Edit tour

Windows Analysis Report
SYQV60EVo9.exe

Overview

General Information

Sample name:	SYQV60EVo9.exe renamed because original name is a hash value
Original sample name:	02A54443F76EEE449DB229FCEA8BA4C0.exe
Analysis ID:	1402979
MD5:	02a54443f76eee449db229fcea8ba4c0
SHA1:	6c9eb9c2a0bdee9888f697668850dc49c011bc5f
SHA256:	b70b84b7e75e40868fcefebdc5da896e2ecdbfbb2848cdf1ea90ac4fc1926c63
Tags:	exeRATRemcosRAT
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Contains functionality to bypass UAC (CMSTPLUA)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Machine Learning detection for sample

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SYQV60EVo9.exe (PID: 7536 cmdline: C:\Users\user\Desktop\SYQV60EVo9.exe MD5: 02A54443F76EEE449DB229FCEA8BA4C0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "195.54.170.36:22033:0", "Assigned name": "22033", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "%VR^&bty-4RZCYZ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SYQV60EVo9.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
SYQV60EVo9.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
SYQV60EVo9.exe	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
SYQV60EVo9.exe	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
SYQV60EVo9.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x134a8:$a1: Remcos restarted by watchdog! 0x13a20:$a3: %02i:%02i:%02i:%03i
00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x134a8:$a1: Remcos restarted by watchdog! 0x13a20:$a3: %02i:%02i:%02i:%03i
00000000.00000002.4101662323.000000000054E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: SYQV60EVo9.exe PID: 7536	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: SYQV60EVo9.exe PID: 7536	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: SYQV60EVo9.exe PID: 7536	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xf043:$a1: Remcos restarted by watchdog! 0x1ce7d:$a1: Remcos restarted by watchdog! 0xf59d:$a3: %02i:%02i:%02i:%03i 0xf9cc:$a3: %02i:%02i:%02i:%03i 0x1d3d7:$a3: %02i:%02i:%02i:%03i 0x1d806:$a3: %02i:%02i:%02i:%03i
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SYQV60EVo9.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.SYQV60EVo9.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SYQV60EVo9.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0.2.SYQV60EVo9.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
0.2.SYQV60EVo9.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
0.0.SYQV60EVo9.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.0.SYQV60EVo9.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.0.SYQV60EVo9.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0.0.SYQV60EVo9.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
0.0.SYQV60EVo9.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
Click to see the 5 entries

Snort Signatures

ET TROJAN Remcos 3.x Unencrypted Checkin - Source IP: 192.168.2.4 - Destination IP: 195.54.170.36

Timestamp:	03/04/24-20:36:58.052882
SID:	2032776
Source Port:	49729
Destination Port:	22033
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Remcos 3.x Unencrypted Server Response - Source IP: 195.54.170.36 - Destination IP: 192.168.2.4

Timestamp:	03/04/24-20:41:05.908024
SID:	2032777
Source Port:	22033
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SYQV60EVo9.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.4101662323.000000000054E000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "195.54.170.36:22033:0", "Assigned name": "22033", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "%VR^&bty-4RZCYZ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for submitted file

Source: SYQV60EVo9.exe

ReversingLabs: Detection: 89%

Yara detected Remcos RAT

Source: Yara match	File source: SYQV60EVo9.exe, type: SAMPLE
Source: Yara match	File source: 0.2.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4101662323.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYQV60EVo9.exe PID: 7536, type: MEMORYSTR

Machine Learning detection for sample

Source: SYQV60EVo9.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

0_2_00433837

Source: SYQV60EVo9.exe, 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_1855c6c4-f

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: SYQV60EVo9.exe, type: SAMPLE
Source: Yara match	File source: 0.2.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYQV60EVo9.exe PID: 7536, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_004074FD _wcslen,CoGetObject,

0_2_004074FD

Source: SYQV60EVo9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_00409253
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	0_2_0041C291
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	0_2_0040C34D
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_00409665
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	0_2_0040880C
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0040783C FindFirstFileW,FindNextFileW,	0_2_0040783C
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00419AF5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040BB30
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040BD37

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00407C97

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49729 -> 195.54.170.36:22033
Source: Traffic	Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 195.54.170.36:22033 -> 192.168.2.4:49729

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 195.54.170.36

Source: global traffic

TCP traffic: 192.168.2.4:49729 -> 195.54.170.36:22033

Source: Joe Sandbox View

ASN Name: VALICOM-ASPT VALICOM-ASPT

Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.170.36

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_0041B380

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

0_2_0040A2B8

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

0_2_0040B70E

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004168C1

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

0_2_0040B70E

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

0_2_0040A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: SYQV60EVo9.exe, type: SAMPLE
Source: Yara match	File source: 0.2.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4101662323.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYQV60EVo9.exe PID: 7536, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0041C9E2 SystemParametersInfoW,

0_2_0041C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: SYQV60EVo9.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: SYQV60EVo9.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: SYQV60EVo9.exe, type: SAMPLE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SYQV60EVo9.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	0_2_004132D2
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,	0_2_0041BB09
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,	0_2_0041BB35

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

0_2_004167B4

Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0043E0CC	0_2_0043E0CC
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0041F0FA	0_2_0041F0FA
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00454159	0_2_00454159
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00438168	0_2_00438168
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_004461F0	0_2_004461F0
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0043E2FB	0_2_0043E2FB
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0045332B	0_2_0045332B
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0042739D	0_2_0042739D
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_004374E6	0_2_004374E6
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0043E558	0_2_0043E558
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00438770	0_2_00438770
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_004378FE	0_2_004378FE
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00433946	0_2_00433946
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0044D9C9	0_2_0044D9C9
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00427A46	0_2_00427A46
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0041DB62	0_2_0041DB62
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00427BAF	0_2_00427BAF
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00437D33	0_2_00437D33
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00435E5E	0_2_00435E5E
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00426E0E	0_2_00426E0E
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0043DE9D	0_2_0043DE9D
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00413FCA	0_2_00413FCA
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00436FEA	0_2_00436FEA

Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: String function: 00434770 appears 42 times
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: String function: 00401E65 appears 35 times

Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Section loaded: winnsi.dll	Jump to behavior

Source: SYQV60EVo9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SYQV60EVo9.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: SYQV60EVo9.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: SYQV60EVo9.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SYQV60EVo9.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

0_2_00417952

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_0040F474

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

0_2_0041B4A8

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_0041AA4A

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Mutant created: \Sessions\1\BaseNamedObjects\%VR^&bty-4RZCYZ

Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: Software\	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: %VR^&bty-4RZCYZ	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: Exe	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: Exe	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: %VR^&bty-4RZCYZ	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: Inj	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: Inj	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: 8SG	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: bnupgxp	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: 8SG	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: bnupgxp	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: arkbllp	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: dMG	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: (V	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: PSG	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: Administrator	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: User	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: wej	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: bom	0_2_0040E9C5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Command line argument: bom	0_2_0040E9C5

Source: SYQV60EVo9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SYQV60EVo9.exe

ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: SYQV60EVo9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SYQV60EVo9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SYQV60EVo9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SYQV60EVo9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SYQV60EVo9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SYQV60EVo9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SYQV60EVo9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: SYQV60EVo9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SYQV60EVo9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SYQV60EVo9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SYQV60EVo9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SYQV60EVo9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_0041CB50

Source: SYQV60EVo9.exe

Static PE information: section name: ejdgjg

Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00457106 push ecx; ret	0_2_00457119
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00482774 push eax; retf	0_2_00482775
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00457A28 push eax; ret	0_2_00457A46
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00434E56 push ecx; ret	0_2_00434E69

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

0_2_00406EB0

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_0041AA4A

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

0_2_0041CB50

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0040F7A7 Sleep,ExitProcess,

0_2_0040F7A7

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

0_2_0041A748

Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Window / User API: threadDelayed 1311			Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Window / User API: threadDelayed 8684			Jump to behavior

Source: C:\Users\user\Desktop\SYQV60EVo9.exe TID: 7556	Thread sleep count: 1311 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe TID: 7556	Thread sleep time: -3933000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe TID: 7556	Thread sleep count: 8684 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SYQV60EVo9.exe TID: 7556	Thread sleep time: -26052000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_00409253
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	0_2_0041C291
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	0_2_0040C34D
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_00409665
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	0_2_0040880C
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0040783C FindFirstFileW,FindNextFileW,	0_2_0040783C
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00419AF5
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040BB30
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040BD37

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00407C97

Source: SYQV60EVo9.exe, 00000000.00000002.4101662323.000000000054E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

API call chain: ExitProcess graph end node

graph_0-48152

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004349F9

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

0_2_0041CB50

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_004432B5 mov eax, dword ptr fs:[00000030h]

0_2_004432B5

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_00412077 GetProcessHeap,HeapFree,

0_2_00412077

Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004349F9
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00434B47 SetUnhandledExceptionFilter,	0_2_00434B47
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043BB22
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: 0_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00434FDC

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

0_2_00412117

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_00419627 mouse_event,

0_2_00419627

Source: SYQV60EVo9.exe, 00000000.00000002.4101662323.0000000000588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager'
Source: SYQV60EVo9.exe, 00000000.00000002.4101662323.0000000000588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SYQV60EVo9.exe, 00000000.00000002.4101662323.0000000000588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerd
Source: SYQV60EVo9.exe, 00000000.00000002.4101662323.0000000000588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager-
Source: SYQV60EVo9.exe, 00000000.00000002.4101662323.000000000054E000.00000004.00000020.00020000.00000000.sdmp, SYQV60EVo9.exe, 00000000.00000002.4101662323.0000000000588000.00000004.00000020.00020000.00000000.sdmp, SYQV60EVo9.exe, 00000000.00000002.4101662323.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: SYQV60EVo9.exe, 00000000.00000002.4101662323.0000000000588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager{

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_00434C52 cpuid

0_2_00434C52

Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: GetLocaleInfoA,	0_2_0040F8D1
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: EnumSystemLocalesW,	0_2_00452036
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_004520C3
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: GetLocaleInfoW,	0_2_00452313
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: EnumSystemLocalesW,	0_2_00448404
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0045243C
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: GetLocaleInfoW,	0_2_00452543
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00452610
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: GetLocaleInfoW,	0_2_004488ED
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00451CD8
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: EnumSystemLocalesW,	0_2_00451F50
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: EnumSystemLocalesW,	0_2_00451F9B

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread,

0_2_00404F51

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_0041B60D GetComputerNameExW,GetUserNameW,

0_2_0041B60D

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: 0_2_004493AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_004493AD

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: SYQV60EVo9.exe, type: SAMPLE
Source: Yara match	File source: 0.2.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4101662323.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYQV60EVo9.exe PID: 7536, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

0_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		0_2_0040BB30
Source: C:\Users\user\Desktop\SYQV60EVo9.exe	Code function: \key3.db		0_2_0040BB30

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: SYQV60EVo9.exe, type: SAMPLE
Source: Yara match	File source: 0.2.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SYQV60EVo9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4101662323.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYQV60EVo9.exe PID: 7536, type: MEMORYSTR

Source: C:\Users\user\Desktop\SYQV60EVo9.exe

Code function: cmd.exe

0_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	2 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	1 DLL Side-Loading	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	1 Bypass User Account Control	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Process Injection	1 Virtualization/Sandbox Evasion	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SYQV60EVo9.exe	89%	ReversingLabs	Win32.Backdoor.Remcos
SYQV60EVo9.exe	100%	Avira	BDS/Backdoor.Gen
SYQV60EVo9.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
195.54.170.36	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
195.54.170.36	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
195.54.170.36	unknown	unknown		51171	VALICOM-ASPT	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1402979
Start date and time:	2024-03-04 20:36:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SYQV60EVo9.exe renamed because original name is a hash value
Original Sample Name:	02A54443F76EEE449DB229FCEA8BA4C0.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 30 Number of non-executed functions: 225
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SYQV60EVo9.exe

Simulations

Behavior and APIs

Time	Type	Description
20:37:34	API Interceptor	4967193x Sleep call for process: SYQV60EVo9.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VALICOM-ASPT	5Qq54zuREl.exe	Get hash	malicious	RedLine	Browse	195.54.170.157
	5Qq54zuREl.exe	Get hash	malicious	RedLine	Browse	195.54.170.157
	file.exe	Get hash	malicious	RedLine	Browse	195.54.170.157
	q1wLT3xKiY.exe	Get hash	malicious	CryptOne, Raccoon Stealer v2, RedLine, Vidar	Browse	195.54.170.157
	9n6ctoq7cn.exe	Get hash	malicious	AsyncRAT, CryptOne, Raccoon Stealer v2, RedLine, Vidar	Browse	195.54.170.157
	xZ4q0nNSPX.exe	Get hash	malicious	AsyncRAT, CryptOne, Raccoon Stealer v2, RedLine, Vidar	Browse	195.54.170.157
	9n6ctoq7cn.exe	Get hash	malicious	AsyncRAT, CryptOne, Raccoon Stealer v2, RedLine, Vidar	Browse	195.54.170.157
	WSkT8d093C.exe	Get hash	malicious	AsyncRAT, CryptOne, Raccoon Stealer v2, RedLine, Vidar	Browse	195.54.170.157
	em1B8DcC72.exe	Get hash	malicious	AsyncRAT, CryptOne, Raccoon Stealer v2, RedLine, Vidar	Browse	195.54.170.157
	JMDc707Z03.exe	Get hash	malicious	CryptOne, Raccoon Stealer v2, RedLine, Vidar	Browse	195.54.170.157

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.598376908380192
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SYQV60EVo9.exe
File size:	497'152 bytes
MD5:	02a54443f76eee449db229fcea8ba4c0
SHA1:	6c9eb9c2a0bdee9888f697668850dc49c011bc5f
SHA256:	b70b84b7e75e40868fcefebdc5da896e2ecdbfbb2848cdf1ea90ac4fc1926c63
SHA512:	85db5fc4b4cb557493563110163bc12cef30d19cc7f414907b46d9991b0372ca5095913c921873250b5382c0f6248ca74cb11c0a763b566d79ecdcbe143ec025
SSDEEP:	6144:OXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZKAXXcN35GvS:OX7tPMK8ctGe4Dzl4h2QnuPs/ZKXcvS
TLSH:	3CB49E01BAD1C072D57514300D36F776EAB8BD202836497BB7D61D9BFE30190B62AAB7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..- ..~ ..~ ..~.f$~3..~.f&~...~.f'~>..~).Q~!..~.Z.~"..~....:..~.......~.......~).F~9..~ ..~...~....D..~..*~!..~....!..~Rich ..

File Icon


Icon Hash:	95694d05214c1b33

Static PE Info

General

Entrypoint:	0x4349ef
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4EA69966 [Tue Oct 25 11:11:34 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	8d5087ff5de35c3fbb9f212b47d63cad

Entrypoint Preview

Instruction
call 00007FFAA085ADECh
jmp 00007FFAA085A803h
push ebp
mov ebp, esp
sub esp, 00000324h
push ebx
push esi
push 00000017h
call 00007FFAA087D064h
test eax, eax
je 00007FFAA085A977h
mov ecx, dword ptr [ebp+08h]
int 29h
xor esi, esi
lea eax, dword ptr [ebp-00000324h]
push 000002CCh
push esi
push eax
mov dword ptr [00471D14h], esi
call 00007FFAA085CDD7h
add esp, 0Ch
mov dword ptr [ebp-00000274h], eax
mov dword ptr [ebp-00000278h], ecx
mov dword ptr [ebp-0000027Ch], edx
mov dword ptr [ebp-00000280h], ebx
mov dword ptr [ebp-00000284h], esi
mov dword ptr [ebp-00000288h], edi
mov word ptr [ebp-0000025Ch], ss
mov word ptr [ebp-00000268h], cs
mov word ptr [ebp-0000028Ch], ds
mov word ptr [ebp-00000290h], es
mov word ptr [ebp-00000294h], fs
mov word ptr [ebp-00000298h], gs
pushfd
pop dword ptr [ebp-00000264h]
mov eax, dword ptr [ebp+04h]
mov dword ptr [ebp-0000026Ch], eax
lea eax, dword ptr [ebp+04h]
mov dword ptr [ebp-00000260h], eax
mov dword ptr [ebp-00000324h], 00010001h
mov eax, dword ptr [eax-04h]
push 00000050h
mov dword ptr [ebp-00000270h], eax
lea eax, dword ptr [ebp-58h]
push esi
push eax
call 00007FFAA085CD4Eh

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6eea8	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x79000	0x4818	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7e000	0x3bcc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6d340	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x6d3d4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6d378	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x59000	0x4fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x57175	0x57200	f959ed65f49a903603bc150bbb7292aa	False	0.571329694225251	data	6.62552167894442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x59000	0x179b6	0x17a00	2db041e0fbcf1d8b44c22738d25b106c	False	0.5007647156084656	Zebra Metafile graphic (comment = \210\002\007)	5.859817630763893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x71000	0x5d44	0xe00	fa1a169b9414830def88848af87110b5	False	0.22154017857142858	data	3.00580031855032	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x77000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x78000	0x230	0x400	09e4699aa75951ab53e804fe4f9a3b6b	False	0.3271484375	data	2.349075166240886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x79000	0x4818	0x4a00	e3fbe46e746563c32f583e82dc55e4e6	False	0.24540751689189189	data	3.803477694310937	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7e000	0x3bcc	0x3c00	0a6e61b09628beca43d4bf9604f65238	False	0.7639973958333334	data	6.718533933603825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
ejdgjg	0x82000	0x1000	0xc00	e185e5cbe3c52db23e83a5f85bd2b4b9	False	0.5081380208333334	data	4.916026821522541	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x7918c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3421985815602837
RT_ICON	0x795f4	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.27704918032786885
RT_ICON	0x79f7c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.23686679174484052
RT_ICON	0x7b024	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.22977178423236513
RT_RCDATA	0x7d5cc	0x20c	data			1.0209923664122138
RT_GROUP_ICON	0x7d7d8	0x3e	data	English	United States	0.8064516129032258

