac807c044d6743f0e5bfb1072e4a62240e343e54dfe5282
      • Opcode Fuzzy Hash: ee26286127dcb09f04be502dc97ab55d4b14339310faf369ff7dc467277d3b7e
      • Instruction Fuzzy Hash: 1731E8B0B002259BDB11EBA5EC8165E72E5EB89314BA2407AE400D7382EE7C9E85C75D
      APIs
      • GetConsoleTitleW.KERNEL32(?,00000104,?,?,00000000,004246B4), ref: 0042E3DA
      • SetConsoleTitleW.KERNEL32(004349AC,?,00000104,?,?,00000000,004246B4), ref: 0042E455
      Strings
      Similarity
      • API ID: ConsoleTitle
      • String ID: - $dIC
      • API String ID: 3358957663-2260885757
      • Opcode ID: 18df4d967149f5399ccad87f48e1912b26981e4ae86bd0de4b6f9ce047a5f831
      • Instruction ID: 382b0d7edfda4a521a0743bb4888e91c1c0fcf324d801d56f11b5a71215d4869
      • Opcode Fuzzy Hash: 18df4d967149f5399ccad87f48e1912b26981e4ae86bd0de4b6f9ce047a5f831
      • Instruction Fuzzy Hash: A2110771705251DBD311FB6AE88579AB7E4AB46704F44983AF5848B3A2CB7CDC80CB1E
      APIs
      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004277DD
        • Part of subcall function 00415038: ReadFile.KERNEL32(00000000,?,00000040,?,00000000,00000040,00000000,00000000,00000000,004277F8,00000000,80000000,00000001,00000000,00000003,00000080), ref: 0041504C
      • CloseHandle.KERNEL32(00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00427856
        • Part of subcall function 00415064: SetFilePointer.KERNEL32(00000000,?,00000000,00000000,0042780E,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00415069
      Strings
      Similarity
      • API ID: File$CloseCreateHandlePointerRead
      • String ID: MZ$PE
      • API String ID: 4133201480-1102611028
      • Opcode ID: 080d7fcd422ba145720c091abd9a2e7172d80cf72804ec405ce97fc805721fe6
      • Instruction ID: dcbb4d889583db28263f28d856cd42f979cbba9703595e9051f617ed9aa36113
      • Opcode Fuzzy Hash: 080d7fcd422ba145720c091abd9a2e7172d80cf72804ec405ce97fc805721fe6
      • Instruction Fuzzy Hash: 3C01D830705350D7E720B6649CA179B62954FC4744F40493EB7816B3C2DABDDD48C289
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID: (D$/
      • API String ID: 0-3590975923
      • Opcode ID: b73c55f1a1c11231f2fda68aaa44fd8890c8353eabaff80dcfa3fcbeb8af9d29
      • Instruction ID: 6f62d097e54fc76a3fdcbae2efac5aa7994de3f4d19eb2cd12b22caf22ed59e9
      • Opcode Fuzzy Hash: b73c55f1a1c11231f2fda68aaa44fd8890c8353eabaff80dcfa3fcbeb8af9d29
      • Instruction Fuzzy Hash: BD81D430B002358BCB10EF65E884799B3F1EF95324F9145BAE8055B391D77C9E46CB49
      APIs
      • _get_osfhandle.MSVCRT ref: 0042D757
      • WriteConsoleW.KERNEL32(00000000,0043AEC8,?,?,00000000,?,0000000C,00000000,?), ref: 0042D75E
      • GetLastError.KERNEL32(00000000,0043AEC8,?,?,00000000,?,0000000C,00000000,?), ref: 0042D767
      • GetLastError.KERNEL32(?,?,0000000C,00000000,?), ref: 0042D79F
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ErrorLast$ConsoleWrite_get_osfhandle
      • String ID:
      • API String ID: 581457647-0
      • Opcode ID: d0847b2d41681145c7de68883382b7b0378422511e1ad2c79dbce1ec6b9b98b9
      • Instruction ID: 73474893b2bac90f9fb368502ecf05381c80657d066e765acdf0f66f0c11b644
      • Opcode Fuzzy Hash: d0847b2d41681145c7de68883382b7b0378422511e1ad2c79dbce1ec6b9b98b9
      • Instruction Fuzzy Hash: 87314F71F002289BDB10DFA9D88179EB7F5AF88354F64847BAD04E7341E63CAD4187A9
      APIs
      • _get_osfhandle.MSVCRT ref: 00427A65
      • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00427A83