Imports

DLL	Import
KERNEL32.dll	FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll	GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, GetMessageA, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, DispatchMessageA, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, GetIconInfo, GetSystemMetrics, AppendMenuA, RegisterClassExA, GetCursorPos, SetForegroundWindow, DrawIcon, SystemParametersInfoW
GDI32.dll	BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll	ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll	CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll	PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll	waveInUnprepareHeader, waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader
WS2_32.dll	gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll	URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll	GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll	InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/04/24-20:36:58.052882	TCP	2032776	ET TROJAN Remcos 3.x Unencrypted Checkin	49729	22033	192.168.2.4	195.54.170.36
03/04/24-20:41:05.908024	TCP	2032777	ET TROJAN Remcos 3.x Unencrypted Server Response	22033	49729	195.54.170.36	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 4, 2024 20:36:57.862345934 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:36:58.050684929 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:36:58.050844908 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:36:58.052881956 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:36:58.291784048 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:36:58.413404942 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:36:58.415335894 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:36:58.603967905 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:36:58.645020962 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:36:58.659595966 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:36:58.897973061 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:37:04.056375027 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:37:04.057852030 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:37:04.301083088 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:37:34.200990915 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:37:34.202887058 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:37:34.432439089 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:38:04.325052977 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:38:04.326817989 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:38:04.560038090 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:38:34.485687971 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:38:34.486957073 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:38:34.727874041 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:39:04.805351973 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:39:04.807069063 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:39:05.041587114 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:39:35.160937071 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:39:35.163881063 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:39:35.403177977 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:40:05.464148998 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:40:05.465442896 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:40:05.712122917 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:40:35.595204115 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:40:35.596553087 CET	49729	22033	192.168.2.4	195.54.170.36
Mar 4, 2024 20:40:35.826559067 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:41:05.908024073 CET	22033	49729	195.54.170.36	192.168.2.4
Mar 4, 2024 20:41:05.957942009 CET	49729	22033	192.168.2.4	195.54.170.36

Target ID:	0
Start time:	20:36:57
Start date:	04/03/2024
Path:	C:\Users\user\Desktop\SYQV60EVo9.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SYQV60EVo9.exe
Imagebase:	0x400000
File size:	497'152 bytes
MD5 hash:	02A54443F76EEE449DB229FCEA8BA4C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1640784816.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4101662323.000000000054E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.4%
Total number of Nodes:	1274
Total number of Limit Nodes:	47

Executed Functions

Function 0041CB50 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
GetProcAddress.KERNEL32(00000000), ref: 0041CB88
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
GetProcAddress.KERNEL32(00000000), ref: 0041CC11
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
GetProcAddress.KERNEL32(00000000), ref: 0041CC25
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
GetProcAddress.KERNEL32(00000000), ref: 0041CC39
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
GetProcAddress.KERNEL32(00000000), ref: 0041CC61
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
GetProcAddress.KERNEL32(00000000), ref: 0041CC75
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
GetProcAddress.KERNEL32(00000000), ref: 0041CC86
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
GetProcAddress.KERNEL32(00000000), ref: 0041CD07
LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
GetProcAddress.KERNEL32(00000000), ref: 0041CD4C

Strings

RmEndSession, xrefs: 0041CD3E
EnumDisplayMonitors, xrefs: 0041CC3B
GlobalMemoryStatusEx, xrefs: 0041CBC8
Iphlpapi, xrefs: 0041CCC1, 0041CCCB, 0041CCD6
Psapi, xrefs: 0041CB60
SetProcessDpiAwareness, xrefs: 0041CB8F, 0041CB94, 0041CBA8
IsUserAnAdmin, xrefs: 0041CBFF
NtUnmapViewOfSection, xrefs: 0041CBB8
Kernel32, xrefs: 0041CB80
NtSuspendProcess, xrefs: 0041CC9C
user32, xrefs: 0041CBA9, 0041CC2C, 0041CC40, 0041CC54
NtQueryInformationProcess, xrefs: 0041CCE1
kernel32, xrefs: 0041CBCD, 0041CBDC, 0041CBF0, 0041CC18, 0041CC68, 0041CC8D, 0041CCFA
Rstrtmgr, xrefs: 0041CD0E, 0041CD18, 0041CD23, 0041CD33, 0041CD43
GetProcessImageFileNameW, xrefs: 0041CB5A, 0041CB5F, 0041CB7F
GetExtendedUdpTable, xrefs: 0041CCD1
IsWow64Process, xrefs: 0041CBD7
GetMonitorInfoW, xrefs: 0041CC4F
RmStartSession, xrefs: 0041CD09
RmRegisterResources, xrefs: 0041CD1E
RmGetList, xrefs: 0041CD2E
GetComputerNameExW, xrefs: 0041CBEB
SetProcessDEPPolicy, xrefs: 0041CC13
GetExtendedTcpTable, xrefs: 0041CCBC
GetFinalPathNameByHandleW, xrefs: 0041CCF5
Shell32, xrefs: 0041CC04
shcore, xrefs: 0041CB95
Shlwapi, xrefs: 0041CC79
NtResumeProcess, xrefs: 0041CCAC
EnumDisplayDevicesW, xrefs: 0041CC27
ntdll, xrefs: 0041CBBD, 0041CBC2, 0041CCA1, 0041CCB1, 0041CCE6
GetSystemTimes, xrefs: 0041CC63
GetConsoleWindow, xrefs: 0041CC88

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9C5 Relevance: 62.0, APIs: 15, Strings: 20, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SYQV60EVo9.exe,00000104), ref: 0040E9EE

Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C

Strings

User, xrefs: 0040F28E
dMG, xrefs: 0040F1A8
PSG, xrefs: 0040F224
Administrator, xrefs: 0040F287
Access Level: , xrefs: 0040F29F
Inj, xrefs: 0040EBD5, 0040EBEC
wej, xrefs: 0040F2D1
C:\Users\user\Desktop\SYQV60EVo9.exe, xrefs: 0040E9E6, 0040EE0F
%VR^&bty-4RZCYZ, xrefs: 0040EB05, 0040EB62
Software\, xrefs: 0040EAC3
8SG, xrefs: 0040EE65
8SG, xrefs: 0040EF1D
Exe, xrefs: 0040EB0F
(V, xrefs: 0040EA5D, 0040EA96, 0040ED47, 0040ED7B, 0040EDD3, 0040EEAC, 0040EF66, 0040F036, 0040F0D8, 0040F103, 0040F12B, 0040F154, 0040F187, 0040F1C7, 0040F1F3
bnupgxp, xrefs: 0040EE92, 0040EF40
Exe, xrefs: 0040EB14
bom, xrefs: 0040F2ED, 0040F36F
license_code.txt, xrefs: 0040EA4D
Remcos Agent initialized, xrefs: 0040EFEF
arkbllp, xrefs: 0040EF88

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: %VR^&bty-4RZCYZ$(V$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\SYQV60EVo9.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$arkbllp$bnupgxp$bom$dMG$license_code.txt$wej
API String ID: 2830904901-3676525279
Opcode ID: 5c7bb5071500f7378bb66c025f357dc5e849ae1b9b716226515f5feeab8bfcbe
Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
Opcode Fuzzy Hash: 5c7bb5071500f7378bb66c025f357dc5e849ae1b9b716226515f5feeab8bfcbe
Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

Uniqueness

Uniqueness Score: -1.00%

Function 0041B380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
InternetOpenUrlW.WININET(00000000,ccmolkpqfhnostgydnet/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
InternetCloseHandle.WININET(00000000), ref: 0041B41C
InternetCloseHandle.WININET(00000000), ref: 0041B41F

Strings

ccmolkpqfhnostgydnet/json.gp, xrefs: 0041B3B7

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: ccmolkpqfhnostgydnet/json.gp
API String ID: 3121278467-2513464542
Opcode ID: 37211688c0b5698ac0084f66d0ba54e0592879c2b0dd433720555137baf5cf7a
Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
Opcode Fuzzy Hash: 37211688c0b5698ac0084f66d0ba54e0592879c2b0dd433720555137baf5cf7a
Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7A7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
Part of subcall function 00413549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592

Sleep.KERNEL32(00000BB8), ref: 0040F85B
ExitProcess.KERNEL32 ref: 0040F8CA

Strings

4.9.3 Pro, xrefs: 0040F836, 0040F8A3
raqmufyp, xrefs: 0040F7CC
pth_unenc, xrefs: 0040F7BD, 0040F804, 0040F871

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 4.9.3 Pro$pth_unenc$raqmufyp
API String ID: 2281282204-3192017170
Opcode ID: 43d610730f54f59da480bb89a6e23b3142a505c85b8be00bf30a330aff577ae3
Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
Opcode Fuzzy Hash: 43d610730f54f59da480bb89a6e23b3142a505c85b8be00bf30a330aff577ae3
Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF

Uniqueness

Uniqueness Score: -1.00%

Function 00404F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0

Strings

KeepAlive | Enabled | Timeout: , xrefs: 00404F94

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 70ec5357b5270b3dcda54dd920b0034a798e59f343eafcbf38ffbebff9207b28
Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
Opcode Fuzzy Hash: 70ec5357b5270b3dcda54dd920b0034a798e59f343eafcbf38ffbebff9207b28
Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA

Uniqueness

Uniqueness Score: -1.00%

Function 0041B60D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExW.KERNEL32(00000001,?,0000002B,(V), ref: 0041B62A
GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642

Strings

(V, xrefs: 0041B616

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID: (V
API String ID: 4229901323-2767085487
Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8D1 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.3 Pro), ref: 0040F8E5

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

Uniqueness

Uniqueness Score: -1.00%

Function 00414F2A Relevance: 46.3, APIs: 5, Strings: 21, Instructions: 809
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,004752F0,(V,00000000), ref: 00414F7B
WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
Sleep.KERNEL32(00000000,00000002), ref: 00415AD7

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

xxop, xrefs: 00415366
Connection Error: Unable to create socket, xrefs: 004151EA
TLS Off, xrefs: 004150E5
PSG, xrefs: 004154FE
NG, xrefs: 004153E2
Connecting | , xrefs: 00415108
Disconnected, xrefs: 00415A47
NG, xrefs: 00415423
TLS On , xrefs: 004150F3
Connected | , xrefs: 0041524E
| , xrefs: 00415112, 00415253
4.9.3 Pro, xrefs: 004154CB
C:\Users\user\Desktop\SYQV60EVo9.exe, xrefs: 004153C0
%VR^&bty-4RZCYZ, xrefs: 0041542C
%I64u, xrefs: 004152F6
8SG, xrefs: 00415340
(V, xrefs: 00414F37, 00414F54, 00415328, 00415A9E
Exe, xrefs: 004153F5
kihvjq, xrefs: 00415393
Connection Error: , xrefs: 0041519F
dMG, xrefs: 00415499

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$%VR^&bty-4RZCYZ$(V$4.9.3 Pro$8SG$C:\Users\user\Desktop\SYQV60EVo9.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$TLS Off$TLS On $dMG$kihvjq$xxop$NG$NG
API String ID: 524882891-2506696863
Opcode ID: 8a2c2d6246c99f03029119e8fe0303447c0e108969f154f440c397d712d1768e
Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
Opcode Fuzzy Hash: 8a2c2d6246c99f03029119e8fe0303447c0e108969f154f440c397d712d1768e
Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

Uniqueness

Uniqueness Score: -1.00%

Function 004048C8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
WSAGetLastError.WS2_32 ref: 00404A21

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

Connection Refused, xrefs: 00404A76
TLS Authentication Failed, xrefs: 00404999
TLS Error 1, xrefs: 00404937
TLS Error 3, xrefs: 004049D8
Connection Failed: , xrefs: 00404A43
TLS Error 2, xrefs: 00404955
TLS Handshake... | , xrefs: 00404904

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: fa9dc16280b74e41472a6a3d9ec0168782aacc7c5f81dfffe069f112667f44de
Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
Opcode Fuzzy Hash: fa9dc16280b74e41472a6a3d9ec0168782aacc7c5f81dfffe069f112667f44de
Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA34 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A

Strings

ProgramFiles, xrefs: 0040DB6E
AppData, xrefs: 0040DB51
WinDir, xrefs: 0040DA9B, 0040DABD, 0040DB0F
\system32, xrefs: 0040DAAE
Temp, xrefs: 0040DA66
ProgramData, xrefs: 0040DB5F
SystemDrive, xrefs: 0040DA91
UserProfile, xrefs: 0040DB58
\SysWOW64, xrefs: 0040DB00

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: aa652be1f29e0a7c33d43a87d655e5c017c40b6912c980d0cec9b2528de70772
Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
Opcode Fuzzy Hash: aa652be1f29e0a7c33d43a87d655e5c017c40b6912c980d0cec9b2528de70772
Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2C3 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF

Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2

StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,(V,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C

Strings

(64 bit), xrefs: 0041B368
ProductName, xrefs: 0041B2D2
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041B2D7, 0041B2E1, 0041B322
CurrentBuildNumber, xrefs: 0041B31D
(V, xrefs: 0041B2CA
(32 bit), xrefs: 0041B36F

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID: (32 bit)$ (64 bit)$(V$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 782494840-1025170727
Opcode ID: 8ad9b4a9319c0ce8e08ab0eef02bf2d7836f92b3666c7b1e2c0131a55ef00c42
Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
Opcode Fuzzy Hash: 8ad9b4a9319c0ce8e08ab0eef02bf2d7836f92b3666c7b1e2c0131a55ef00c42
Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

Uniqueness

Uniqueness Score: -1.00%

Function 00415AEA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?), ref: 00415B0F
GetTickCount.KERNEL32 ref: 00415B86

Strings

NG, xrefs: 00415B3E
!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: !D@$NG
API String ID: 180926312-2721294649
Opcode ID: d89f4e7666c86353a320844bfa4086d85ed4db57ae5acb0d94645bf4c67511cf
Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
Opcode Fuzzy Hash: d89f4e7666c86353a320844bfa4086d85ed4db57ae5acb0d94645bf4c67511cf
Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A

Uniqueness

Uniqueness Score: -1.00%

Function 0041376F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.3 Pro), ref: 004137A6
RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,4.9.3 Pro), ref: 004137B1

Strings

pth_unenc, xrefs: 00413773

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
Opcode Fuzzy Hash: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404CC3 Relevance: 6.1, APIs: 4, Instructions: 121
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
FindCloseChangeNotification.KERNEL32(00000000,?,00000000), ref: 00404DDB

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
String ID:
API String ID: 2579639479-0
Opcode ID: ceb3114af3113f3e51a28b58c6f931136764174e6725d3240f6aeee7034d4dad
Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
Opcode Fuzzy Hash: ceb3114af3113f3e51a28b58c6f931136764174e6725d3240f6aeee7034d4dad
Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

Uniqueness

Uniqueness Score: -1.00%

Function 0040D069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
GetLastError.KERNEL32 ref: 0040D083

Strings

%VR^&bty-4RZCYZ, xrefs: 0040D069

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: %VR^&bty-4RZCYZ
API String ID: 1925916568-4015424174
Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

Uniqueness

Uniqueness Score: -1.00%

Function 00404AA1 Relevance: 4.6, APIs: 3, Instructions: 93
synchronizationnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitsend
String ID:
API String ID: 3963590051-0
Opcode ID: 778a05176575217d70e804aa02ba2bb4ca6cce75f32be32a141a68c09f8a03c8
Instruction ID: 83b425c638d75041f18e819343fb0b0c123ba7f8272f9a3a5816098776915250
Opcode Fuzzy Hash: 778a05176575217d70e804aa02ba2bb4ca6cce75f32be32a141a68c09f8a03c8
Instruction Fuzzy Hash: A52126B2900119BBCB04ABA1DC95DEE773CFF14314B00452BF515B21E2EE79AA15C6A4

Uniqueness

Uniqueness Score: -1.00%

Function 004135A6 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
RegCloseKey.KERNEL32(?), ref: 004135F2

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
Opcode Fuzzy Hash: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004136F8 Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
RegCloseKey.KERNEL32(00000000), ref: 00413738

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044F3DD Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044F3E1
_free.LIBCMT ref: 0044F41A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F421

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: f3c2c49517413e8eabdba28df60095274e0f4285ab7e88089faf331cb05c3344
Instruction ID: a95b0472bde791e81118f5b212bf6f07b4125f005b99c6aef0626ee370485fe8
Opcode Fuzzy Hash: f3c2c49517413e8eabdba28df60095274e0f4285ab7e88089faf331cb05c3344
Instruction Fuzzy Hash: 50E06577144A216BB211362A7C49D6F2A18DFD67BA727013BF45486143DE288D0641FA

Uniqueness

Uniqueness Score: -1.00%

Function 00413549 Relevance: 4.5, APIs: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
RegCloseKey.KERNEL32(?), ref: 00413592

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94

Uniqueness

Uniqueness Score: -1.00%

Function 004134FF Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
RegCloseKey.KERNEL32(?,?,?,0040C19C,00466C48), ref: 00413535

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00413877 Relevance: 4.5, APIs: 3, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798

Uniqueness

Uniqueness Score: -1.00%

Function 00404B96 Relevance: 4.5, APIs: 3, Instructions: 28synchronizationnetworkCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
recv.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404BDA

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitrecv
String ID:
API String ID: 311754179-0
Opcode ID: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
Instruction ID: 1d69a7fd2e689c68354a0251ffa64299bfe08f5f9c70e8df09ea9ad7bb005133
Opcode Fuzzy Hash: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
Instruction Fuzzy Hash: 00F08236108213FFD7059F10EC09E4AFB62FB84721F10862AF510522B08771FC21DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00409DE4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409DFD

Strings

pQG, xrefs: 00409E2D

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID: pQG
API String ID: 176396367-3769108836
Opcode ID: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
Opcode Fuzzy Hash: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041B7B6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA

Strings

@, xrefs: 0041B7C0

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040482D Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 00404852
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E

Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040165E Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA96 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0041BAB8
GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 00446137 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF

Uniqueness

Uniqueness Score: -1.00%

Function 0040489E Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 004048B3

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00407C97 Relevance: 44.6, APIs: 10, Strings: 15, Instructions: 835filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00407CB9
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
DeleteFileW.KERNEL32(00000000), ref: 00407DA9

Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
DeleteFileA.KERNEL32(?), ref: 00408652

Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF

Sleep.KERNEL32(000007D0), ref: 004086F8
StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A

Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7

Strings

Deleted file: , xrefs: 00407DC8
XPG, xrefs: 004082E7
XPG, xrefs: 00408718
Unable to delete: , xrefs: 00407E07
Executing file: , xrefs: 004081AD
Downloaded file: , xrefs: 0040802E
Unable to rename file!, xrefs: 00408413
Browsing directory: , xrefs: 00408238
open, xrefs: 00408191
NG, xrefs: 00407CE5
(PG, xrefs: 004081F2
XPG, xrefs: 00407DED
Downloading file: , xrefs: 00407F7D
XPG, xrefs: 00408430
Failed to download file: , xrefs: 004080A5

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
API String ID: 1067849700-181434739
Opcode ID: ba0348ee6b73155157fb9b6e468fbe911bccdd51d5321804534e068badcf2fa8
Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
Opcode Fuzzy Hash: ba0348ee6b73155157fb9b6e468fbe911bccdd51d5321804534e068badcf2fa8
Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B

Uniqueness

Uniqueness Score: -1.00%

Function 0040569A Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056E6

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

__Init_thread_footer.LIBCMT ref: 00405723
CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
TerminateProcess.KERNEL32(00000000), ref: 00405A17
CloseHandle.KERNEL32 ref: 00405A23
CloseHandle.KERNEL32 ref: 00405A2B
CloseHandle.KERNEL32 ref: 00405A3D
CloseHandle.KERNEL32 ref: 00405A45

Strings

0lG, xrefs: 00405954
0lG, xrefs: 00405A2D
0lG, xrefs: 004056D0
SystemDrive, xrefs: 00405761
kG, xrefs: 004057DB
0lG, xrefs: 00405988
0lG, xrefs: 0040585A
cmd.exe, xrefs: 0040574D

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
API String ID: 2994406822-18413064
Opcode ID: e195c35a70fd06facb6c9a798aafc844510a3b271cd4bea1d832d5012f169b93
Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
Opcode Fuzzy Hash: e195c35a70fd06facb6c9a798aafc844510a3b271cd4bea1d832d5012f169b93
Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00412117 Relevance: 28.2, APIs: 6, Strings: 10, Instructions: 227threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
CloseHandle.KERNEL32(00000000), ref: 00412155
CreateThread.KERNEL32(00000000,00000000,Function_000127EE,00000000,00000000,00000000), ref: 004121AB
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A

Strings

\SysWOW64\, xrefs: 00412261
WinDir, xrefs: 0041221B, 00412270
Watchdog module activated, xrefs: 00412184, 004123DC
svchost.exe, xrefs: 004122C5
\system32\, xrefs: 00412209
rmclient.exe, xrefs: 004122EA
fsutil.exe, xrefs: 0041230F
Remcos restarted by watchdog!, xrefs: 00412160
Watchdog launch failed!, xrefs: 00412383
WDH, xrefs: 004121B5, 004121BB, 00412420

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseCreateOpen$HandleMutexProcessThreadValue
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 261377708-13974260
Opcode ID: f5863e728546d794f483388620a9ba98951bb2a7d5e86a395bbd2eac8edf96d1
Instruction ID: 5044532447ce4e70f722e285ad7bc5f912dfeea71c25201e33dbc8cc77036b6f
Opcode Fuzzy Hash: f5863e728546d794f483388620a9ba98951bb2a7d5e86a395bbd2eac8edf96d1
Instruction Fuzzy Hash: 8171823160430167C618FB72CD579AE73A4AED0308F50057FF546A61E2FFBC9949C69A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB30 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
FindClose.KERNEL32(00000000), ref: 0040BBC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
FindClose.KERNEL32(00000000), ref: 0040BD12

Strings

\key3.db, xrefs: 0040BC76
[Firefox StoredLogins not found], xrefs: 0040BBD4
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BB52
[Firefox StoredLogins Cleared!], xrefs: 0040BCFF
\logins.json, xrefs: 0040BC34
UserProfile, xrefs: 0040BB60

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: f67c7b742204fdc5d77f255c0325554f1dfd1f76d2e9b6ee77996e0de3cbfab6
Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
Opcode Fuzzy Hash: f67c7b742204fdc5d77f255c0325554f1dfd1f76d2e9b6ee77996e0de3cbfab6
Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89

Uniqueness

Uniqueness Score: -1.00%

Function 004168C1 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004168C2
EmptyClipboard.USER32 ref: 004168D0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
GlobalLock.KERNEL32(00000000), ref: 004168F9
GlobalUnlock.KERNEL32(00000000), ref: 0041692F
SetClipboardData.USER32(0000000D,00000000), ref: 00416938
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32(0000000D), ref: 0041696C
GlobalLock.KERNEL32(00000000), ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

hdF, xrefs: 0041698C
!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID: !D@$hdF
API String ID: 3520204547-3475379602
Opcode ID: e66c59823327cf4acbf01a6e1b07da69e7b75eeac6ee79e0da8023ac416dd7c5
Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
Opcode Fuzzy Hash: e66c59823327cf4acbf01a6e1b07da69e7b75eeac6ee79e0da8023ac416dd7c5
Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F474 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,(V,?,00475338), ref: 0040F48E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E

Strings

ieinstal.exe, xrefs: 0040F6D5
hdF, xrefs: 0040F569
hdF, xrefs: 0040F5DB
(V, xrefs: 0040F483
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040F6BE
ielowutil.exe, xrefs: 0040F716
Inj, xrefs: 0040F769

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: (V$C:\Program Files(x86)\Internet Explorer\$Inj$hdF$hdF$ieinstal.exe$ielowutil.exe
API String ID: 3756808967-2977724225
Opcode ID: 5a2294e59db7c27b7807dc3d136ce10c94905aa7ef5ac5238dac54e749f80625
Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
Opcode Fuzzy Hash: 5a2294e59db7c27b7807dc3d136ce10c94905aa7ef5ac5238dac54e749f80625
Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD37 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
FindClose.KERNEL32(00000000), ref: 0040BDC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
FindClose.KERNEL32(00000000), ref: 0040BEAF
FindClose.KERNEL32(00000000), ref: 0040BED0

Strings

[Firefox Cookies not found], xrefs: 0040BDD4, 0040BE9C
\cookies.sqlite, xrefs: 0040BE2C
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BD52
[Firefox cookies found, cleared!], xrefs: 0040BEDF
UserProfile, xrefs: 0040BD60

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 5cc50f8fd21b53155f4fa546f2c7f68f14a55f9ccce602792c20db31142d2112
Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
Opcode Fuzzy Hash: 5cc50f8fd21b53155f4fa546f2c7f68f14a55f9ccce602792c20db31142d2112
Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E

Uniqueness

Uniqueness Score: -1.00%

Function 004132D2 Relevance: 18.2, APIs: 12, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
GetFileSize.KERNEL32(?,00000000), ref: 00413432
UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
CloseHandle.KERNEL32(00000000), ref: 0041345F
CloseHandle.KERNEL32(?), ref: 00413465

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingSizeUnmap
String ID:
API String ID: 297527592-0
Opcode ID: 7389cf943c6bcf248480826047218ee6b0a919d85f38051736b06d81fd75e68c
Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
Opcode Fuzzy Hash: 7389cf943c6bcf248480826047218ee6b0a919d85f38051736b06d81fd75e68c
Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E

Uniqueness

Uniqueness Score: -1.00%

Function 00419627 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 206COMMON

Download Yara Rule

Strings

2, xrefs: 004196F4
5, xrefs: 00419809
1, xrefs: 00419695
0, xrefs: 00419651
6, xrefs: 00419813
3, xrefs: 00419754
VG, xrefs: 0041968B
4, xrefs: 004197B8
7, xrefs: 0041982A

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7$VG
API String ID: 0-1861860590
Opcode ID: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
Opcode Fuzzy Hash: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004074FD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00407521
CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

Strings

{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00407516, 0040751B, 0040755A
Elevation:Administrator!new:, xrefs: 00407542
[+] CoGetObject, xrefs: 00407561
[+] ucmAllocateElevatedObject, xrefs: 00407508
[+] CoGetObject SUCCESS, xrefs: 00407595
[-] CoGetObject FAILURE, xrefs: 0040758E
$, xrefs: 0040753B

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A748 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
GetLastError.KERNEL32 ref: 0041A7BB
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: c2c0025c57c9184c186f90ff8c77a7af65f28d98b3056bfc8770941e6fbd2c57
Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
Opcode Fuzzy Hash: c2c0025c57c9184c186f90ff8c77a7af65f28d98b3056bfc8770941e6fbd2c57
Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00419AF5 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E

Strings

NG, xrefs: 00419B25
PXG, xrefs: 00419CC8
8SG, xrefs: 00419BEB
(eF, xrefs: 00419D6D
(V, xrefs: 00419BD5
PXG, xrefs: 00419E2E

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: (eF$(V$8SG$PXG$PXG$NG
API String ID: 341183262-436990355
Opcode ID: 8aa0571499403d58be1e130ca3da03e6fee7ca646c1bdb921da3abf0fdeeb52b
Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
Opcode Fuzzy Hash: 8aa0571499403d58be1e130ca3da03e6fee7ca646c1bdb921da3abf0fdeeb52b
Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C34D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
FindClose.KERNEL32(00000000), ref: 0040C47D
FindClose.KERNEL32(00000000), ref: 0040C4A8

Strings

\cookies.sqlite, xrefs: 0040C409
AppData, xrefs: 0040C358
\Mozilla\Firefox\Profiles\, xrefs: 0040C36E

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 778d0e55463469e3bd3f63c6ac431236a83d77e410adc205391174306d863ebc
Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
Opcode Fuzzy Hash: 778d0e55463469e3bd3f63c6ac431236a83d77e410adc205391174306d863ebc
Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D

Uniqueness

Uniqueness Score: -1.00%

Function 0041C291 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B

Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371

GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2B8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
GetLastError.KERNEL32 ref: 0040A2ED

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
TranslateMessage.USER32(?), ref: 0040A34A
DispatchMessageA.USER32(?), ref: 0040A355

Strings

Keylogger initialization failure: error , xrefs: 0040A301

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 565b5ccb6e78a691ec5ddd9f3789ed7e5c3552f9939a09d58bd2f2de98618cfb
Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
Opcode Fuzzy Hash: 565b5ccb6e78a691ec5ddd9f3789ed7e5c3552f9939a09d58bd2f2de98618cfb
Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3E0 Relevance: 12.1, APIs: 8, Instructions: 112keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 0040A416
GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
GetKeyboardLayout.USER32(00000000), ref: 0040A429
GetKeyState.USER32(00000010), ref: 0040A433
GetKeyboardState.USER32(?,?,00000000), ref: 0040A43E
ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 0040A461
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 0040A4FA

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID:
API String ID: 1888522110-0
Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00413FCA Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 382registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
GetProcAddress.KERNEL32(00000000), ref: 00414271

Strings

SHDeleteKeyW, xrefs: 00414260
Shlwapi.dll, xrefs: 00414265

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: fb7c7236340fcb0cc32af97ee5a51d4e65813ec50030604b1f4e5ed9fb5d0958
Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
Opcode Fuzzy Hash: fb7c7236340fcb0cc32af97ee5a51d4e65813ec50030604b1f4e5ed9fb5d0958
Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA

Uniqueness

Uniqueness Score: -1.00%

Function 00406EB0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0

Strings

open, xrefs: 00406FB6
C:\Users\user\Desktop\SYQV60EVo9.exe, xrefs: 00407007, 0040712F
aF, xrefs: 004070F1
aF, xrefs: 00406FE0

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: aF$ aF$C:\Users\user\Desktop\SYQV60EVo9.exe$open
API String ID: 2825088817-3147949544
Opcode ID: 66bde5b1840f9c527649eaf94ccad33dac10dc1a6f20fe2354d26b846e8214af
Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
Opcode Fuzzy Hash: 66bde5b1840f9c527649eaf94ccad33dac10dc1a6f20fe2354d26b846e8214af
Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B

Uniqueness

Uniqueness Score: -1.00%

Function 0040880C Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408811
FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
__CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15

Strings

hdF, xrefs: 00408834

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID: hdF
API String ID: 1771804793-665520524
Opcode ID: 390627094965f1798e55e015da18b83244ade312cf37f9ca5738f400f7c59cf5
Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
Opcode Fuzzy Hash: 390627094965f1798e55e015da18b83244ade312cf37f9ca5738f400f7c59cf5
Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004167B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D

ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
GetProcAddress.KERNEL32(00000000), ref: 00416872

Strings

PowrProf.dll, xrefs: 00416866
SetSuspendState, xrefs: 00416861
!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: !D@$PowrProf.dll$SetSuspendState
API String ID: 1589313981-2876530381
Opcode ID: 8ce191c967a42c787c9f60fc832cecced2ee4e9844afd20766cc7ce476c8f96f
Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
Opcode Fuzzy Hash: 8ce191c967a42c787c9f60fc832cecced2ee4e9844afd20766cc7ce476c8f96f
Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA12 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
GetLastError.KERNEL32 ref: 0040BA58

Strings

[Chrome StoredLogins not found], xrefs: 0040BA72
[Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
UserProfile, xrefs: 0040BA1E

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
Opcode Fuzzy Hash: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE

Uniqueness

Uniqueness Score: -1.00%

Function 00417952 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
OpenProcessToken.ADVAPI32(00000000), ref: 00417966
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
GetLastError.KERNEL32 ref: 0041799D

Strings

SeShutdownPrivilege, xrefs: 00417972

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00454159 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0045429F

Strings

1#QNAN, xrefs: 004554A5
1#SNAN, xrefs: 0045549E
1#INF, xrefs: 004554AC
1#IND, xrefs: 00455497

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: df2971786bbf8e496eef17942e665dfb4286cfe499c735b5cf4645abbbd9631d
Instruction ID: adbfc57a6ba9eb8fd61ef87ee4788d0f45260f030e03b769905361500cdb2a19
Opcode Fuzzy Hash: df2971786bbf8e496eef17942e665dfb4286cfe499c735b5cf4645abbbd9631d
Instruction Fuzzy Hash: EBC26E71E046288FDB25CE28DD407EAB3B5EB85306F1541EBD80DE7241E778AE898F45

Uniqueness

Uniqueness Score: -1.00%

Function 00409253 Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409258

Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

__CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
FindClose.KERNEL32(00000000), ref: 004093C1

Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C

FindClose.KERNEL32(00000000), ref: 004095B9

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
String ID:
API String ID: 1824512719-0
Opcode ID: 72b10921a7971adf5ef9a2979ca6100da9cf18bd27a86df75df8988b1f649e25
Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
Opcode Fuzzy Hash: 72b10921a7971adf5ef9a2979ca6100da9cf18bd27a86df75df8988b1f649e25
Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA4A Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 38ff3efd75794608fc7efc6ab14161dff6b0215efc9cafdd27725548e5e732cb
Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
Opcode Fuzzy Hash: 38ff3efd75794608fc7efc6ab14161dff6b0215efc9cafdd27725548e5e732cb
Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9

Uniqueness

Uniqueness Score: -1.00%

Function 0045243C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 004524D5
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004524FE
GetACP.KERNEL32 ref: 00452513

Strings

ACP, xrefs: 0045245A
OCP, xrefs: 00452490

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398

Uniqueness

Uniqueness Score: -1.00%

Function 0040783C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

XPG, xrefs: 0040793A
XPG, xrefs: 00407877
(eF, xrefs: 004078A0

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: (eF$XPG$XPG
API String ID: 4113138495-1496965907
Opcode ID: b7a6a647542a969cd037d0eb723fdddc811f13e057d1182a449fff4599d7b841
Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
Opcode Fuzzy Hash: b7a6a647542a969cd037d0eb723fdddc811f13e057d1182a449fff4599d7b841
Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3