      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000002), ref: 00427AB3
      • ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000002), ref: 00427AD7
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: File$Pointer$Read_get_osfhandle
      • String ID:
      • API String ID: 2224376348-0
      • Opcode ID: 59933432a4225aee383a2e0b5c2ec8e77a34ea1e634fd73134ecfa4a1ac26d76
      • Instruction ID: 7fbcd090624c8a26a52c4677edfcc844109b7a7b14e75264bb4cf7280c4330dc
      • Opcode Fuzzy Hash: 59933432a4225aee383a2e0b5c2ec8e77a34ea1e634fd73134ecfa4a1ac26d76
      • Instruction Fuzzy Hash: A4413B79600244AFC710EF59CC81E9A77A9FF88310F50C16AF949CF362DB35EA518B99
      APIs
      • GetThreadUILanguage.KERNEL32(?,00000000), ref: 00408BAD
      • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 00408C0B
      • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 00408C68
      • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 00408C9B
        • Part of subcall function 00408B58: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,00408C19), ref: 00408B6F
        • Part of subcall function 00408B58: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,00408C19), ref: 00408B8C
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Thread$LanguagesPreferred$Language
      • String ID:
      • API String ID: 2255706666-0
      • Opcode ID: 5bd000ef9faf2ce5e777626ed128adf9e5d6de55d318ed006bf182100a3e7eda
      • Instruction ID: 4f86612df9afef8dc168f762eba1a3b0a8d2813837681946306221ac72f68b06
      • Opcode Fuzzy Hash: 5bd000ef9faf2ce5e777626ed128adf9e5d6de55d318ed006bf182100a3e7eda
      • Instruction Fuzzy Hash: 86316F70E0421E9BDB10EFA5C885AAEB7B8EF04304F40457EF555F72D1DB78AA448B68
      APIs
      • GetStdHandle.KERNEL32(000000F5), ref: 00423883
      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,000000F5), ref: 00423890
      • FillConsoleOutputAttribute.KERNEL32(00000000,00000000,?,000000F5,000000F5,00000000,?,000000F5), ref: 004238BE
      • SetConsoleTextAttribute.KERNEL32(00000000,00000000,00000000,00000000,?,000000F5,000000F5,00000000,?,000000F5), ref: 004238C5
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
      • String ID:
      • API String ID: 1033415088-0
      • Opcode ID: 39b98d81768fe0f695e9bdb72f311459652956ba8a69d336e6e891405d4c9120
      • Instruction ID: 4d734664593e06f5a9a13dc878724b12bc6292eb1d5fcd029eae1ebd6b877874
      • Opcode Fuzzy Hash: 39b98d81768fe0f695e9bdb72f311459652956ba8a69d336e6e891405d4c9120
      • Instruction Fuzzy Hash: 5BF0C85160822579E3006A618C819BF72FCDF9535AF44492BF891DA2C0E77CCE5163AB
      APIs
      • WaitForSingleObject.KERNEL32(?,000000FF,?,00434960,00425267,?,?,?,?,0043AEC8,00000000,00000000,0042C55D), ref: 0042DC88
      • GetExitCodeProcess.KERNEL32(?), ref: 0042DC8F
      • CloseHandle.KERNEL32(?,?,000000FF,?,00434960,00425267,?,?,?,?,0043AEC8,00000000,00000000,0042C55D), ref: 0042DCB6
        • Part of subcall function 0042C378: EnterCriticalSection.KERNEL32(0044E930,0042DCA2,?,000000FF,?,00434960,00425267,?,?,?,?,0043AEC8,00000000,00000000,0042C55D), ref: 0042C37D
        • Part of subcall function 0042C378: LeaveCriticalSection.KERNEL32(0044E930,0044E930,0042DCA2,?,000000FF,?,00434960,00425267,?,?,?,?,0043AEC8,00000000,00000000,0042C55D), ref: 0042C391
      • fflush.MSVCRT ref: 0042DCA4