Strings

SETTINGS, xrefs: 0041B4AC

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409665 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040966A
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: ee1845b0ef5c607cfd4356d03837d6fe25fba8810e880e90ca5809c6b8fe6ab1
Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
Opcode Fuzzy Hash: ee1845b0ef5c607cfd4356d03837d6fe25fba8810e880e90ca5809c6b8fe6ab1
Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00452610 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetUserDefaultLCID.KERNEL32 ref: 0045271C
IsValidCodePage.KERNEL32(00000000), ref: 00452777
IsValidLocale.KERNEL32(?,00000001), ref: 00452786
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004527ED

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041C9E2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7

Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.3 Pro), ref: 004137A6
Part of subcall function 0041376F: RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,4.9.3 Pro), ref: 004137B1

Strings

TileWallpaper, xrefs: 0041CAC1
Control Panel\Desktop, xrefs: 0041CA1D, 0041CA50, 0041CAA0
WallpaperStyle, xrefs: 0041CA22, 0041CA55, 0041CAA5

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 83e8efec2716ceb83164fa55b769f2df0e481ae1f01e026661163cd9be6e0e41
Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
Opcode Fuzzy Hash: 83e8efec2716ceb83164fa55b769f2df0e481ae1f01e026661163cd9be6e0e41
Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF

Uniqueness

Uniqueness Score: -1.00%

Function 00451CD8 Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

IsValidCodePage.KERNEL32(00000000), ref: 00451DBA
_wcschr.LIBVCRUNTIME ref: 00451E4A
_wcschr.LIBVCRUNTIME ref: 00451E58
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451EFB

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: d51387d99b1e6b249aff8f61d3989bee7608b3a62aead1fc41d833bb042b57a0
Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
Opcode Fuzzy Hash: d51387d99b1e6b249aff8f61d3989bee7608b3a62aead1fc41d833bb042b57a0
Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769

Uniqueness

Uniqueness Score: -1.00%

Function 004493AD Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004493BD

Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

GetTimeZoneInformation.KERNEL32 ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 00449474

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 633092c3bba77b0065560d4fdbd9d9f897920caf7f9bf618c5d01735725c6ecb
Instruction ID: 1863d2ad967fb4723a60e4ea427cb143a9fbff6035582c54e6546b9b7662ab80
Opcode Fuzzy Hash: 633092c3bba77b0065560d4fdbd9d9f897920caf7f9bf618c5d01735725c6ecb
Instruction Fuzzy Hash: E1312570908201EFDB18DF69DE8086EBBB8FF0572071442AFE054973A1D3748D42DB18

Uniqueness

Uniqueness Score: -1.00%

Function 004520C3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: efce462eab54bf8eb2a2b6f9a4d43eb8e53eecd25de09d2246b00390d92e3d5e
Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
Opcode Fuzzy Hash: efce462eab54bf8eb2a2b6f9a4d43eb8e53eecd25de09d2246b00390d92e3d5e
Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043BB22 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0043BC1A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48

Uniqueness

Uniqueness Score: -1.00%

Function 00433837 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00000000), ref: 00433849
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C

Uniqueness

Uniqueness Score: -1.00%

Function 004432B5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
ExitProcess.KERNEL32 ref: 004432EF

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98

Uniqueness

Uniqueness Score: -1.00%

Function 0040B70E Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040B711
GetClipboardData.USER32(0000000D), ref: 0040B71D
CloseClipboard.USER32 ref: 0040B725

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 0041BB09 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
CloseHandle.KERNEL32(00000000,?,?,00415FFF,00000000), ref: 0041BB2A

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenSuspend
String ID:
API String ID: 1999457699-0
Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 0041BB35 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
CloseHandle.KERNEL32(00000000,?,?,00416024,00000000), ref: 0041BB56

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenResume
String ID:
API String ID: 3614150671-0
Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4

Uniqueness

Uniqueness Score: -1.00%

Function 004488ED Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940

Strings

GetLocaleInfoEx, xrefs: 00448908

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E

Uniqueness

Uniqueness Score: -1.00%

Function 004461F0 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00412077 Relevance: 2.6, APIs: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
Opcode Fuzzy Hash: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0045332B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00453326,?,?,00000008,?,?,004561DD,00000000), ref: 00453558

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
Instruction ID: ef9cfcefdd20db456822e604066c987cb5d00f1002a97bdaec88d2537339d9b1
Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
Instruction Fuzzy Hash: 40B16C311106089FD715CF28C48AB657BE0FF053A6F258659EC9ACF3A2C739DA96CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00433946 Relevance: 1.8, Strings: 1, Instructions: 501COMMON

Download Yara Rule

Strings

0, xrefs: 00433952

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
Instruction ID: aa2317f629b7fe23c078ec1ce6c5eb8ae6c7f7e5ba67e2b2e47e92e01b9ebfde
Opcode Fuzzy Hash: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
Instruction Fuzzy Hash: A4126F32B083008BD714EF6AD851A1FB3E2BFCC758F15892EF585A7391DA34E9058B46

Uniqueness

Uniqueness Score: -1.00%

Function 00434C52 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00452313 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00451F9B Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(004520C3,00000001), ref: 0045200D

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 92dc4731b164c5dad593997b290ced1c322b4c5a654dbafbc59ecf52729822b9
Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
Opcode Fuzzy Hash: 92dc4731b164c5dad593997b290ced1c322b4c5a654dbafbc59ecf52729822b9
Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00452543 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
Opcode Fuzzy Hash: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698

Uniqueness

Uniqueness Score: -1.00%

Function 00452036 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00452313,00000001), ref: 00452082

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 80e5df12ac25632c7280d140c15a53509e07ecbf1c9f73c72f1a6f69193256f5
Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
Opcode Fuzzy Hash: 80e5df12ac25632c7280d140c15a53509e07ecbf1c9f73c72f1a6f69193256f5
Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604

Uniqueness

Uniqueness Score: -1.00%

Function 00448404 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897

EnumSystemLocalesW.KERNEL32(Function_000483BE,00000001,0046EAD0,0000000C), ref: 0044843C

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09

Uniqueness

Uniqueness Score: -1.00%

Function 00451F50 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00451EA7,00000001), ref: 00451F87

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754

Uniqueness

Uniqueness Score: -1.00%

Function 00434B47 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0043E0CC Relevance: 1.5, Strings: 1, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 0043E23C

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction ID: cdd912994a32e16cda9accbda93f1ea0618352901e275441ec4d65c4c105c2b3
Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction Fuzzy Hash: 9C514771603648A7DF3489AB88567BF63899B0E344F18394BD882C73C3C62DED02975E

Uniqueness

Uniqueness Score: -1.00%

Function 00427A46 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

@, xrefs: 00427A9D

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
Instruction ID: e4f6ca204f58efd2523fb0dbef6dba8f744ce0bfcff40a2940ff04dc0a880f4e
Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
Instruction Fuzzy Hash: A841FB75A187558BC340CF29C58061BFBE1FFD8318F655A1EF889A3350D375E9428B86

Uniqueness

Uniqueness Score: -1.00%

Function 0044D9C9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da51411db3bde963f465f05a0d8b0dbce9b500299d5c90620e57fed4b77625f
Instruction ID: ecf94096385373c2e9f2c5c276bef480e2dc0267d4a411ba40625ecd8b408152
Opcode Fuzzy Hash: 5da51411db3bde963f465f05a0d8b0dbce9b500299d5c90620e57fed4b77625f
Instruction Fuzzy Hash: 7F323831D69F014DE7239A35C862336A289BFB73C5F15D737F816B5AAAEB28C4834105

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0FA Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4864b27d88de382483843fe1db909133c688b67c113739af0c1ea374bb11c7
Instruction ID: 709358690f7fb2d2e3012b2358c769367bf3ff6314f01af24d3ecfcd65fe7181
Opcode Fuzzy Hash: 0a4864b27d88de382483843fe1db909133c688b67c113739af0c1ea374bb11c7
Instruction Fuzzy Hash: 443290716087459BD715DE28C4807AAB7E1BF84318F044A3EF89587392D778DD8BCB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0042739D Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41a5a7a899c2c5ffe641ad63b885c2af5ab7072673c771f4bdde5d7e27c8b4e
Instruction ID: c5d71c01a3a4c2ba568a1e95f45065819b1df519d68335ab1a8a94a68da0c1ef
Opcode Fuzzy Hash: f41a5a7a899c2c5ffe641ad63b885c2af5ab7072673c771f4bdde5d7e27c8b4e
Instruction Fuzzy Hash: 1002BFB17146519BC318CF2EEC8053AB7E1BB8D301745863EE495C7795EB34E922CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00426E0E Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab468733ab78125ba0c04a3e06e770d81fa6048f74458c9db32780a1fb096c70
Instruction ID: 4a18c9c21abf6ab3d0e9afb34562907cd60dbb70f6b305f111ae620774dcdf5c
Opcode Fuzzy Hash: ab468733ab78125ba0c04a3e06e770d81fa6048f74458c9db32780a1fb096c70
Instruction Fuzzy Hash: 42F18C716142559FC304DF1EE89182BB3E1FB89301B450A2EF5C2C7391DB79EA16CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00437D33 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: b3ba5b81110409d95a5723b53b6c8744913893e641e186edab39e166e1bc966b
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 7DC1B1723091930ADF2D4A3D853453FFBA15AA57B171A275FE8F2CB2C1EE18C524D524

Uniqueness

Uniqueness Score: -1.00%

Function 00438168 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 7f684bb0481695d58232a2b0d47c85f4cbd32b92c5f53758fc2a28b9861b6fac
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: EAC1C5723092930ADF2D463D853453FFBA15AA57B171A275EE8F2CB2C5FE28C524C614

Uniqueness

Uniqueness Score: -1.00%

Function 004378FE Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: b4bbf9256ac03f5d23606f900b1ff113549fac5ad7a5b3908127750d008d8003
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: FDC1B0B230D1930ADB3D4A3D953453FBBA15AA63B171A275ED8F2CB2C1FE18C524D624

Uniqueness

Uniqueness Score: -1.00%

Function 004374E6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: c0cc860fb011aaa8bec1e183ca1ba44e4399d72b3d9d4532b0ef978257cdf629
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 08C1A0B230D1930ADB3D463D853853FBBA15AA67B171A276ED8F2CB2C1FE18C524D614

Uniqueness

Uniqueness Score: -1.00%

Function 0041DB62 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e161149dfcfde14b0cd5a29c2f169de042b37c027391bcdbe844d1d06cbdb277
Instruction ID: 79373b44a76dcf5e8091c0b891bec819a00bcae964dee749e010b71610d2b526
Opcode Fuzzy Hash: e161149dfcfde14b0cd5a29c2f169de042b37c027391bcdbe844d1d06cbdb277
Instruction Fuzzy Hash: F7B1A5795142998ACF05EF28C4913F63BA1EF6A300F4851B9EC9DCF757D2398506EB24

Uniqueness

Uniqueness Score: -1.00%

Function 0043E2FB Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912b91bcee59c5ac73c124bb0811566e2b40e5b970351445414cbd9e4b54fd2a
Instruction ID: 9176630f27626b4b14444871c43cfb7a364794bde640040d1d9abeeee83df0d0
Opcode Fuzzy Hash: 912b91bcee59c5ac73c124bb0811566e2b40e5b970351445414cbd9e4b54fd2a
Instruction Fuzzy Hash: E1614531602709E6EF349A2B48917BF2395AB1D304F58341BED42DB3C1D55DED428A1E

Uniqueness

Uniqueness Score: -1.00%

Function 0043E558 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b1042308d2b4dc2ea763a701fecb4f21cb89e1eeb5fcb47da04713de909616
Instruction ID: c8a25274eb6ace22fd939f207aba0bb726f52b15d0dfb3f1b2e2615f3a586ecc
Opcode Fuzzy Hash: c6b1042308d2b4dc2ea763a701fecb4f21cb89e1eeb5fcb47da04713de909616
Instruction Fuzzy Hash: B2619C71602609A6DA34496B8893BBF6394EB6D308F94341BE443DB3C1E61DEC43875E

Uniqueness

Uniqueness Score: -1.00%

Function 0043DE9D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction ID: b97fed3bff06dc01e1c808345b9e1576e5435f58d5e0cb17a963d6e43aa39459
Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction Fuzzy Hash: C8516A21E01A4496DB38892964D67BF67A99B1E304F18390FE443CB7C2C64DED06C35E

Uniqueness

Uniqueness Score: -1.00%

Function 00427BAF Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628fd2d23e3b9e8eddda9414cca102861cb20c2ab21f2c1c82199380d97b1b87
Instruction ID: 96b5c22f40dc969dc1399d427f9382315b517a9523814fa291cced01a0c32d8b
Opcode Fuzzy Hash: 628fd2d23e3b9e8eddda9414cca102861cb20c2ab21f2c1c82199380d97b1b87
Instruction Fuzzy Hash: 5B617E72A083059FC304DF35D581A5FB7E5AFCC318F510E2EF499D6151EA35EA088B86

Uniqueness

Uniqueness Score: -1.00%

Function 00438770 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 78f0f7b5b7642c22d8ee35c169576c4e0068381375f86828a5140fd971b96714
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 9311E6BB24034143D6088A2DCCB85B7E797EADD321F7D626FF0424B758DB2AA9459608

Uniqueness

Uniqueness Score: -1.00%

Function 00418E76 Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 328windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
CreateCompatibleDC.GDI32(00000000), ref: 00418E9D

Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
DeleteDC.GDI32(00000000), ref: 00418F2A
DeleteDC.GDI32(00000000), ref: 00418F2D
DeleteObject.GDI32(00000000), ref: 00418F30
SelectObject.GDI32(00000000,00000000), ref: 00418F51
DeleteDC.GDI32(00000000), ref: 00418F62
DeleteDC.GDI32(00000000), ref: 00418F65
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
GetCursorInfo.USER32(?), ref: 00418FA7
GetIconInfo.USER32(?,?), ref: 00418FBD
DeleteObject.GDI32(?), ref: 00418FEC
DeleteObject.GDI32(?), ref: 00418FF9
DrawIcon.USER32(00000000,?,?,?), ref: 00419006
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
DeleteDC.GDI32(?), ref: 0041917C
DeleteDC.GDI32(00000000), ref: 0041917F
DeleteObject.GDI32(00000000), ref: 00419182
GlobalFree.KERNEL32(?), ref: 0041918D
DeleteObject.GDI32(00000000), ref: 00419241
GlobalFree.KERNEL32(?), ref: 00419248
DeleteDC.GDI32(?), ref: 00419258
DeleteDC.GDI32(00000000), ref: 00419263

Strings

DISPLAY, xrefs: 00418E89

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 4256916514-865373369
Opcode ID: f392394fe482629c540e7e64cf6a4c742858ec4acf93355850be4a976d5cc3ae
Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
Opcode Fuzzy Hash: f392394fe482629c540e7e64cf6a4c742858ec4acf93355850be4a976d5cc3ae
Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D420 Relevance: 49.3, APIs: 6, Strings: 22, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
ExitProcess.KERNEL32 ref: 0040D7D0

Strings

fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D773
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D471
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D4C2
Temp, xrefs: 0040D580
"), xrefs: 0040D5D5
fso.DeleteFolder ", xrefs: 0040D6AB
""", 0, xrefs: 0040D6E7
0qF, xrefs: 0040D737, 0040D778, 0040D661, 0040D68E
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D5AA
open, xrefs: 0040D7BE
wend, xrefs: 0040D689
dMG, xrefs: 0040D45B
0qF, xrefs: 0040D78C, 0040D797
hdF, xrefs: 0040D54D
hpF, xrefs: 0040D62C
\update.vbs, xrefs: 0040D57B
On Error Resume Next, xrefs: 0040D5B9
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D701
fso.DeleteFile ", xrefs: 0040D63A
bnupgxp, xrefs: 0040D4F7
8SG, xrefs: 0040D4CF
while fso.FileExists(", xrefs: 0040D5EC

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$bnupgxp$dMG$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$wend$while fso.FileExists("
API String ID: 1861856835-3142525146
Opcode ID: fee8ff9718fb40c9beafe4bb2eefbd291afa4f5ad22c135011e1b35f2f9dc20b
Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
Opcode Fuzzy Hash: fee8ff9718fb40c9beafe4bb2eefbd291afa4f5ad22c135011e1b35f2f9dc20b
Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E

Uniqueness

Uniqueness Score: -1.00%

Function 004180EF Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
GetProcAddress.KERNEL32(00000000), ref: 00418139
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
GetProcAddress.KERNEL32(00000000), ref: 0041814D
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
GetProcAddress.KERNEL32(00000000), ref: 00418161
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
GetProcAddress.KERNEL32(00000000), ref: 00418175
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
GetThreadContext.KERNEL32(?,00000000), ref: 00418245
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
TerminateProcess.KERNEL32(?,00000000), ref: 00418301
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
SetThreadContext.KERNEL32(?,00000000), ref: 00418428
ResumeThread.KERNEL32(?), ref: 00418435
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
GetCurrentProcess.KERNEL32(?), ref: 00418457
TerminateProcess.KERNEL32(?,00000000), ref: 00418472
GetLastError.KERNEL32 ref: 0041847A

Strings

ZwClose, xrefs: 00418163
ZwUnmapViewOfSection, xrefs: 0041814F
ZwCreateSection, xrefs: 0041811C
ntdll, xrefs: 00418121, 00418140, 00418154, 00418168
ZwMapViewOfSection, xrefs: 0041813B

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D096 Relevance: 44.0, APIs: 6, Strings: 19, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
ExitProcess.KERNEL32 ref: 0040D419

Strings

fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D3C1
.vbs, xrefs: 0040D201
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D0E7
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D138
Temp, xrefs: 0040D246
8SG, xrefs: 0040D15E
"), xrefs: 0040D2B1
fso.DeleteFolder ", xrefs: 0040D38A
hpF, xrefs: 0040D38F
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D285
open, xrefs: 0040D40C
wend, xrefs: 0040D364
pth_unenc, xrefs: 0040D09C
On Error Resume Next, xrefs: 0040D294
fso.DeleteFile ", xrefs: 0040D315
dMG, xrefs: 0040D0D1
bnupgxp, xrefs: 0040D181
hdF, xrefs: 0040D1BE
while fso.FileExists(", xrefs: 0040D2C8

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$bnupgxp$dMG$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-1685291368
Opcode ID: 4b4a4e1b4e3b5756a36c8647b5f37cacc16024b06e010f5374005e12c290012d
Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
Opcode Fuzzy Hash: 4b4a4e1b4e3b5756a36c8647b5f37cacc16024b06e010f5374005e12c290012d
Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E

Uniqueness

Uniqueness Score: -1.00%

Function 00412475 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,(V,00000003), ref: 00412494
ExitProcess.KERNEL32(00000000), ref: 004124A0
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
CloseHandle.KERNEL32(00000000), ref: 0041253B
GetCurrentProcessId.KERNEL32 ref: 00412541
PathFileExistsW.SHLWAPI(?), ref: 00412572
GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
lstrcatW.KERNEL32(?,.exe), ref: 00412601

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
Sleep.KERNEL32(000001F4), ref: 00412682
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
CloseHandle.KERNEL32(00000000), ref: 004126A9
GetCurrentProcessId.KERNEL32 ref: 004126AF

Strings

open, xrefs: 0041263B
.exe, xrefs: 004125F5
(V, xrefs: 0041247F
8SG, xrefs: 004124A6
bnupgxp, xrefs: 004124CC
temp_, xrefs: 004125E3
WDH, xrefs: 00412548, 004126B6

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: (V$.exe$8SG$WDH$bnupgxp$open$temp_
API String ID: 2649220323-3731402704
Opcode ID: 4f95786cf2f2c00e5bb866ed93791c3a94b5cceb6ba25eb1f7637f0f1d303f44
Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
Opcode Fuzzy Hash: 4f95786cf2f2c00e5bb866ed93791c3a94b5cceb6ba25eb1f7637f0f1d303f44
Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B047 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
SetEvent.KERNEL32 ref: 0041B219
WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
CloseHandle.KERNEL32 ref: 0041B23A
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266

Strings

play audio, xrefs: 0041B14B
close audio, xrefs: 0041B261
resume audio, xrefs: 0041B1E2
stopped, xrefs: 0041B202
pause audio, xrefs: 0041B1CA
open ", xrefs: 0041B0D0
alias audio, xrefs: 0041B0B8
status audio mode, xrefs: 0041B1F7
NG, xrefs: 0041B109, 0041B08B
stop audio, xrefs: 0041B257
" type , xrefs: 0041B0D5

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: d8e8c206765fb8c6cce3e10abac076b9acf238fed8b3c118489cf00483a7f27b
Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
Opcode Fuzzy Hash: d8e8c206765fb8c6cce3e10abac076b9acf238fed8b3c118489cf00483a7f27b
Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401A6D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7

Strings

RIFF, xrefs: 00401AFD
WAVE, xrefs: 00401B1D
data, xrefs: 00401BB1
fmt , xrefs: 00401B2D

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3

Uniqueness

Uniqueness Score: -1.00%

Function 00407270 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\SYQV60EVo9.exe,00000001,0040764D,C:\Users\user\Desktop\SYQV60EVo9.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
GetProcAddress.KERNEL32(00000000), ref: 0040728D
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
GetProcAddress.KERNEL32(00000000), ref: 004072A5
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
GetProcAddress.KERNEL32(00000000), ref: 004072B9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
GetProcAddress.KERNEL32(00000000), ref: 004072CD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
GetProcAddress.KERNEL32(00000000), ref: 004072E1
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
GetProcAddress.KERNEL32(00000000), ref: 004072F5

Strings

LdrEnumerateLoadedModules, xrefs: 004072EC
NtFreeVirtualMemory, xrefs: 004072B0
C:\Users\user\Desktop\SYQV60EVo9.exe, xrefs: 00407271
ntdll.dll, xrefs: 00407278, 00407283, 004072A1, 004072B5, 004072C9, 004072DD, 004072F1
NtAllocateVirtualMemory, xrefs: 0040729C
RtlInitUnicodeString, xrefs: 0040727E
RtlAcquirePebLock, xrefs: 004072C4
RtlReleasePebLock, xrefs: 004072D8

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Users\user\Desktop\SYQV60EVo9.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-2018605394
Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDF9 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040CE07
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,(V,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
CopyFileW.KERNEL32(C:\Users\user\Desktop\SYQV60EVo9.exe,00000000,00000000,00000000,00000000,00000000,?,(V,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
_wcslen.LIBCMT ref: 0040CEE6
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
CopyFileW.KERNEL32(C:\Users\user\Desktop\SYQV60EVo9.exe,00000000,00000000), ref: 0040CF84
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
_wcslen.LIBCMT ref: 0040CFC6
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,(V,0000000E), ref: 0040D02D
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
ExitProcess.KERNEL32 ref: 0040D062

Strings

open, xrefs: 0040D044
hdF, xrefs: 0040D035
6, xrefs: 0040CEDA
C:\Users\user\Desktop\SYQV60EVo9.exe, xrefs: 0040CE91, 0040CE96, 0040CEC9, 0040CF7E, 0040CF83, 0040CF8A, 0040CFEB
(V, xrefs: 0040CDFC
bom, xrefs: 0040CFF5

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: (V$6$C:\Users\user\Desktop\SYQV60EVo9.exe$bom$hdF$open
API String ID: 1579085052-2641466241
Opcode ID: 4f87b9d86e0d177ce47a61f674f44f3f48b1c9db7a96dc1323a3ea9f6ed17011
Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
Opcode Fuzzy Hash: 4f87b9d86e0d177ce47a61f674f44f3f48b1c9db7a96dc1323a3ea9f6ed17011
Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

Uniqueness

Uniqueness Score: -1.00%

Function 0041C01B Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041C036
_memcmp.LIBVCRUNTIME ref: 0041C04E
lstrlenW.KERNEL32(?), ref: 0041C067
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
lstrcmpW.KERNEL32(?,?), ref: 0041C114
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
_wcslen.LIBCMT ref: 0041C13B
FindVolumeClose.KERNEL32(?), ref: 0041C15B
GetLastError.KERNEL32 ref: 0041C173
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
lstrcatW.KERNEL32(?,?), ref: 0041C1B9
lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
GetLastError.KERNEL32 ref: 0041C1D0

Strings

?, xrefs: 0041C0CD

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 0044F42D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F4BF
_free.LIBCMT ref: 0044F4E5
_free.LIBCMT ref: 0044F50E
_free.LIBCMT ref: 0044F546
_free.LIBCMT ref: 0044F577
_free.LIBCMT ref: 0044F5B8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044F639
_free.LIBCMT ref: 0044F652
_wcschr.LIBVCRUNTIME ref: 0044F68F
_free.LIBCMT ref: 0044F6FB
_free.LIBCMT ref: 0044F721
_free.LIBCMT ref: 0044F74A
_free.LIBCMT ref: 0044F77F
_free.LIBCMT ref: 0044F7B0
_free.LIBCMT ref: 0044F7F1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F876
_free.LIBCMT ref: 0044F88F

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 138887d55368f9cf58208da3f492a4fc17d417063cec38a58e843e9613042db9
Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
Opcode Fuzzy Hash: 138887d55368f9cf58208da3f492a4fc17d417063cec38a58e843e9613042db9
Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799

Uniqueness

Uniqueness Score: -1.00%

Function 00412AB4 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 482sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587

Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
Sleep.KERNEL32(00000064), ref: 00412E94

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

NG, xrefs: 004130C1
/stext ", xrefs: 00412BAA, 00412C4C, 00412CEE
0TG, xrefs: 0041314C
0TG, xrefs: 00413026
NG, xrefs: 00412F6C

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$0TG$0TG$NG$NG
API String ID: 1223786279-2576077980
Opcode ID: 89a94b8c896a48b9abd92e3777bf29e17d021811548badae23ed776f81633e3e
Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
Opcode Fuzzy Hash: 89a94b8c896a48b9abd92e3777bf29e17d021811548badae23ed776f81633e3e
Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A

Uniqueness

Uniqueness Score: -1.00%

Function 00408B7A Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
__aulldiv.LIBCMT ref: 00408D4D

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
CloseHandle.KERNEL32(00000000), ref: 00408F64
CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
CloseHandle.KERNEL32(00000000), ref: 00408FFC

Strings

ReadFile error, xrefs: 00408FC8
Uploading file to Controller: , xrefs: 00408DD5
hdF, xrefs: 00408B9D
NG, xrefs: 00408C17
SetFilePointerEx error, xrefs: 00408FD4

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $hdF$NG
API String ID: 3086580692-1206044436
Opcode ID: 0e3b00f0d054dd9d4e65558b8748f047901974dbbd6c7312783ad86e8ae83a30
Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
Opcode Fuzzy Hash: 0e3b00f0d054dd9d4e65558b8748f047901974dbbd6c7312783ad86e8ae83a30
Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B

Uniqueness

Uniqueness Score: -1.00%

Function 0041D58F Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
GetCursorPos.USER32(?), ref: 0041D5E9
SetForegroundWindow.USER32(?), ref: 0041D5F2
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
ExitProcess.KERNEL32 ref: 0041D665
CreatePopupMenu.USER32 ref: 0041D66B
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680

Strings

Close, xrefs: 0041D671

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00445D56 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445DC6
_free.LIBCMT ref: 00445DDC
_free.LIBCMT ref: 00445DED
_free.LIBCMT ref: 00445DFE
_free.LIBCMT ref: 00445E15
GetCPInfo.KERNEL32(?,?), ref: 00445E5D

Part of subcall function 00452E74: _free.LIBCMT ref: 00452EDF

_free.LIBCMT ref: 00446009
_free.LIBCMT ref: 0044601C
_free.LIBCMT ref: 0044602A
_free.LIBCMT ref: 00446035
_free.LIBCMT ref: 00446077
_free.LIBCMT ref: 0044607F
_free.LIBCMT ref: 00446087
_free.LIBCMT ref: 0044608F
_free.LIBCMT ref: 0044609D

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
Opcode Fuzzy Hash: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040A726 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 0040A740

Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927

Strings

8SG, xrefs: 0040A802
pQG, xrefs: 0040A771
pQG, xrefs: 0040A761
(V, xrefs: 0040A7AC, 0040A907
hdF, xrefs: 0040A74D
8SG, xrefs: 0040A7F7

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: (V$8SG$8SG$hdF$pQG$pQG
API String ID: 3795512280-2429434489
Opcode ID: 1b86f33e2813ac9ce889fc21d85687f64281119cd91f5dea58d0e0166611a616
Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
Opcode Fuzzy Hash: 1b86f33e2813ac9ce889fc21d85687f64281119cd91f5dea58d0e0166611a616
Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7FF Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
ExitProcess.KERNEL32 ref: 0040D9C4

Strings

.vbs, xrefs: 0040D85F
open, xrefs: 0040D9B2
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040D967
Temp, xrefs: 0040D89A
8SG, xrefs: 0040D80F
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D8F9
""", 0, xrefs: 0040D8E1
bnupgxp, xrefs: 0040D831
hdF, xrefs: 0040D9A2

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$bnupgxp$hdF$open
API String ID: 1913171305-797107608
Opcode ID: 920a0537c73373d1fa928f529e957bf362437fc51c5983c7c145f5f31e510bcc
Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
Opcode Fuzzy Hash: 920a0537c73373d1fa928f529e957bf362437fc51c5983c7c145f5f31e510bcc
Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98

Uniqueness

Uniqueness Score: -1.00%

Function 00414D86 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
LoadLibraryA.KERNEL32(?), ref: 00414E17
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
FreeLibrary.KERNEL32(00000000), ref: 00414E3E
LoadLibraryA.KERNEL32(?), ref: 00414E76
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
FreeLibrary.KERNEL32(00000000), ref: 00414E8F
GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
FreeLibrary.KERNEL32(00000000), ref: 00414EB5

Strings

\ws2_32, xrefs: 00414DFF
\wship6, xrefs: 00414E5E
getaddrinfo, xrefs: 00414D93, 00414E31, 00414E82

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$getaddrinfo
API String ID: 2490988753-3078833738
Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE

Uniqueness

Uniqueness Score: -1.00%

Function 004512C6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0045130A

Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
Part of subcall function 00450502: _free.LIBCMT ref: 00450531
Part of subcall function 00450502: _free.LIBCMT ref: 00450543
Part of subcall function 00450502: _free.LIBCMT ref: 00450555
Part of subcall function 00450502: _free.LIBCMT ref: 00450567
Part of subcall function 00450502: _free.LIBCMT ref: 00450579
Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
Part of subcall function 00450502: _free.LIBCMT ref: 004505F7

_free.LIBCMT ref: 004512FF

Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00451321
_free.LIBCMT ref: 00451336
_free.LIBCMT ref: 00451341
_free.LIBCMT ref: 00451363
_free.LIBCMT ref: 00451376
_free.LIBCMT ref: 00451384
_free.LIBCMT ref: 0045138F
_free.LIBCMT ref: 004513C7
_free.LIBCMT ref: 004513CE
_free.LIBCMT ref: 004513EB
_free.LIBCMT ref: 00451403

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59

Uniqueness

Uniqueness Score: -1.00%

Function 00450600 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450648
_free.LIBCMT ref: 0045066C
_free.LIBCMT ref: 00450679
_free.LIBCMT ref: 0045069E
_free.LIBCMT ref: 004506AB
_free.LIBCMT ref: 004506B4
_free.LIBCMT ref: 00450992
_free.LIBCMT ref: 0045099A

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798

Uniqueness

Uniqueness Score: -1.00%

Function 00404E26 Relevance: 18.1, APIs: 12, Instructions: 65synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
closesocket.WS2_32(000000FF), ref: 00404E5A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00455BDB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6

GetLastError.KERNEL32 ref: 00455CEF
__dosmaperr.LIBCMT ref: 00455CF6
GetFileType.KERNEL32(00000000), ref: 00455D02
GetLastError.KERNEL32 ref: 00455D0C
__dosmaperr.LIBCMT ref: 00455D15
CloseHandle.KERNEL32(00000000), ref: 00455D35
CloseHandle.KERNEL32(?), ref: 00455E7F
GetLastError.KERNEL32 ref: 00455EB1
__dosmaperr.LIBCMT ref: 00455EB8

Strings

H, xrefs: 00455E3D

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 00450A25 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450A94
_free.LIBCMT ref: 00450AA2
_free.LIBCMT ref: 00450BD0
_free.LIBCMT ref: 00450BDB

Strings

\&G, xrefs: 00450C24
\&G, xrefs: 00450C1C
`&G, xrefs: 00450C34

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free
String ID: \&G$\&G$`&G
API String ID: 269201875-253610517
Opcode ID: 2933b358ac1f2d15da9e4f95fb537f888405f593b8ad3400f10d75b262a195a6
Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
Opcode Fuzzy Hash: 2933b358ac1f2d15da9e4f95fb537f888405f593b8ad3400f10d75b262a195a6
Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98

Uniqueness

Uniqueness Score: -1.00%

Function 00414BB0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 00414C60, 00414C68, 00414C6C
65535, xrefs: 00414BB3

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD6 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040AD38
Sleep.KERNEL32(000001F4), ref: 0040AD43
GetForegroundWindow.USER32 ref: 0040AD49
GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
Sleep.KERNEL32(000003E8), ref: 0040AE54

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

{ User has been idle for , xrefs: 0040AE86
minutes }, xrefs: 0040AE7A
], xrefs: 0040ADE8
[, xrefs: 0040ADEE

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: d30eded23f2d0b67c27111b0931e30ad0153d7368d4db81ea9f9fcff43b90795
Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
Opcode Fuzzy Hash: d30eded23f2d0b67c27111b0931e30ad0153d7368d4db81ea9f9fcff43b90795
Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

Uniqueness

Uniqueness Score: -1.00%

Function 00416940 Relevance: 17.5, APIs: 8, Strings: 2, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00416941
EmptyClipboard.USER32 ref: 0041694F
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32(0000000D), ref: 0041696C
GlobalLock.KERNEL32(00000000), ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

hdF, xrefs: 0041698C
!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID: !D@$hdF
API String ID: 2172192267-3475379602
Opcode ID: d2446446bc78ff156cd0a5b9c1ed5396e902ca05eeaaad5f80401f9e45e0f5b8
Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
Opcode Fuzzy Hash: d2446446bc78ff156cd0a5b9c1ed5396e902ca05eeaaad5f80401f9e45e0f5b8
Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69