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: CriticalSection$CloseCodeEnterExitHandleLeaveObjectProcessSingleWaitfflush
      • String ID:
      • API String ID: 4081377292-0
      • Opcode ID: d041d10ecb1b1bca371db88a83d314c5df1ce85a1ca8d53eea094f96a1889b27
      • Instruction ID: 165dcddb9c5a3f0605b6d5cceaa86326c34234312b7ca19cca0c1976a0007937
      • Opcode Fuzzy Hash: d041d10ecb1b1bca371db88a83d314c5df1ce85a1ca8d53eea094f96a1889b27
      • Instruction Fuzzy Hash: CEE012B02483006ED600BB6BEC8296A7299AF89339B11572AB074A62D6CA7C5850852A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID: +K@$``C
      • API String ID: 0-2148898874
      • Opcode ID: 20347ee991edc8de7611bb411ebc3471355b1df6111ca01e0d7f09b2ac20f7b6
      • Instruction ID: 5cc954d6e20fa8cd40a837c61c0d3408391d1c3201b641b4e0ac55a79da3e991
      • Opcode Fuzzy Hash: 20347ee991edc8de7611bb411ebc3471355b1df6111ca01e0d7f09b2ac20f7b6
      • Instruction Fuzzy Hash: C05102B09081A49BDB11EB65C4957EE7BB49F81308F0904FBD941BB2C7D63C9E05C7A9
      APIs
      • VirtualQuery.KERNEL32(?,?,0000001C,00000000,00418A36), ref: 004188DA
      • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,00418A36), ref: 004188FC
        • Part of subcall function 00409B90: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00409BD5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: FileLoadModuleNameQueryStringVirtual
      • String ID: 6A
      • API String ID: 902310565-1828091119
      • Opcode ID: 0a8a5f7d25dd6d408f29b0100952c20c11dbea0b9899c723a057f4e62207b4fc
      • Instruction ID: 55bb49759d43a2ddf400105b3ccf1db1d043e12df8e760a6825baaaedb2eb6b1
      • Opcode Fuzzy Hash: 0a8a5f7d25dd6d408f29b0100952c20c11dbea0b9899c723a057f4e62207b4fc
      • Instruction Fuzzy Hash: A951F674A046599FDB20EF68CD89BC9B7F4EB48314F1041EAE808A7351D778AE84CF59
      APIs
        • Part of subcall function 0042DC44: TerminateProcess.KERNEL32(?,00000001,?,00000000,00434960,00425227,?,0043AEC8,00000000,00000000,0042C55D), ref: 0042DC50
        • Part of subcall function 0042DC44: GetLastError.KERNEL32(?,00000001,?,00000000,00434960,00425227,?,0043AEC8,00000000,00000000,0042C55D), ref: 0042DC59
      • _get_osfhandle.MSVCRT ref: 00425290
      • FlushFileBuffers.KERNEL32(00000000,?,0043AEC8,00000000,00000000,0042C55D), ref: 00425297
        • Part of subcall function 0042DC78: WaitForSingleObject.KERNEL32(?,000000FF,?,00434960,00425267,?,?,?,?,0043AEC8,00000000,00000000,0042C55D), ref: 0042DC88
        • Part of subcall function 0042DC78: GetExitCodeProcess.KERNEL32(?), ref: 0042DC8F
        • Part of subcall function 0042DC78: fflush.MSVCRT ref: 0042DCA4
        • Part of subcall function 0042DC78: CloseHandle.KERNEL32(?,?,000000FF,?,00434960,00425267,?,?,?,?,0043AEC8,00000000,00000000,0042C55D), ref: 0042DCB6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Process$BuffersCloseCodeErrorExitFileFlushHandleLastObjectSingleTerminateWait_get_osfhandlefflush
      • String ID: `IC
      • API String ID: 440551933-2046359124
      • Opcode ID: e4bb4563ce19de5ba2b113e5e2a50cfca94e9231daa0c95ba7d1f3c92f28fe24
      • Instruction ID: b5343a7084197eb16992b0b5e7ff8d9a711c96aa0a7cdb134deb011f145a5fc8
      • Opcode Fuzzy Hash: e4bb4563ce19de5ba2b113e5e2a50cfca94e9231daa0c95ba7d1f3c92f28fe24
      • Instruction Fuzzy Hash: 3031E435B01A30CFC714EF6AE484B1673A1AF56714B8A40EAE5048B3A6D778EC45CF5A
      APIs
      • RegDeleteKeyW.ADVAPI32(?,00000000), ref: 00426BAD
      • RegSetValueW.ADVAPI32(?,00000000,00000001,00000004,00000000), ref: 00426BF1
        • Part of subcall function 00409B90: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00409BD5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: DeleteLoadStringValue
      • String ID: %s=%s
      • API String ID: 165137819-1087296587
      • Opcode ID: 576e67d2379019df031d6c4b188bcd91c3005552ce4e1f1353e7d1a2dc1f2866
      • Instruction ID: 3b9df548e103ad227f4ac6bca07f9f4cc23eb33f3e385fab044275901cdf35ac
      • Opcode Fuzzy Hash: 576e67d2379019df031d6c4b188bcd91c3005552ce4e1f1353e7d1a2dc1f2866
      • Instruction Fuzzy Hash: 93217930E043589BDB11EB96D881BDEB7F4EF49704F91416AE800B7381D7BC5E04CA9A
      APIs
      • LoadLibraryW.KERNEL32(psapi.dll,00000000,00000000,?,?,0042760E,00000000,?,00000000), ref: 00427550
        • Part of subcall function 00419704: GetLastError.KERNEL32(00427597,00000000,004275A1,?,00000000,GetModuleFileNameExW,psapi.dll,00000000,00000000,?,?,0042760E,00000000,?,00000000), ref: 00419704
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ErrorLastLibraryLoad
      • String ID: GetModuleFileNameExW$psapi.dll
      • API String ID: 3568775529-1894792326
      • Opcode ID: b88f964b1472b510e97091693d9faaac061a02f4c2a613b4dedebd6dd4897fb3
      • Instruction ID: 130a6a2728818ef488f4c6a2e2615dec33ddd6d4cc94b6a22f4423864622f3f4
      • Opcode Fuzzy Hash: b88f964b1472b510e97091693d9faaac061a02f4c2a613b4dedebd6dd4897fb3
      • Instruction Fuzzy Hash: 1AF09679308324FED7415FB7BC55B22B668F766758FD1043BE40481A60D67C5880852D
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: DriveType
      • String ID: :$\
      • API String ID: 338552980-1166558509
      • Opcode ID: 858a0acfbb05ab264ed078d721505fe814c7f53a396ecafd7f1ef06bc34f1488
      • Instruction ID: 0fbc0fdf5cdb0dc1e3a63b8c9b6641b5bbdd805e049915c2c93339e7d82eb778
      • Opcode Fuzzy Hash: 858a0acfbb05ab264ed078d721505fe814c7f53a396ecafd7f1ef06bc34f1488
      • Instruction Fuzzy Hash: D2D05E2112D34058A3109B24590610EB3E0EE81334FA0D91FE0AC962D4FB369046A30F
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,0043236F,00000000,004323A6), ref: 004197DE
        • Part of subcall function 0040A664: GetProcAddress.KERNEL32(?,0042B88D), ref: 0040A688
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1836081492.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1836069438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836104214.0000000000433000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836117915.0000000000435000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.0000000000436000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836129930.000000000044E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836156931.0000000000450000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836169887.0000000000451000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1836182121.0000000000454000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: GetDiskFreeSpaceExW$kernel32.dll
      • API String ID: 1646373207-1127948838
      • Opcode ID: 8df9d7db37854f209d6322b4b6d05ce3073977e900c6ee5fcd9c5f41e5e7dd67
      • Instruction ID: c6d731c50d33cff667622933a37d5dc3a313c9916d13df34d1e9f3d205f4ed8c
      • Opcode Fuzzy Hash: 8df9d7db37854f209d6322b4b6d05ce3073977e900c6ee5fcd9c5f41e5e7dd67
      • Instruction Fuzzy Hash: 77D05EB0E143019ADB00BFB26CD679222749720305F54983BE02055282DBBC8E818F9C