Uniqueness

Uniqueness Score: -1.00%

Function 0043A83A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
__dosmaperr.LIBCMT ref: 0043A8A6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
__dosmaperr.LIBCMT ref: 0043A8E3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
__dosmaperr.LIBCMT ref: 0043A937
_free.LIBCMT ref: 0043A943
_free.LIBCMT ref: 0043A94A

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 019acc7a2e3de953c23e11cafa5877634505dff612e887b7d59a77d89ef25481
Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
Opcode Fuzzy Hash: 019acc7a2e3de953c23e11cafa5877634505dff612e887b7d59a77d89ef25481
Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00419FB4 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419FB9
GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
Sleep.KERNEL32(000003E8), ref: 0041A0FD
GetLocalTime.KERNEL32(?), ref: 0041A105
Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4

Strings

wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09A, 0041A0BB, 0041A129
time_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09F
(V, xrefs: 0041A016, 0041A0C9, 0041A1AD

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: (V$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-2787871309
Opcode ID: 74d135751b3a5a5dd2f0b0327ce2346d099fb9b4d0bdba82b7b527c99728bf6f
Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
Opcode Fuzzy Hash: 74d135751b3a5a5dd2f0b0327ce2346d099fb9b4d0bdba82b7b527c99728bf6f
Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799

Uniqueness

Uniqueness Score: -1.00%

Function 004054A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 004054BF
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
TranslateMessage.USER32(?), ref: 0040557E
DispatchMessageA.USER32(?), ref: 00405589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

CloseChat, xrefs: 00405609
GetMessage, xrefs: 004055F8
DisplayMessage, xrefs: 004055EC

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 4e03373af7eeeb9936375b269bef3945a6131de3e34cc77984f59bad7a7b41d8
Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
Opcode Fuzzy Hash: 4e03373af7eeeb9936375b269bef3945a6131de3e34cc77984f59bad7a7b41d8
Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00417CDF Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
CloseHandle.KERNEL32(00000000), ref: 00417DE5
DeleteFileA.KERNEL32(00000000), ref: 00417DF4
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

Temp, xrefs: 00417D00
0VG, xrefs: 00417DB5
<, xrefs: 00417D83
0VG, xrefs: 00417E21
@, xrefs: 00417D8A

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: 0VG$0VG$<$@$Temp
API String ID: 1704390241-2575729100
Opcode ID: 0e0595c1528403dfbc3bd7d0ff12dc6c712b705655a801e4077f90c78fb903f7
Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
Opcode Fuzzy Hash: 0e0595c1528403dfbc3bd7d0ff12dc6c712b705655a801e4077f90c78fb903f7
Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 00410E61 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
int.LIBCPMT ref: 00410E81

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 00410EC1
std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
__CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
__Init_thread_footer.LIBCMT ref: 00410F29

Strings

0kG, xrefs: 00410F31
,kG, xrefs: 00410F04
@!G, xrefs: 00410E79

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID: ,kG$0kG$@!G
API String ID: 3815856325-312998898
Opcode ID: 104655b219d7360bbd62e7af1339e96782af3c0a0346709f02f53ac4a63324da
Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
Opcode Fuzzy Hash: 104655b219d7360bbd62e7af1339e96782af3c0a0346709f02f53ac4a63324da
Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0041AB0D Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 7b2cf5faf853fa98289cc991659be0cbca7e258cea3468f32c8f6232fd3e676c
Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
Opcode Fuzzy Hash: 7b2cf5faf853fa98289cc991659be0cbca7e258cea3468f32c8f6232fd3e676c
Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA

Uniqueness

Uniqueness Score: -1.00%

Function 00448121 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448135

Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00448141
_free.LIBCMT ref: 0044814C
_free.LIBCMT ref: 00448157
_free.LIBCMT ref: 00448162
_free.LIBCMT ref: 0044816D
_free.LIBCMT ref: 00448178
_free.LIBCMT ref: 00448183
_free.LIBCMT ref: 0044818E
_free.LIBCMT ref: 0044819C

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5

Uniqueness

Uniqueness Score: -1.00%

Function 004114F5 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00411514
inet_ntoa.WS2_32(?), ref: 004115AF

Strings

GetDirectListeningPort, xrefs: 004116B2
NG, xrefs: 0041153A
StopReverse, xrefs: 004116A1
StartReverse, xrefs: 0041167F
StartForward, xrefs: 00411673
StopForward, xrefs: 00411690

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: 20528a15954f59aac111f9e7d943c93a7287b72f37baef0b959ea8c11a64da4c
Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
Opcode Fuzzy Hash: 20528a15954f59aac111f9e7d943c93a7287b72f37baef0b959ea8c11a64da4c
Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE

Uniqueness

Uniqueness Score: -1.00%

Function 00417495 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E

Sleep.KERNEL32(00000064), ref: 00417521
DeleteFileW.KERNEL32(00000000), ref: 00417555

Strings

\sysinfo.txt, xrefs: 004174A0
open, xrefs: 004174EF
temp, xrefs: 004174A5
/t , xrefs: 004174D4
dxdiag, xrefs: 004174EA

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 446d5803efde6a9f1d6c5190944227576de240e19d7a317c876067d7af06ff34
Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
Opcode Fuzzy Hash: 446d5803efde6a9f1d6c5190944227576de240e19d7a317c876067d7af06ff34
Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C

Uniqueness

Uniqueness Score: -1.00%

Function 004073AC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\SYQV60EVo9.exe), ref: 0040749E

Strings

explorer.exe, xrefs: 00407450, 0040747B
windir, xrefs: 004073EA
PEB: %x, xrefs: 004074AF
\explorer.exe, xrefs: 00407400
[-] NtAllocateVirtualMemory Error, xrefs: 0040743D
[+] NtAllocateVirtualMemory Success, xrefs: 00407410

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
Opcode Fuzzy Hash: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F

Uniqueness

Uniqueness Score: -1.00%

Function 00401D0B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D50

Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9

waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F

Strings

%Y-%m-%d %H.%M, xrefs: 00401D41
|MG, xrefs: 00401E08
dMG, xrefs: 00401D81
.wav, xrefs: 00401D69

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
API String ID: 3809562944-243156785
Opcode ID: ea46db1a35f2c9a2b045b3db18ee993060b77fd334bfa98162aa65f0038d2e9b
Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
Opcode Fuzzy Hash: ea46db1a35f2c9a2b045b3db18ee993060b77fd334bfa98162aa65f0038d2e9b
Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401BE9 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
waveInStart.WINMM ref: 00401CFE

Strings

dMG, xrefs: 00401BED
|MG, xrefs: 00401C9B
(V, xrefs: 00401C27

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: (V$dMG$|MG
API String ID: 1356121797-3997115684
Opcode ID: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
Opcode Fuzzy Hash: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D45D Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476

Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
TranslateMessage.USER32(?), ref: 0041D4E9
DispatchMessageA.USER32(?), ref: 0041D4F3
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500

Strings

Remcos, xrefs: 0041D4B8

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0044CD80 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984f3823f0f42f82cc4a86ce7b4d37cd777ac44a74ee2f2d7e0058df0e398b64
Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
Opcode Fuzzy Hash: 984f3823f0f42f82cc4a86ce7b4d37cd777ac44a74ee2f2d7e0058df0e398b64
Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00453D83 Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00453E2F
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453EB2
__alloca_probe_16.LIBCMT ref: 00453EEA
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453F45
__alloca_probe_16.LIBCMT ref: 00453F94
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F5C

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FD8
__freea.LIBCMT ref: 00454003
__freea.LIBCMT ref: 0045400F

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 1452827cb3eb1bc769cd2803b66b83105d8708c6945aeeff223bf30089c8c308
Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
Opcode Fuzzy Hash: 1452827cb3eb1bc769cd2803b66b83105d8708c6945aeeff223bf30089c8c308
Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768

Uniqueness

Uniqueness Score: -1.00%

Function 00445179 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

_memcmp.LIBVCRUNTIME ref: 00445423
_free.LIBCMT ref: 00445494
_free.LIBCMT ref: 004454AD
_free.LIBCMT ref: 004454DF
_free.LIBCMT ref: 004454E8
_free.LIBCMT ref: 004454F4

Strings

C, xrefs: 004452E1

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 7211fadd18adb59f2d5684a8a47ee4c6e47293f8742e9a604408f3b76dec3ffb
Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
Opcode Fuzzy Hash: 7211fadd18adb59f2d5684a8a47ee4c6e47293f8742e9a604408f3b76dec3ffb
Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0041490A Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 00414A46
tcp, xrefs: 00414A73

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040186A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004018BE
ExitThread.KERNEL32 ref: 004018F6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

Strings

XMG, xrefs: 00401902
NG, xrefs: 00401990
PkG, xrefs: 00401888
NG, xrefs: 0040190D

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: PkG$XMG$NG$NG
API String ID: 1649129571-3151166067
Opcode ID: 3112d8a7119d3212cc95ed1c57af8847b596d544db43cbe7024ea2d1079bf73c
Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
Opcode Fuzzy Hash: 3112d8a7119d3212cc95ed1c57af8847b596d544db43cbe7024ea2d1079bf73c
Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E

Uniqueness

Uniqueness Score: -1.00%

Function 00413D0D Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46

Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4

Strings

hdF, xrefs: 00413E80
TG, xrefs: 00413E9A
NG, xrefs: 00413E23
NG, xrefs: 00413D69
xUG, xrefs: 00413EA6

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: hdF$xUG$NG$NG$TG
API String ID: 3114080316-2774981958
Opcode ID: d5d568273ac789f380ea000cc321d881b21a875cc534d84a08e4633975987438
Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
Opcode Fuzzy Hash: d5d568273ac789f380ea000cc321d881b21a875cc534d84a08e4633975987438
Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E

Uniqueness

Uniqueness Score: -1.00%

Function 00407963 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5

Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3

Strings

.part, xrefs: 00407989

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: c2a296b167e086494c659215c5e52d087b3aa464f6e1000890bb20d2f8d2fd06
Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
Opcode Fuzzy Hash: c2a296b167e086494c659215c5e52d087b3aa464f6e1000890bb20d2f8d2fd06
Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B68A Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,(V), ref: 0041363D
Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF

_wcslen.LIBCMT ref: 0041B763

Strings

program files\, xrefs: 0041B749, 0041B750, 0041B762
.exe, xrefs: 0041B6B5
program files (x86)\, xrefs: 0041B75D
(V, xrefs: 0041B696
8SG, xrefs: 0041B709, 0041B70E
http\shell\open\command, xrefs: 0041B69A

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
String ID: (V$.exe$8SG$http\shell\open\command$program files (x86)\$program files\
API String ID: 3286818993-2861172965
Opcode ID: 9e766dfad90d1072eeebd329423a54b06a7feef5cd64e583281de775404f8260
Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
Opcode Fuzzy Hash: 9e766dfad90d1072eeebd329423a54b06a7feef5cd64e583281de775404f8260
Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD9B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00475338), ref: 0041CDA4
GetConsoleWindow.KERNEL32 ref: 0041CDAA
ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

Remcos v, xrefs: 0041CDFD
4.9.3 Pro, xrefs: 0041CE0B
CONOUT$, xrefs: 0041CDD0

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Console$Window$AllocOutputShow
String ID: Remcos v$4.9.3 Pro$CONOUT$
API String ID: 4067487056-3419043855
Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E

Uniqueness

Uniqueness Score: -1.00%

Function 00407260 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 40COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SYQV60EVo9.exe, xrefs: 004076C4
%VR^&bty-4RZCYZ, xrefs: 004076DA
hdF, xrefs: 004076A9
(V, xrefs: 00407697

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID: %VR^&bty-4RZCYZ$(V$C:\Users\user\Desktop\SYQV60EVo9.exe$hdF
API String ID: 0-2465815253
Opcode ID: a134d68e00a23aec850ce34bab2ba566fca7fbefa287618f70ce8b1be92ee060
Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
Opcode Fuzzy Hash: a134d68e00a23aec850ce34bab2ba566fca7fbefa287618f70ce8b1be92ee060
Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E

Uniqueness

Uniqueness Score: -1.00%

Function 0044AC49 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
__alloca_probe_16.LIBCMT ref: 0044ACDB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
__alloca_probe_16.LIBCMT ref: 0044ADC0
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
__freea.LIBCMT ref: 0044AE30

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

__freea.LIBCMT ref: 0044AE39
__freea.LIBCMT ref: 0044AE5E

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: f133f672f31cad4c1eaa5701a27b160f43f27f2d719f30c1e4d65ec3bb2f8dff
Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
Opcode Fuzzy Hash: f133f672f31cad4c1eaa5701a27b160f43f27f2d719f30c1e4d65ec3bb2f8dff
Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A

Uniqueness

Uniqueness Score: -1.00%

Function 00419993 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97

Uniqueness

Uniqueness Score: -1.00%

Function 00447571 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00447679
__freea.LIBCMT ref: 00447723
__freea.LIBCMT ref: 00447741

Part of subcall function 00435E40: _free.LIBCMT ref: 00435E56

Strings

a/p, xrefs: 00447808
zD, xrefs: 004479AB
am/pm, xrefs: 004477A4

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm$zD
API String ID: 2936374016-2723203690
Opcode ID: ffdf125771be3930cd34b67c2c4896bc65d4a075ba9d32331fcf35df296b8716
Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
Opcode Fuzzy Hash: ffdf125771be3930cd34b67c2c4896bc65d4a075ba9d32331fcf35df296b8716
Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C6F3 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041C726
RegCloseKey.ADVAPI32(?), ref: 0041C9BF

Strings

DisplayName, xrefs: 0041C73C

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName
API String ID: 1332880857-3786665039
Opcode ID: f8c39a8c5312d126ce2fea3caf237c12ed67f6eb61076c5a3b07a390ba7738a1
Instruction ID: 30dd124696def6d144da0f01c12024620090e461f41beb3abd2b2340f2562d2c
Opcode Fuzzy Hash: f8c39a8c5312d126ce2fea3caf237c12ed67f6eb61076c5a3b07a390ba7738a1
Instruction Fuzzy Hash: E961F3711082419AD325EF11D851EEFB3E8BF94309F10493FB589921A2FF789E49CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 00413A55 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B

Strings

xUG, xrefs: 00413C46
[regsplt], xrefs: 00413C17
TG, xrefs: 00413BFD

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$xUG$TG
API String ID: 3554306468-1165877943
Opcode ID: 33c7f91080d72b7d6eae4ad8ea9185415ff74703dc449a1b63b856fadc20d013
Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
Opcode Fuzzy Hash: 33c7f91080d72b7d6eae4ad8ea9185415ff74703dc449a1b63b856fadc20d013
Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044B3BC Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
__fassign.LIBCMT ref: 0044B479
__fassign.LIBCMT ref: 0044B494
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BEE9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
PathFileExistsA.SHLWAPI(?), ref: 0040BF78

Strings

[IE cookies not found], xrefs: 0040BF40
Cookies, xrefs: 0040BEFD
[IE cookies cleared!], xrefs: 0040BFC5, 0040BFEA
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040BF02

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 68a42e42b8838ca6718af06bcf6c8b1fb058983d8eb4a6e4fef459ca4e905c38
Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
Opcode Fuzzy Hash: 68a42e42b8838ca6718af06bcf6c8b1fb058983d8eb4a6e4fef459ca4e905c38
Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE

Uniqueness

Uniqueness Score: -1.00%

Function 00456B53 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934edf86da25d837fa7b61c38a686264b457019a14f29bbb32a15566fa7518be
Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
Opcode Fuzzy Hash: 934edf86da25d837fa7b61c38a686264b457019a14f29bbb32a15566fa7518be
Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3F1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
CloseHandle.KERNEL32(00000000), ref: 0041C459
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
CloseHandle.KERNEL32(00000000), ref: 0041C477

Strings

hpF, xrefs: 0041C3F2

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID: hpF
API String ID: 1852769593-151379673
Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

Uniqueness

Uniqueness Score: -1.00%

Function 00450EFA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A

_free.LIBCMT ref: 00450F48

Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00450F53
_free.LIBCMT ref: 00450F5E
_free.LIBCMT ref: 00450FB2
_free.LIBCMT ref: 00450FBD
_free.LIBCMT ref: 00450FC8
_free.LIBCMT ref: 00450FD3

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745

Uniqueness

Uniqueness Score: -1.00%

Function 00411163 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00411170
int.LIBCPMT ref: 00411183

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 004111C3
std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
__CxxThrowException@8.LIBVCRUNTIME ref: 004111EA

Strings

(mG, xrefs: 0041117B

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: (mG
API String ID: 2536120697-4059303827
Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 0043A35A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D

Uniqueness

Uniqueness Score: -1.00%

Function 004075B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\SYQV60EVo9.exe), ref: 004075D0

Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

CoUninitialize.OLE32 ref: 00407629

Strings

C:\Users\user\Desktop\SYQV60EVo9.exe, xrefs: 004075B0, 004075B3, 00407605
[+] ShellExec success, xrefs: 0040760E
[+] before ShellExec, xrefs: 004075F1
[+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\Desktop\SYQV60EVo9.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-2558919921
Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAA1 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
GetLastError.KERNEL32 ref: 0040BAE7

Strings

[Chrome Cookies found, cleared!], xrefs: 0040BB0D
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
[Chrome Cookies not found], xrefs: 0040BB01
UserProfile, xrefs: 0040BAAD

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
Opcode Fuzzy Hash: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE

Uniqueness

Uniqueness Score: -1.00%

Function 0043AADC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0043AC69
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
__allrem.LIBCMT ref: 0043AC9C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
__allrem.LIBCMT ref: 0043ACD1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
Opcode Fuzzy Hash: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,0040D262), ref: 004044C4

Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C

Strings

GetFrame, xrefs: 0040459F
OpenCamera, xrefs: 00404582
FreeFrame, xrefs: 004045B0
CloseCamera, xrefs: 0040458E
HNG, xrefs: 004045E6

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: cd90b27e917ca089b67d7d34f698c3359d294e5eeadafa87bd93eb15658e6d2e
Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
Opcode Fuzzy Hash: cd90b27e917ca089b67d7d34f698c3359d294e5eeadafa87bd93eb15658e6d2e
Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E

Uniqueness

Uniqueness Score: -1.00%

Function 00411CFE Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2

SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
GetNativeSystemInfo.KERNEL32(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9

Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3

GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A

Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID:
API String ID: 3950776272-0
Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 004458F9 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00445925
__cftoe.LIBCMT ref: 00445957

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 5e612228480a368e38a3c2cd5c9ced2759c3311217c7fd18b84c82b5e53f56ae
Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
Opcode Fuzzy Hash: 5e612228480a368e38a3c2cd5c9ced2759c3311217c7fd18b84c82b5e53f56ae
Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC78 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: 6d957316612e9e1639687d6e998d7ab77ff57d14ab12c87d2f09a2430009e9f1
Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
Opcode Fuzzy Hash: 6d957316612e9e1639687d6e998d7ab77ff57d14ab12c87d2f09a2430009e9f1
Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE

Uniqueness

Uniqueness Score: -1.00%

Function 00448215 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
_free.LIBCMT ref: 0044824C
_free.LIBCMT ref: 00448274
SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
_abort.LIBCMT ref: 00448293

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAA6 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 311859fee7c9cfc71de310ff83382dc2b6c95d747b6933e344276464a171e98f
Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
Opcode Fuzzy Hash: 311859fee7c9cfc71de310ff83382dc2b6c95d747b6933e344276464a171e98f
Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABAA Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 1b37a1e7eac98f1240c34f126e6a4f870ba627e83eac9c5dd9270139d563d70d
Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
Opcode Fuzzy Hash: 1b37a1e7eac98f1240c34f126e6a4f870ba627e83eac9c5dd9270139d563d70d
Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC11 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: f9e3a9574bebdc31c431017d68fe9d332939c115f8ba389fbd910f6d712af4f5
Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
Opcode Fuzzy Hash: f9e3a9574bebdc31c431017d68fe9d332939c115f8ba389fbd910f6d712af4f5
Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9

Uniqueness

Uniqueness Score: -1.00%

Function 00443435 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SYQV60EVo9.exe,00000104), ref: 00443475
_free.LIBCMT ref: 00443540
_free.LIBCMT ref: 0044354A

Strings

C:\Users\user\Desktop\SYQV60EVo9.exe, xrefs: 0044346C, 00443473, 004434A2, 004434DA
%T, xrefs: 0044347B

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\SYQV60EVo9.exe$%T
API String ID: 2506810119-2860608404
Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040B164 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040B17B
], xrefs: 0040B180
Offline Keylogger Started, xrefs: 0040B16B

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: 019b08523464e22314e75dadd92c4793bb6a1200063bbceefb562f85266a5f2e
Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
Opcode Fuzzy Hash: 019b08523464e22314e75dadd92c4793bb6a1200063bbceefb562f85266a5f2e
Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040A675 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE

Strings

XQG, xrefs: 0040A6A0

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: XQG
API String ID: 1958988193-3606453820
Opcode ID: a1c719673f0d7440ec25b2c996448bd066d6d4fa0d0bcd8bc203fb9c13a9478f
Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
Opcode Fuzzy Hash: a1c719673f0d7440ec25b2c996448bd066d6d4fa0d0bcd8bc203fb9c13a9478f
Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E

Uniqueness

Uniqueness Score: -1.00%

Function 0041D50F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041D55B
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
GetLastError.KERNEL32 ref: 0041D580

Strings

0, xrefs: 0041D52B
MsgWindowClass, xrefs: 0041D526

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407755 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
CloseHandle.KERNEL32(?), ref: 004077AA
CloseHandle.KERNEL32(?), ref: 004077AF

Strings

C:\Windows\System32\cmd.exe, xrefs: 00407796
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9

Uniqueness

Uniqueness Score: -1.00%

Function 0044333A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390

Strings

mscoree.dll, xrefs: 00443353
CorExitProcess, xrefs: 00443365

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004050E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

KeepAlive | Disabled, xrefs: 004050F9

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 17bfdc88350a56738500cb661d506395563dca3eea58109498aa24bd4a02de42
Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
Opcode Fuzzy Hash: 17bfdc88350a56738500cb661d506395563dca3eea58109498aa24bd4a02de42
Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041ADC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
Sleep.KERNEL32(00002710), ref: 0041AE07
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10

Strings

Alarm triggered, xrefs: 0041ADC9

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: 8320d0a8477b2dfdf5ffede3a6159dd71cddf314a322f93aa69cf56e5021b822
Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
Opcode Fuzzy Hash: 8320d0a8477b2dfdf5ffede3a6159dd71cddf314a322f93aa69cf56e5021b822
Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 0044139A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00444CFB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

_free.LIBCMT ref: 00444E06
_free.LIBCMT ref: 00444E1D
_free.LIBCMT ref: 00444E3C
_free.LIBCMT ref: 00444E57
_free.LIBCMT ref: 00444E6E

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: bc830042460a8b7e4f23ea146b673c7d23acc7bc4933b5c91394f116147f2234
Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
Opcode Fuzzy Hash: bc830042460a8b7e4f23ea146b673c7d23acc7bc4933b5c91394f116147f2234
Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8FD Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
CloseHandle.KERNEL32(00000000), ref: 0040FB05

Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2180151492-0
Opcode ID: e6f2a931ab95e18956fb0cb6133098acbc9c67bef40703332bd554151389558f
Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
Opcode Fuzzy Hash: e6f2a931ab95e18956fb0cb6133098acbc9c67bef40703332bd554151389558f
Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00443DF9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443E6B
_free.LIBCMT ref: 00443E8B

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0045112C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
__alloca_probe_16.LIBCMT ref: 004511B1
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
__freea.LIBCMT ref: 0045121D

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 96f15bfe140a09faeb809ebc5c29b58b41f03d59f1561ac9dee06a5207780793
Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
Opcode Fuzzy Hash: 96f15bfe140a09faeb809ebc5c29b58b41f03d59f1561ac9dee06a5207780793
Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0044F35A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044F363
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
_free.LIBCMT ref: 0044F3BF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d8ae35f0e3060a242d199930de563035f78cbeddf85e30d7e5766290ad92fb82
Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
Opcode Fuzzy Hash: d8ae35f0e3060a242d199930de563035f78cbeddf85e30d7e5766290ad92fb82
Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9

Uniqueness

Uniqueness Score: -1.00%

Function 00448299 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
_free.LIBCMT ref: 004482D3
_free.LIBCMT ref: 004482FA
SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D

Uniqueness

Uniqueness Score: -1.00%

Function 0041C1DD Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpen$FileImageName
String ID:
API String ID: 2951400881-0
Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679

Uniqueness

Uniqueness Score: -1.00%

Function 004509BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004509D4

Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 004509E6
_free.LIBCMT ref: 004509F8
_free.LIBCMT ref: 00450A0A
_free.LIBCMT ref: 00450A1C

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C

Uniqueness

Uniqueness Score: -1.00%

Function 00444048 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444066

Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00444078
_free.LIBCMT ref: 0044408B
_free.LIBCMT ref: 0044409C
_free.LIBCMT ref: 004440AD

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF

Uniqueness

Uniqueness Score: -1.00%

Function 00409EA3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3

Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0

Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

XQG, xrefs: 00409F48
(V, xrefs: 00409EFE
NG, xrefs: 00409F33

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsend
String ID: (V$XQG$NG
API String ID: 1634807452-2633768401
Opcode ID: 934c9aa093908ab335a10b57edccd74f40d48793ee2b97ba21a009012bb151db
Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
Opcode Fuzzy Hash: 934c9aa093908ab335a10b57edccd74f40d48793ee2b97ba21a009012bb151db
Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649

Uniqueness

Uniqueness Score: -1.00%

Function 00442385 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3

Strings

`#D, xrefs: 00442400
`#D, xrefs: 004424ED

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: `#D$`#D
API String ID: 885266447-2450397995
Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0040404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E

Sleep.KERNEL32(000000FA,00465E74), ref: 00404138

Strings

0NG, xrefs: 00404097
/sort "Visit Time" /stext ", xrefs: 004040B2

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0NG
API String ID: 368326130-3219657780
Opcode ID: 4ca3e23d37222fde7400e40ebd3a0efd5546e71d852519533edc46d7893c20f4
Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
Opcode Fuzzy Hash: 4ca3e23d37222fde7400e40ebd3a0efd5546e71d852519533edc46d7893c20f4
Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B748 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 0040B797

Strings

hdF, xrefs: 0040B7C4
[End of clipboard], xrefs: 0040B7D9
[Text copied to clipboard], xrefs: 0040B7E6

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]$hdF
API String ID: 1881088180-1379921833
Opcode ID: 2eae899f8ba581f34df27902f50da260665bdd85b11323c7a3e8a97bd898f5f2
Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
Opcode Fuzzy Hash: 2eae899f8ba581f34df27902f50da260665bdd85b11323c7a3e8a97bd898f5f2
Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C

Uniqueness

Uniqueness Score: -1.00%

Function 004162E4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004162F5

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD

Strings

okmode, xrefs: 0041630F
(V, xrefs: 00416322
!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: !D@$(V$okmode
API String ID: 3411444782-1111941254
Opcode ID: 0b5bfbcb24497edc23cadcade7b987103f73c59b25c5745cb5cc2b363945fd23
Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
Opcode Fuzzy Hash: 0b5bfbcb24497edc23cadcade7b987103f73c59b25c5745cb5cc2b363945fd23
Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6

PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688

Strings

User Data\Profile ?\Network\Cookies, xrefs: 0040C635
User Data\Default\Network\Cookies, xrefs: 0040C603

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: 3f7452b16761e1584c8e2d429d91126a521682e32829e5e9204bb30330905886
Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
Opcode Fuzzy Hash: 3f7452b16761e1584c8e2d429d91126a521682e32829e5e9204bb30330905886
Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559

PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757

Strings

User Data\Profile ?\Network\Cookies, xrefs: 0040C704
User Data\Default\Network\Cookies, xrefs: 0040C6D2

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: 6cf461605f9a2c7fe8b2ad0f04ad55fadbe866efa039c7f8a040f60605f6135f
Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
Opcode Fuzzy Hash: 6cf461605f9a2c7fe8b2ad0f04ad55fadbe866efa039c7f8a040f60605f6135f
Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698

Uniqueness

Uniqueness Score: -1.00%

Function 0040A179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040A20E
CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040A21A

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Strings

Offline Keylogger Started, xrefs: 0040A19B, 0040A1A2, 0040A1CF

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 55a16279e41a4eb0e07dba326af5b95eb925ebcd43a87b2f064c41ffa6f026f3
Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
Opcode Fuzzy Hash: 55a16279e41a4eb0e07dba326af5b95eb925ebcd43a87b2f064c41ffa6f026f3
Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEEE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86

Strings

Online Keylogger Started, xrefs: 0040AF03, 0040AF0C, 0040AF36

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 39a444be4c26427c66e441a6ad0e63281db5954b57e76310a56fe4e2cf5f1819
Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
Opcode Fuzzy Hash: 39a444be4c26427c66e441a6ad0e63281db5954b57e76310a56fe4e2cf5f1819
Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB

Uniqueness

Uniqueness Score: -1.00%

Function 00406A63 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
GetProcAddress.KERNEL32(00000000), ref: 00406A89

Strings

crypt32, xrefs: 00406A7D
CryptUnprotectData, xrefs: 00406A78

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
CloseHandle.KERNEL32(?), ref: 004051CA
SetEvent.KERNEL32(?), ref: 004051D9

Strings

Connection Timeout, xrefs: 00405198

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: b2d32d1c486696acff87f5af967792298d31230c8842a0f6a1d2fc38208b6c67
Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
Opcode Fuzzy Hash: b2d32d1c486696acff87f5af967792298d31230c8842a0f6a1d2fc38208b6c67
Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7C5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E833

Strings

ios_base::eofbit set, xrefs: 0040E822
ios_base::badbit set, xrefs: 0040E7EF
ios_base::failbit set, xrefs: 0040E815

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B

Uniqueness

Uniqueness Score: -1.00%

Function 00413814 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,004752D8), ref: 0041384D
RegCloseKey.ADVAPI32(004752D8,?,0040F823,pth_unenc,004752D8), ref: 00413858

Strings

pth_unenc, xrefs: 00413818

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 05bf175528813bc9b9993d83c1793f80e43b850aacd1f889012fd8a578c3b476
Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
Opcode Fuzzy Hash: 05bf175528813bc9b9993d83c1793f80e43b850aacd1f889012fd8a578c3b476
Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

Uniqueness

Uniqueness Score: -1.00%

Function 0040DFA6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0

Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E016

Strings

bad locale name, xrefs: 0040E000

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C

Uniqueness

Uniqueness Score: -1.00%

Function 0041361B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,(V), ref: 0041363D
RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
RegCloseKey.ADVAPI32(?), ref: 00413665

Strings

(V, xrefs: 00413624

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: (V
API String ID: 3677997916-2767085487
Opcode ID: f8021bfd515d837cd78af2754fa90286b7de4a0a46112e11e0f2f857281b4111
Instruction ID: f34a781dc69553a1478c4d1e38e8143fd29b0d6f10a6f19acb5bd71dd86b2662
Opcode Fuzzy Hash: f8021bfd515d837cd78af2754fa90286b7de4a0a46112e11e0f2f857281b4111
Instruction Fuzzy Hash: 00F04F75600218FBDF209B90DC05FDD77BCEB04B11F1040A2BA45B5291DB749F849BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00416C2D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
ShowWindow.USER32(00000009), ref: 00416C61
SetForegroundWindow.USER32 ref: 00416C6D

Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Window$Console$Show$AllocCreateForegroundOutputThread
String ID: !D@
API String ID: 186401046-604454484
Opcode ID: e059714e8af422b030354d623efbd6a9b9292f4f91efc962f73d79e52ecb3699
Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
Opcode Fuzzy Hash: e059714e8af422b030354d623efbd6a9b9292f4f91efc962f73d79e52ecb3699
Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D

Uniqueness

Uniqueness Score: -1.00%

Function 004160EE Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130

Strings

/C , xrefs: 0041610E
open, xrefs: 0041612A
cmd.exe, xrefs: 00416125

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 4ad490e0fde3b647c583a86c80413934cd69158f8dfa8dfee57c8354f6faf088
Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
Opcode Fuzzy Hash: 4ad490e0fde3b647c583a86c80413934cd69158f8dfa8dfee57c8354f6faf088
Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659

Uniqueness

Uniqueness Score: -1.00%

Function 0040B869 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1

Strings

pth_unenc, xrefs: 0040B869
hdF, xrefs: 0040B884

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: hdF$pth_unenc
API String ID: 3325800564-514923600
Opcode ID: a0279363c5a25902ec7a11d25b89e924bfdaaad508c09a6524f83826895f7699
Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
Opcode Fuzzy Hash: a0279363c5a25902ec7a11d25b89e924bfdaaad508c09a6524f83826895f7699
Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8AC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5

Strings

pth_unenc, xrefs: 0040B8AC

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0044A004 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044A08F
__alldvrm.LIBCMT ref: 0044A290
__alldvrm.LIBCMT ref: 0044A2B2

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00456C1A Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00456D49

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D

Uniqueness

Uniqueness Score: -1.00%

Function 00442801 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788

Uniqueness

Uniqueness Score: -1.00%

Function 0040C00C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040C021
Sleep.KERNEL32(00001388), ref: 0040C0A9

Strings

[Cleared browsers logins and cookies.], xrefs: 0040C0E4
Cleared browsers logins and cookies., xrefs: 0040C0F5

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 869c68868b6bc63859781ffb2e009ba49a6506eb104a18a1f5cb86d920a24655
Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
Opcode Fuzzy Hash: 869c68868b6bc63859781ffb2e009ba49a6506eb104a18a1f5cb86d920a24655
Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF

Uniqueness

Uniqueness Score: -1.00%

Function 004126DB Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738

Sleep.KERNEL32(00000BB8), ref: 0041277A

Strings

8SG, xrefs: 004126FE
bnupgxp, xrefs: 00412703, 00412743, 004127C4
hdF, xrefs: 004126EB

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: 8SG$bnupgxp$hdF
API String ID: 4119054056-581176908
Opcode ID: abf20036ad70d98174a07eb652c7711c4b2f7adaf8a1d534f2fe302cffeed402
Instruction ID: f3cf03c5a64ef847c6da3637c810c9cb64e8e240b2c65477c235684d5dc29c85
Opcode Fuzzy Hash: abf20036ad70d98174a07eb652c7711c4b2f7adaf8a1d534f2fe302cffeed402
Instruction Fuzzy Hash: B52148A0B0030427DA00B7366D46EBF724E8B84318F40443FB916E72D3EEBC9C48426D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A529 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594

Sleep.KERNEL32(000001F4), ref: 0040A573
Sleep.KERNEL32(00000064), ref: 0040A5FD

Strings

], xrefs: 0040A57B
[ , xrefs: 0040A58F

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: e4ff9062ebc1855ffc8709a41a4aeb88848ac43e96cbaf8abbe5df7ed01e55c0
Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
Opcode Fuzzy Hash: e4ff9062ebc1855ffc8709a41a4aeb88848ac43e96cbaf8abbe5df7ed01e55c0
Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB

Uniqueness

Uniqueness Score: -1.00%

Function 0041B7FF Relevance: 6.1, APIs: 4, Instructions: 63timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 0041B815
Sleep.KERNEL32(000003E8), ref: 0041B820
GetSystemTimes.KERNEL32(?,?,?), ref: 0041B835
__aulldiv.LIBCMT ref: 0041B89C

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5

Uniqueness

Uniqueness Score: -1.00%

Function 00443A33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568

Uniqueness

Uniqueness Score: -1.00%

Function 00443AB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169

Uniqueness

Uniqueness Score: -1.00%

Function 00448566 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

Uniqueness

Uniqueness Score: -1.00%

Function 0041C485 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
CloseHandle.KERNEL32(00000000), ref: 0041C4E5

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: b5e3200c466b265101f42b470097a5df982af49012dad84e5cfda8818ecad7ff
Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
Opcode Fuzzy Hash: b5e3200c466b265101f42b470097a5df982af49012dad84e5cfda8818ecad7ff
Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A

Uniqueness

Uniqueness Score: -1.00%

Function 00439863 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043987A

Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC

_UnwindNestedFrames.LIBCMT ref: 00439891
___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
CallCatchBlock.LIBVCRUNTIME ref: 004398C7

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004193E3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 004193F0
GetSystemMetrics.USER32(0000004D), ref: 004193F6
GetSystemMetrics.USER32(0000004E), ref: 004193FC
GetSystemMetrics.USER32(0000004F), ref: 00419402

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785

Uniqueness

Uniqueness Score: -1.00%

Function 00438F31 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B

Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F

Uniqueness

Uniqueness Score: -1.00%

Function 00442C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00442CED

Strings

pow, xrefs: 00442CC5, 00442CE2

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F

Uniqueness

Uniqueness Score: -1.00%

Function 0044561B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00445703
__freea.LIBCMT ref: 00445789

Strings

(V, xrefs: 0044562C

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea
String ID: (V
API String ID: 1635606685-2767085487
Opcode ID: 228f7cd71659edae6035a863d0e99aed1fa0890dcdca1630c76f36a9c7a6e0ee
Instruction ID: 8ea394e19242d531593115f3ad9b67f2d9726ff50e2d779c509e1c2fd2e4051b
Opcode Fuzzy Hash: 228f7cd71659edae6035a863d0e99aed1fa0890dcdca1630c76f36a9c7a6e0ee
Instruction Fuzzy Hash: F141D431A00511EBFF219B65CC42A5F77A4EF55720F65452BF808DB252EB3CD841C66D

Uniqueness

Uniqueness Score: -1.00%

Function 00418A92 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE

Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A

SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B

Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD

Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682

Strings

image/jpeg, xrefs: 00418AD5

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Stream$GdipImage$Create$DisposeFromLoadSave
String ID: image/jpeg
API String ID: 1291196975-3785015651
Opcode ID: d9a19672ec4dc75711255ce94c2c2311e4e29857de9186f34d814f6d2a4cbe43
Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
Opcode Fuzzy Hash: d9a19672ec4dc75711255ce94c2c2311e4e29857de9186f34d814f6d2a4cbe43
Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00451B37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C12

Strings

ACP, xrefs: 00451B55
OCP, xrefs: 00451B8B

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C

Uniqueness

Uniqueness Score: -1.00%

Function 00418B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA

Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A

SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF

Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD

Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682

Strings

image/png, xrefs: 00418BC1

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Stream$GdipImage$Create$DisposeFromLoadSave
String ID: image/png
API String ID: 1291196975-2966254431
Opcode ID: d4f259a593197f1d9dbe7f79535cfb99d89987488e7eb69950e532603a38181c
Instruction ID: c6f894421d6f6d4ca6915e56eba1d7ff3797fde04a376feef2065c2e579c4a83
Opcode Fuzzy Hash: d4f259a593197f1d9dbe7f79535cfb99d89987488e7eb69950e532603a38181c
Instruction Fuzzy Hash: 30219371204211AFC705EB61CC88CBFBBADEFCA754F10092EF54693161DB399945CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00449BF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00449C3C
GetFileType.KERNEL32(00000000), ref: 00449C4E

Strings

8^V, xrefs: 00449C85

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID: 8^V
API String ID: 3000768030-1930029345
Opcode ID: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
Instruction ID: 67a772f1b96ce562b336c628e562ce1c63ba93f9b2d947f4b03656f810f331b8
Opcode Fuzzy Hash: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
Instruction Fuzzy Hash: E61160315047524AE7304E3E8CC86677AD5AB56335B380B2FD5B6876F1C638DC82AA49

Uniqueness

Uniqueness Score: -1.00%

Function 00404FF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040501F

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 3f67727009873c9d3c2a4a6009232aaaac5af89ba315697c65e6eed3dbf6c9b0
Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
Opcode Fuzzy Hash: 3f67727009873c9d3c2a4a6009232aaaac5af89ba315697c65e6eed3dbf6c9b0
Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF

Uniqueness

Uniqueness Score: -1.00%

Function 0043C0F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043C11E
_free.LIBCMT ref: 0043C144

Strings

8^V, xrefs: 0043C119, 0043C126, 0043C13F, 0043C14C, 0043C172

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free
String ID: 8^V
API String ID: 269201875-1930029345
Opcode ID: 84a0aec2fcd2e2198f060eb42423dc6b0e3e67b852f19c5b56d6cf535939c4c8
Instruction ID: 33e0fe0941749f3336bda6be3c0f63978f5ebcf9e4adac19a04b7d23778c801b
Opcode Fuzzy Hash: 84a0aec2fcd2e2198f060eb42423dc6b0e3e67b852f19c5b56d6cf535939c4c8
Instruction Fuzzy Hash: A511D371A002104BEF209F39AC81B567294A714734F14162BF929EA2D5D6BCD8815F89

Uniqueness

Uniqueness Score: -1.00%

Function 0041663B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00416640
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID: !D@
API String ID: 1931167962-604454484
Opcode ID: a0ec73807b07b55f12d7be1e643fec4cddf46813b039fcbaa5035cf5dcd737ac
Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
Opcode Fuzzy Hash: a0ec73807b07b55f12d7be1e643fec4cddf46813b039fcbaa5035cf5dcd737ac
Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4EF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

%02i:%02i:%02i:%03i , xrefs: 0041B51E
| , xrefs: 0041B53C

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: cfeb685ec421024236c3fe8a582943f52c7b46feb71b451bddb7413a3931a58d
Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
Opcode Fuzzy Hash: cfeb685ec421024236c3fe8a582943f52c7b46feb71b451bddb7413a3931a58d
Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C

Strings

alarm.wav, xrefs: 0041AD27
hYG, xrefs: 0041AD46

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$hYG
API String ID: 1174141254-2782910960
Opcode ID: 1ca1b3cc47252a1631e26160b8d0d2f72150c654b90b32622389016ea0759ec0
Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
Opcode Fuzzy Hash: 1ca1b3cc47252a1631e26160b8d0d2f72150c654b90b32622389016ea0759ec0
Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F

Uniqueness

Uniqueness Score: -1.00%

Function 0040B051 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CloseHandle.KERNEL32(?), ref: 0040B0B4
UnhookWindowsHookEx.USER32 ref: 0040B0C7

Strings

Online Keylogger Stopped, xrefs: 0040B061, 0040B069, 0040B090

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: d7c91131cf9b851dd7cc064ac3bcb4510fe1c2efc3eda534d05ad9cc028e90d0
Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
Opcode Fuzzy Hash: d7c91131cf9b851dd7cc064ac3bcb4510fe1c2efc3eda534d05ad9cc028e90d0
Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE

Uniqueness

Uniqueness Score: -1.00%

Function 00449A5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897

DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
_free.LIBCMT ref: 00449ACC

Strings

8^V, xrefs: 00449A86, 00449A9C, 00449AB2, 00449AC4, 00449AD2

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeleteEnter_free
String ID: 8^V
API String ID: 1836352639-1930029345
Opcode ID: 54980ce14eb4704881cc4366b9e02da215daae199b46963b1b84cecc0170e34b
Instruction ID: d8668749b8f053f3b87a5db4b07a71174a174bb0d30b2be9e7ca2d93a8738622
Opcode Fuzzy Hash: 54980ce14eb4704881cc4366b9e02da215daae199b46963b1b84cecc0170e34b
Instruction Fuzzy Hash: 491161315002149FE720DFA9D846B5D73B0FB04315F10455AE959AB2E6CBBCEC82DB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004017EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(0055FB70,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
waveInAddBuffer.WINMM(0055FB70,00000020,?,00000000,00401A15), ref: 0040185F

Strings

XMG, xrefs: 004017F8

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044378C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004437DA

Strings

$G, xrefs: 004437C0

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free
String ID: $G
API String ID: 269201875-4251033865
Opcode ID: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
Instruction ID: ffc8389238c956ab6c1ca4f2b01b58cd1871601a5e35f3520dab429f03a8b914
Opcode Fuzzy Hash: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
Instruction Fuzzy Hash: 7DE0E592A0182014F6717A3F6C0575B0545CBC2B7FF11833BF538861C1CFAC4A46519E

Uniqueness

Uniqueness Score: -1.00%

Function 00448AE6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32

Strings

JD, xrefs: 00448B29, 00448B16
IsValidLocaleName, xrefs: 00448AF7, 00448B01

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$JD
API String ID: 1901932003-2234456777
Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040C4E0
UserProfile, xrefs: 0040C4CA

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: f1acc3cc63483105fb3c6833ea2415d43d59c245a1346c36ac9ceb6aca08711c
Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
Opcode Fuzzy Hash: f1acc3cc63483105fb3c6833ea2415d43d59c245a1346c36ac9ceb6aca08711c
Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C526 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559

Strings

UserProfile, xrefs: 0040C52D
\AppData\Local\Microsoft\Edge\, xrefs: 0040C543

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 911eca338311f85069e2af4ccc8ed928932e81e1ee07fccbbe9b002445cdb3b1
Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
Opcode Fuzzy Hash: 911eca338311f85069e2af4ccc8ed928932e81e1ee07fccbbe9b002445cdb3b1
Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C589 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC

Strings

\Opera Software\Opera Stable\, xrefs: 0040C5A6
AppData, xrefs: 0040C590

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: 25af406674ba748cf22b69dac7a276e1c55e1f7e049a59cb8dfb70449f372998
Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
Opcode Fuzzy Hash: 25af406674ba748cf22b69dac7a276e1c55e1f7e049a59cb8dfb70449f372998
Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA

Uniqueness

Uniqueness Score: -1.00%

Function 004437E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044382E

Strings

$G, xrefs: 00443814

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free
String ID: $G
API String ID: 269201875-4251033865
Opcode ID: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
Instruction ID: d76a88c3c7e0b504eff74fb84b9f6db8507cba8af1ea4ea387731c34734dfbbf
Opcode Fuzzy Hash: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
Instruction Fuzzy Hash: AAE0E562A0182040F675BA3F2D05B9B49C5DB8173BF11433BF538861C1DFAC4A4251AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B646 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040B64B

Part of subcall function 0040A3E0: GetForegroundWindow.USER32(?,?,00000000), ref: 0040A416
Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
Part of subcall function 0040A3E0: GetKeyboardState.USER32(?,?,00000000), ref: 0040A43E
Part of subcall function 0040A3E0: ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 0040A461
Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

[AltR], xrefs: 0040B681
[AltL], xrefs: 0040B68D

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: ebf392733fa6af1cef2b299d24dcfaafd055ccf9a66db9e14e7d9e277e57d489
Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
Opcode Fuzzy Hash: ebf392733fa6af1cef2b299d24dcfaafd055ccf9a66db9e14e7d9e277e57d489
Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF

Uniqueness

Uniqueness Score: -1.00%

Function 0044ECEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E

Strings

uD, xrefs: 0044ED05

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID:
String ID: uD
API String ID: 0-2547262877
Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49

Uniqueness

Uniqueness Score: -1.00%

Function 0041618A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8

Strings

open, xrefs: 004161A2
!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: !D@$open
API String ID: 587946157-1586967515
Opcode ID: 28875262e4bf0174853db4a5e6fd65081a004c09e6690994ece775789ea22bec
Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
Opcode Fuzzy Hash: 28875262e4bf0174853db4a5e6fd65081a004c09e6690994ece775789ea22bec
Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040B6A5

Strings

[CtrlL], xrefs: 0040B6D3
[CtrlR], xrefs: 0040B6C2

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: f934f2a7f97c34cec8605a65b064942ce57b78f2774506a061fea1d29b3ee07f
Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
Opcode Fuzzy Hash: f934f2a7f97c34cec8605a65b064942ce57b78f2774506a061fea1d29b3ee07f
Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF

Uniqueness

Uniqueness Score: -1.00%

Function 0043C1C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00449A5C: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
Part of subcall function 00449A5C: _free.LIBCMT ref: 00449ACC

Part of subcall function 00449AFC: _free.LIBCMT ref: 00449B1E

DeleteCriticalSection.KERNEL32(00565E18), ref: 0043C1F1
_free.LIBCMT ref: 0043C205

Strings

8^V, xrefs: 0043C1D7, 0043C1E4, 0043C20A

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: _free$CriticalDeleteSection
String ID: 8^V
API String ID: 1906768660-1930029345
Opcode ID: e906819441e1cb781d28dd4a1ea52947b9d71dae153e88ad857ccbc322e7c3cc
Instruction ID: 43a050214315618beeb9c81765b0605937ca417edd614e55d144c525631042cd
Opcode Fuzzy Hash: e906819441e1cb781d28dd4a1ea52947b9d71dae153e88ad857ccbc322e7c3cc
Instruction Fuzzy Hash: 69E04F329145108FEB717F6AFD8595A73E49B4D325B11082FFC0DA316ACA6DAC809B8D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E79F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 00410F29

Strings

0kG, xrefs: 00410F31
,kG, xrefs: 00410F04

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: ,kG$0kG
API String ID: 1881088180-2015055088
Opcode ID: f9f143b1e95ac96eb86707cb7474d167dbc7ad60067a617d51a8135112e2f0db
Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
Opcode Fuzzy Hash: f9f143b1e95ac96eb86707cb7474d167dbc7ad60067a617d51a8135112e2f0db
Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D

Uniqueness

Uniqueness Score: -1.00%

Function 00413A23 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668

Uniqueness

Uniqueness Score: -1.00%

Function 00412850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

Strings

pth_unenc, xrefs: 00412850

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59

Uniqueness

Uniqueness Score: -1.00%

Function 0041BAE6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetLastInputInfo.USER32(NG), ref: 0041BAF6
GetTickCount.KERNEL32 ref: 0041BAFC

Strings

NG, xrefs: 0041BAEB, 0041BAF5

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CountInfoInputLastTick
String ID: NG
API String ID: 3478931382-1651712548
Opcode ID: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
Instruction ID: 91b37e9d9b7f8f393223e5bf0be67cbbeb1ccf95644ad96dbec1e326022f3834
Opcode Fuzzy Hash: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
Instruction Fuzzy Hash: 84D0C97180060CABDB04AFA5EC4D99DBBBCEB05212F1042A5E84992210DA71AA548A95

Uniqueness

Uniqueness Score: -1.00%

Function 0044F30A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 0044F30A
GetCommandLineW.KERNEL32 ref: 0044F315

Strings

%T, xrefs: 0044F310

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: %T
API String ID: 3253501508-1623511446
Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08

Uniqueness

Uniqueness Score: -1.00%

Function 00440C91 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
GetLastError.KERNEL32 ref: 00440D35
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759

Uniqueness

Uniqueness Score: -1.00%

Function 00411B5F Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91

Memory Dump Source

Source File: 00000000.00000002.4101548132.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4101537231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101578115.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101593359.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101616190.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4101627780.0000000000482000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SYQV60EVo9.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SYQV60EVo9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
SYQV60EVo9.exe

Function 0041CB50 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Function 0040E9C5 Relevance: 62.0, APIs: 15, Strings: 20, Instructions: 795
COMMON

Function 0041B380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69
networkfileCOMMON

Function 0040F7A7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Function 00404F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
timethreadCOMMON

Function 0041B60D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41
COMMON

Function 00414F2A Relevance: 46.3, APIs: 5, Strings: 21, Instructions: 809
sleepnetworkCOMMON

Function 004048C8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144
networkCOMMON

Function 0040DA34 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Function 0041B2C3 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 61
COMMON

Function 00415AEA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163
COMMON

Function 0041376F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
registryCOMMON

Function 00404CC3 Relevance: 6.1, APIs: 4, Instructions: 121
synchronizationthreadCOMMON

Function 0040D069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Function 00404AA1 Relevance: 4.6, APIs: 3, Instructions: 93
synchronizationnetworkCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Tactics:	Impact
Data Sources:	Application Log: Application Log Content, File: File Creation, File: File Modification, Network Traffic: Network Traffic Content
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre