Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
Analysis ID:	1436368
MD5:	813b31f7ee7bbdd8e42890394ea6f16f
SHA1:	31f3b24ab55399f61ca2a39055714883ba01807c
SHA256:	07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f
Tags:	exe
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Detected VMProtect packer

Drops executables to the windows directory (C:\Windows) and starts them

Hides threads from debuggers

Machine Learning detection for dropped file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe (PID: 6876 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe" MD5: 813B31F7EE7BBDD8E42890394EA6F16F)

Cyber.exe (PID: 6992 cmdline: "C:\tcls\Cyber.exe" MD5: E30F528038EFC32CBA51643BF67B7AF2)

icacls.exe (PID: 2196 cmdline: icacls "C:\Windows\" /grant Administrator:(OI)(CI)F MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 7156 cmdline: icacls "C:\Windows\" /grant Administrators:(OI)(CI)F MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 6272 cmdline: icacls "C:\Users\user\AppData\Local\Temp\" /grant Administrator:(OI)(CI)F MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 2640 cmdline: icacls "C:\Users\user\AppData\Local\Temp\" /grant Administrators:(OI)(CI)F MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mbrmqqboi.exe (PID: 2200 cmdline: C:\Windows\mbrmqqboi.exe 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC l MD5: AE62909C8433ECDBE8289E3E1B5EC35E)

conhost.exe (PID: 980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mbrmqqboi.exe (PID: 6276 cmdline: "C:\Windows\mbrmqqboi.exe" 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC MD5: AE62909C8433ECDBE8289E3E1B5EC35E)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6924 cmdline: sc.exe config Winmgmt start= AUTO MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Windows\mbrmqqboi.exe	Avira: detection malicious, Label: HEUR/AGEN.1339215
Source: C:\tcls\Cyber.exe	Avira: detection malicious, Label: LINUX/Shelma.denpe

Multi AV Scanner detection for dropped file

Source: C:\Windows\mbrmqqboi.exe	ReversingLabs: Detection: 51%
Source: C:\Windows\mbrmqqboi.exe	Virustotal: Detection: 53%	Perma Link
Source: C:\tcls\Cyber.exe	ReversingLabs: Detection: 79%
Source: C:\tcls\Cyber.exe	Virustotal: Detection: 58%	Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	ReversingLabs: Detection: 70%
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Virustotal: Detection: 63%			Perma Link

Machine Learning detection for dropped file

Source: C:\Windows\mbrmqqboi.exe	Joe Sandbox ML: detected
Source: C:\tcls\Cyber.exe	Joe Sandbox ML: detected

Source: C:\tcls\Cyber.exe	Code function: 1_2_032A6322 CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash,	1_2_032A6322
Source: C:\tcls\Cyber.exe	Code function: 1_2_032A63B0 CryptAcquireContextA,CryptAcquireContextA,	1_2_032A63B0
Source: C:\tcls\Cyber.exe	Code function: 1_2_032A610D CryptEncrypt,	1_2_032A610D
Source: C:\tcls\Cyber.exe	Code function: 1_2_032A61D0 CryptDuplicateKey,	1_2_032A61D0
Source: C:\tcls\Cyber.exe	Code function: 1_2_032A6419 CryptDestroyKey,CryptDestroyKey,	1_2_032A6419
Source: C:\tcls\Cyber.exe	Code function: 1_2_032A64AB CryptDestroyKey,CryptDestroyKey,	1_2_032A64AB
Source: C:\tcls\Cyber.exe	Code function: 1_2_032A5F15 CryptDecrypt,CryptEncrypt,CryptEncrypt,	1_2_032A5F15

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\tcls\Cyber.exe

Unpacked PE file: 1.2.Cyber.exe.3290000.2.unpack

Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
Source:	Binary string: name="naily.pdbm.exe" source: Cyber.exe
Source:	Binary string: naily.pdbm.exe source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000003.1619175656.0000000000802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000002.1642748563.0000000000802000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cC:\tcls\Cyber.exe\??\C:\tcls\Cyber.exeen-GBenen-USnaily.pdbm.exe source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000002.1636854745.0000000000790000.00000004.00000020.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B329F7 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00B329F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B3CD67 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00B3CD67
Source: C:\tcls\Cyber.exe	Code function: 1_2_103E4517 FindFirstFileW,GetLastError,__invoke_watson,	1_2_103E4517

Source: Joe Sandbox View	IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View	IP Address: 162.159.36.2 162.159.36.2

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=okFYfBKbmACV4or&MD=d2putLvK HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=okFYfBKbmACV4or&MD=d2putLvK HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: Client.dll	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://pcinfoupload.110route.com/forum.php?from=discuz
Source: Cyber.exe	String found in binary or memory: http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
Source: Cyber.exe	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: Cyber.exe	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://sbk.sgamer.com/cyberdown.php?cc=
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://tj.110route.com/index.html
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://uploadimg.110route.com/Upload.php
Source: Client.dll	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Client.dll	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.yileyoo.com/help
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://beian.wwwscn.com/report.php?bd=

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49736 version: TLS 1.2

System Summary

Detected VMProtect packer

Source: Cyber.exe.0.dr

Static PE information: .vmp0 and .vmp1 section names

Source: C:\tcls\Cyber.exe

File created: C:\Windows\mbrmqqboi.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B359CA	0_2_00B359CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B4C8C0	0_2_00B4C8C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B37A93	0_2_00B37A93
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B512E4	0_2_00B512E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B41214	0_2_00B41214
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B42392	0_2_00B42392
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B41B28	0_2_00B41B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B45352	0_2_00B45352
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B4CD6E	0_2_00B4CD6E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B38677	0_2_00B38677
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B41710	0_2_00B41710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B31773	0_2_00B31773
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B41F5D	0_2_00B41F5D
Source: C:\tcls\Cyber.exe	Code function: 1_2_032C4320	1_2_032C4320
Source: C:\tcls\Cyber.exe	Code function: 1_2_032D11A0	1_2_032D11A0
Source: C:\tcls\Cyber.exe	Code function: 1_2_032B6090	1_2_032B6090
Source: C:\tcls\Cyber.exe	Code function: 1_2_032A4637	1_2_032A4637
Source: C:\tcls\Cyber.exe	Code function: 1_2_032CF52E	1_2_032CF52E
Source: C:\tcls\Cyber.exe	Code function: 1_2_032C0525	1_2_032C0525
Source: C:\tcls\Cyber.exe	Code function: 1_2_032C3475	1_2_032C3475
Source: C:\tcls\Cyber.exe	Code function: 1_2_0329EF47	1_2_0329EF47
Source: C:\tcls\Cyber.exe	Code function: 1_2_03294F81	1_2_03294F81
Source: C:\tcls\Cyber.exe	Code function: 1_2_032D2EB7	1_2_032D2EB7
Source: C:\tcls\Cyber.exe	Code function: 1_2_032C4D00	1_2_032C4D00
Source: C:\tcls\Cyber.exe	Code function: 1_2_032D8D71	1_2_032D8D71
Source: C:\tcls\Cyber.exe	Code function: 1_2_032A4C8B	1_2_032A4C8B
Source: C:\tcls\Cyber.exe	Code function: 1_2_032DBCE0	1_2_032DBCE0
Source: C:\tcls\Cyber.exe	Code function: 1_2_102811D0	1_2_102811D0
Source: C:\tcls\Cyber.exe	Code function: 1_2_10281688	1_2_10281688
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_0040C9C0	10_2_0040C9C0

Source: C:\tcls\Cyber.exe	Code function: String function: 032C4A3A appears 89 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: String function: 00B3F4B0 appears 44 times
Source: C:\Windows\mbrmqqboi.exe	Code function: String function: 00405950 appears 33 times

Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.evad.winEXE@23/3@0/6

Source: C:\tcls\Cyber.exe

Code function: 1_2_10481960 FSDK_GetCameraList,CoCreateInstance,

1_2_10481960

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_03
Source: C:\tcls\Cyber.exe	Mutant created: \Sessions\1\BaseNamedObjects\ClientWWWS
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Command line argument: sfxname	0_2_00B3E8DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Command line argument: sfxstime	0_2_00B3E8DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Command line argument: STARTDLG	0_2_00B3E8DE

Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\tcls\Cyber.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name, %d+18,10) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence';
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	ReversingLabs: Detection: 70%
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Virustotal: Detection: 63%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Process created: C:\tcls\Cyber.exe "C:\tcls\Cyber.exe"
Source: C:\tcls\Cyber.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\" /grant Administrator:(OI)(CI)F
Source: C:\tcls\Cyber.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\" /grant Administrators:(OI)(CI)F
Source: C:\tcls\Cyber.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\Temp\" /grant Administrator:(OI)(CI)F
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\tcls\Cyber.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\Temp\" /grant Administrators:(OI)(CI)F
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\tcls\Cyber.exe	Process created: C:\Windows\mbrmqqboi.exe C:\Windows\mbrmqqboi.exe 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC l
Source: C:\Windows\mbrmqqboi.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\tcls\Cyber.exe	Process created: C:\Windows\SysWOW64\sc.exe sc.exe config Winmgmt start= AUTO
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\mbrmqqboi.exe	Process created: C:\Windows\mbrmqqboi.exe "C:\Windows\mbrmqqboi.exe" 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Process created: C:\tcls\Cyber.exe "C:\tcls\Cyber.exe"	Jump to behavior
Source: C:\tcls\Cyber.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\" /grant Administrator:(OI)(CI)F	Jump to behavior
Source: C:\tcls\Cyber.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\" /grant Administrators:(OI)(CI)F	Jump to behavior
Source: C:\tcls\Cyber.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\Temp\" /grant Administrator:(OI)(CI)F	Jump to behavior
Source: C:\tcls\Cyber.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\Temp\" /grant Administrators:(OI)(CI)F	Jump to behavior
Source: C:\tcls\Cyber.exe	Process created: C:\Windows\mbrmqqboi.exe C:\Windows\mbrmqqboi.exe 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC l	Jump to behavior
Source: C:\tcls\Cyber.exe	Process created: C:\Windows\SysWOW64\sc.exe sc.exe config Winmgmt start= AUTO	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Process created: C:\Windows\mbrmqqboi.exe "C:\Windows\mbrmqqboi.exe" 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: version.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: quartz.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: client.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\tcls\Cyber.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Section loaded: iphlpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Static file information: File size 15256203 > 1048576

Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
Source:	Binary string: name="naily.pdbm.exe" source: Cyber.exe
Source:	Binary string: naily.pdbm.exe source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000003.1619175656.0000000000802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000002.1642748563.0000000000802000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cC:\tcls\Cyber.exe\??\C:\tcls\Cyber.exeen-GBenen-USnaily.pdbm.exe source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000002.1636854745.0000000000790000.00000004.00000020.00040000.00000000.sdmp

Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\tcls\Cyber.exe

Unpacked PE file: 1.2.Cyber.exe.3290000.2.unpack

Source: C:\tcls\Cyber.exe

Code function: 1_2_032DB7E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_032DB7E4

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

File created: C:\tcls\__tmp_rar_sfx_access_check_6149296

Jump to behavior

Source: Cyber.exe.0.dr	Static PE information: section name: .vmp0
Source: Cyber.exe.0.dr	Static PE information: section name: .vmp1
Source: mbrmqqboi.exe.1.dr	Static PE information: section name: .WMV0
Source: mbrmqqboi.exe.1.dr	Static PE information: section name: .WMV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B400F6 push ecx; ret	0_2_00B40109
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B359BA push dword ptr [ebp+03046A00h]; ret	0_2_00B359C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B3F484 push eax; ret	0_2_00B3F4A2
Source: C:\tcls\Cyber.exe	Code function: 1_2_032D5370 push eax; ret	1_2_032D539E
Source: C:\tcls\Cyber.exe	Code function: 1_2_103EB47D push ecx; ret	1_2_103EB490
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_004055D4 push 00405639h; ret	10_2_00405631
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_0040586E push 0040589Ch; ret	10_2_00405894
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00405870 push 0040589Ch; ret	10_2_00405894
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409834 push 004098A3h; ret	10_2_0040989B
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_0040C968 push 0040C9B6h; ret	10_2_0040C9AE
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00405119 push eax; ret	10_2_00405155
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_0040D1A4 push 0040D1D0h; ret	10_2_0040D1C8
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00405A00 push 00405A2Ch; ret	10_2_00405A24
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00405A38 push 00405CF4h; ret	10_2_00405CEC
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409BC8 push 00409BFCh; ret	10_2_00409BF4
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409BD0 push 00409BFCh; ret	10_2_00409BF4
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409B90 push 00409BBCh; ret	10_2_00409BB4
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409C40 push 00409C74h; ret	10_2_00409C6C
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409C48 push 00409C74h; ret	10_2_00409C6C
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409C08 push 00409C34h; ret	10_2_00409C2C
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_0040D42E push 0040D456h; ret	10_2_0040D44E
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_0040D430 push 0040D456h; ret	10_2_0040D44E
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00405CC8 push 00405CF4h; ret	10_2_00405CEC
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409CF0 push 00409D74h; ret	10_2_00409D6C
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409C80 push 00409CACh; ret	10_2_00409CA4
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409CB8 push 00409CE4h; ret	10_2_00409CDC
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409D48 push 00409D74h; ret	10_2_00409D6C
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409DAB push 00409DF9h; ret	10_2_00409DF1
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_00409DAC push 00409DF9h; ret	10_2_00409DF1
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_0040C5B6 push 0040C66Bh; ret	10_2_0040C663
Source: C:\Windows\mbrmqqboi.exe	Code function: 10_2_0040C5B8 push 0040C66Bh; ret	10_2_0040C663

Source: mbrmqqboi.exe.1.dr

Static PE information: section name: .WMV1 entropy: 7.963072884561921

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\mbrmqqboi.exe

Executable created and started: C:\Windows\mbrmqqboi.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	File created: C:\tcls\Client.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	File created: C:\tcls\Cyber.exe	Jump to dropped file
Source: C:\tcls\Cyber.exe	File created: C:\Windows\mbrmqqboi.exe	Jump to dropped file

Source: C:\tcls\Cyber.exe

File created: C:\Windows\mbrmqqboi.exe

Jump to dropped file

Source: C:\tcls\Cyber.exe

Process created: C:\Windows\SysWOW64\sc.exe sc.exe config Winmgmt start= AUTO

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 1070005 value: E9 2B BA E5 75	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 76ECBA30 value: E9 DA 45 1A 8A	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 1090008 value: E9 8B 8E E8 75	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 76F18E90 value: E9 80 71 17 8A	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 10A0005 value: E9 8B 4D B5 74	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 75BF4D90 value: E9 7A B2 4A 8B	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 10C0005 value: E9 EB EB B4 74	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 75C0EBF0 value: E9 1A 14 4B 8B	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 10D0005 value: E9 8B 8A F0 73	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 74FD8A90 value: E9 7A 75 0F 8C	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 10F0005 value: E9 2B 02 F1 73	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 75000230 value: E9 DA FD 0E 8C	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 2CA0005 value: E9 8B 2F 26 74	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 76F02F90 value: E9 7A D0 D9 8B	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 2CB0007 value: E9 EB DF 28 74	Jump to behavior
Source: C:\tcls\Cyber.exe	Memory written: PID: 6992 base: 76F3DFF0 value: E9 1E 20 D7 8B	Jump to behavior

Source: C:\tcls\Cyber.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\" /grant Administrator:(OI)(CI)F

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\tcls\Cyber.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\tcls\Cyber.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\tcls\Cyber.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Cyber.exe, 00000001.00000002.2884996615.0000000000144000.00000020.00000001.01000000.00000007.sdmp

Binary or memory string: >SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\tcls\Cyber.exe

RDTSC instruction interceptor: First address: 4CAB14 second address: 4CAB1A instructions: 0x00000000 rdtsc 0x00000002 popfd 0x00000003 pop esi 0x00000004 cbw 0x00000006 rdtsc

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\tcls\Cyber.exe

Special instruction interceptor: First address: ACEE0C instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Windows\mbrmqqboi.exe

Code function: 10_2_00413D89 rdtsc

10_2_00413D89

Source: C:\Windows\mbrmqqboi.exe

Window / User API: threadDelayed 498

Jump to behavior

Source: C:\tcls\Cyber.exe	API coverage: 0.5 %
Source: C:\Windows\mbrmqqboi.exe	API coverage: 0.0 %

Source: C:\Windows\mbrmqqboi.exe TID: 864

Thread sleep time: -7470000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B329F7 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00B329F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B3CD67 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00B3CD67
Source: C:\tcls\Cyber.exe	Code function: 1_2_103E4517 FindFirstFileW,GetLastError,__invoke_watson,	1_2_103E4517

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Code function: 0_2_00B3F017 VirtualQuery,GetSystemInfo,

0_2_00B3F017

Source: Client.dll	Binary or memory string: VMware
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000002.1642748563.0000000000802000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Cyber.exe, 00000001.00000002.2886870763.000000000110E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: Client.dll	Binary or memory string: ANYTHING!VMwareHamachiPseudoJuniper Network Connect Virtual AdapterCisco AnyConnect VPNCisco Systems VPNMicrosoft%02x:%02x:%02x:%02x:%02x:%02x
Source: Cyber.exe, 00000001.00000003.1647597085.0000000001136000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

API call chain: ExitProcess graph end node

graph_0-18400

Source: C:\tcls\Cyber.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\tcls\Cyber.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\tcls\Cyber.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\tcls\Cyber.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\tcls\Cyber.exe	Process queried: DebugPort	Jump to behavior
Source: C:\tcls\Cyber.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Process queried: DebugObjectHandle	Jump to behavior

Source: C:\Windows\mbrmqqboi.exe

Code function: 10_2_00413D89 rdtsc

10_2_00413D89

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Code function: 0_2_00B4855B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B4855B

Source: C:\tcls\Cyber.exe

Code function: 1_2_032DB7E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_032DB7E4

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Code function: 0_2_00B47439 mov eax, dword ptr fs:[00000030h]

0_2_00B47439

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Code function: 0_2_00B4B4B6 GetProcessHeap,

0_2_00B4B4B6

Source: C:\tcls\Cyber.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B4004A SetUnhandledExceptionFilter,	0_2_00B4004A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B40358 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B40358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B4855B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B4855B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: 0_2_00B3FEB8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B3FEB8
Source: C:\tcls\Cyber.exe	Code function: 1_2_103E2766 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_103E2766

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Process created: C:\tcls\Cyber.exe "C:\tcls\Cyber.exe"			Jump to behavior
Source: C:\Windows\mbrmqqboi.exe	Process created: C:\Windows\mbrmqqboi.exe "C:\Windows\mbrmqqboi.exe" 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Code function: 0_2_00B3FD07 cpuid

0_2_00B3FD07

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	0_2_00B3BBF0
Source: C:\Windows\mbrmqqboi.exe	Code function: RegOpenKeyExA,RegOpenKeyExA,GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA,	10_2_004047D4
Source: C:\Windows\mbrmqqboi.exe	Code function: GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA,	10_2_004048A6

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Code function: 0_2_00B3E8DE OleInitialize,GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,LoadBitmapW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,

0_2_00B3E8DE

Source: C:\tcls\Cyber.exe

Code function: 1_2_032D7BED GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

1_2_032D7BED

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Code function: 0_2_00B32B7C GetVersionExW,

0_2_00B32B7C

Source: C:\tcls\Cyber.exe	Code function: 1_2_032CD203 sqlite3_transfer_bindings,	1_2_032CD203
Source: C:\tcls\Cyber.exe	Code function: 1_2_032CD185 sqlite3_bind_parameter_index,	1_2_032CD185
Source: C:\tcls\Cyber.exe	Code function: 1_2_032CD078 sqlite3_bind_text16,	1_2_032CD078
Source: C:\tcls\Cyber.exe	Code function: 1_2_032CD040 sqlite3_bind_null,	1_2_032CD040
Source: C:\tcls\Cyber.exe	Code function: 1_2_032CD055 sqlite3_bind_text,	1_2_032CD055
Source: C:\tcls\Cyber.exe	Code function: 1_2_032CD0A8 sqlite3_bind_parameter_count,	1_2_032CD0A8
Source: C:\tcls\Cyber.exe	Code function: 1_2_032CD0D3 sqlite3_bind_parameter_name,	1_2_032CD0D3
Source: C:\tcls\Cyber.exe	Code function: 1_2_032CCF89 sqlite3_bind_double,	1_2_032CCF89
Source: C:\tcls\Cyber.exe	Code function: 1_2_032CCFF2 sqlite3_bind_int64,	1_2_032CCFF2
Source: C:\tcls\Cyber.exe	Code function: 1_2_032CCFD7 sqlite3_bind_int,	1_2_032CCFD7
Source: C:\tcls\Cyber.exe	Code function: 1_2_032CCDFB sqlite3_bind_blob,	1_2_032CCDFB

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	12 Masquerading	1 Credential API Hooking	2 System Time Discovery	Remote Services	1 Credential API Hooking	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 Services File Permissions Weakness	11 Process Injection	13 Virtualization/Sandbox Evasion	LSASS Memory	551 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	1 DLL Side-Loading	1 Services File Permissions Weakness	11 Process Injection	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	225 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	71%	ReversingLabs	Win32.Trojan.Shelma
SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	63%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\mbrmqqboi.exe	100%	Avira	HEUR/AGEN.1339215
C:\tcls\Cyber.exe	100%	Avira	LINUX/Shelma.denpe
C:\Windows\mbrmqqboi.exe	100%	Joe Sandbox ML
C:\tcls\Cyber.exe	100%	Joe Sandbox ML
C:\Windows\mbrmqqboi.exe	51%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\mbrmqqboi.exe	54%	Virustotal		Browse
C:\tcls\Client.dll	0%	ReversingLabs
C:\tcls\Client.dll	0%	Virustotal		Browse
C:\tcls\Cyber.exe	79%	ReversingLabs	Win32.Trojan.Shelma
C:\tcls\Cyber.exe	58%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://pki-ocsp.symauth.com0	0%	URL Reputation	safe
http://www.yileyoo.com/help	0%	Avira URL Cloud	safe
http://uploadimg.110route.com/Upload.php	0%	Avira URL Cloud	safe
http://tj.110route.com/index.html	0%	Avira URL Cloud	safe
http://pcinfoupload.110route.com/forum.php?from=discuz	0%	Avira URL Cloud	safe
https://beian.wwwscn.com/report.php?bd=	0%	Avira URL Cloud	safe
http://www.yileyoo.com/help	0%	Virustotal		Browse
http://tj.110route.com/index.html	2%	Virustotal		Browse
https://beian.wwwscn.com/report.php?bd=	0%	Virustotal		Browse
http://pcinfoupload.110route.com/forum.php?from=discuz	2%	Virustotal		Browse
http://uploadimg.110route.com/Upload.php	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://sbk.sgamer.com/cyberdown.php?cc=	Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp	false		high
http://www.yileyoo.com/help	Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://beian.wwwscn.com/report.php?bd=	Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	Cyber.exe	false		high
http://curl.haxx.se/rfc/cookie_spec.html	Client.dll	false		high
http://pcinfoupload.110route.com/forum.php?from=discuz	Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07	Cyber.exe	false		high
http://pki-ocsp.symauth.com0	Cyber.exe	false	URL Reputation: safe	unknown
http://uploadimg.110route.com/Upload.php	Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html....................	Client.dll	false		high
http://tj.110route.com/index.html	Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	Client.dll	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
20.114.59.183	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
162.159.36.2	unknown	United States	13335	CLOUDFLARENETUS	false
199.232.210.172	unknown	United States	54113	FASTLYUS	false

Private

IP
192.168.2.1
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436368
Start date and time:	2024-05-04 20:25:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@23/3@0/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 80 Number of non-executed functions: 161
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 72.21.81.240, 192.229.211.108
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:25:56	API Interceptor	498x Sleep call for process: mbrmqqboi.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1.1.1.1	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
	INVOICE_90990_PDF.exe	Get hash	malicious	FormBook	Browse	www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
	Go.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
20.114.59.183	W9vVOVhMMq.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT	Browse
20.114.59.183	b6HXTGQmJN.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT	Browse
162.159.36.2	EGQqjPn5p3.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz	Browse
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	j1FDxfhkS3.exe	Get hash	malicious	Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT	Browse
	ZN5KdHxjL1.exe	Get hash	malicious	Wannacry	Browse
	W9vVOVhMMq.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT	Browse
	b6HXTGQmJN.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT	Browse
199.232.210.172	VOrqSh1Fts.exe	Get hash	malicious	Neoreklami, PureLog Stealer	Browse
	http://launch.getgo.com/launcher2/helper?token=e0-JlwZpYnk5RjfhNwQJAWSnycGxuTNEKMFcGUnp8bMbh1HaoP3nxnwmbsPoRN3nHS6IqeGWl2BtZZUCiukZPAadAO_rWBJQKlxiyBmgLzhLL5R1ewSQF5jnb934RWY3OJM4kRqjf_0K6R7ugG8LH4WlOOqPNJSmMAD3RS6UgEzBOJaT4rPu0bb59qQi8o861c7OLxMI07Ibv0hJmk7HIy2a92xS-gyU5pKlOvVQGniMuxPSF1Y2k0dJ7ra2hAUmCxtd7ob9yDXB05la9g0bQ38dMF0kvhP2rIVGwG36NAwouMDXY-2MML1XoElq2qVGdets-czFXiGaDVyOFme0t6cF1YereSTdXIEtXIzFxS1lrYL3AiV4hFsDVKqI1kqih-PHY4ks3RqBBIj3H1iVlVq_2U3M6VZflUvwyNSk_ZcHfCbJHyTQt10oMuj0lOFvXOTuhJST9RLaFmO5ibIH5ghIchA_BWTrCyQVmuuQQoEQ-jWemgg7keHjSvL1bR2V_VwnqgTgcf_VuVAuqEEQIekmsEEzCXev7G-pEchKLy2fT1tAyJJH9VB4Yx_vAKsd_0C38BiMHPEYdOMSboIQg-rfko0GyZWpzeel94gvtGvyMHY-jXpYAwX_2iK2KJpkVnbzstjnbhvopB2XYgkB4GiaV845Xp274vfZNI7_XUn7Ih_SbuB&downloadTrigger=javascript&renameFile=1	Get hash	malicious	Unknown	Browse
	https://webex-install.com	Get hash	malicious	NetSupport RAT	Browse
	digitalform.msi	Get hash	malicious	AteraAgent	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	7Ql51TchBG.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	INVOICE KAD-0138-2024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Orden de compra 0001-00255454.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	0KRPn.vbs	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	Supplier Order Scan 0001293039493.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205
	file.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	DHL_VTER000105453.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	DHL_VTER000105450.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL Receipt_AWB 9899691321..exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	E7236252-receipt.vbs	Get hash	malicious	XWorm	Browse	104.21.45.138
MICROSOFT-CORP-MSN-AS-BLOCKUS	OgcktrbHkI.exe	Get hash	malicious	Tofsee	Browse	104.47.53.36
	1CMweaqlKp.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	13.89.179.12
	sora.x86-20240504-0115.elf	Get hash	malicious	Mirai	Browse	20.199.232.188
	https://www.bjvpza.cn/	Get hash	malicious	Unknown	Browse	13.107.213.40
	https://www.uhnrya.cn/	Get hash	malicious	Unknown	Browse	13.107.213.69
	https://portal.cpscompressors.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.71
	https://www.soqsrkk.cn/	Get hash	malicious	Unknown	Browse	13.107.246.69
	https://www.evernote.com/shard/s593/sh/34d5323e-5e68-2022-e399-8b6a9f22d260/e4DIh4rAMOdx8UQxrqSgHb8GiJxwwBeZjn9dT_57KOFldDUBp5VNPxZHmw/res/782d1fe9-3270-5412-662f-9e3e990fa372	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	Copy of BARBOT CONSTRUCTION.xlsx	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	52.109.28.46
	Scanned from Xerox KwlawMultiftr.rtf	Get hash	malicious	HTMLPhisher	Browse	52.109.52.131
FASTLYUS	https://www.bjvpza.cn/	Get hash	malicious	Unknown	Browse	151.101.65.195
	https://broken-rain-1a74.1rwvvy66.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://www.uhnrya.cn/	Get hash	malicious	Unknown	Browse	151.101.65.195
	https://jango.pet	Get hash	malicious	Unknown	Browse	151.101.66.137
	https://portal.cpscompressors.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://collettre-7jk.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://www.soqsrkk.cn/	Get hash	malicious	Unknown	Browse	151.101.65.195
	http://jango.pet	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	151.101.66.137
	https://www.sqrhpva.cn/	Get hash	malicious	Unknown	Browse	199.232.214.128
	https://www.evernote.com/shard/s593/sh/34d5323e-5e68-2022-e399-8b6a9f22d260/e4DIh4rAMOdx8UQxrqSgHb8GiJxwwBeZjn9dT_57KOFldDUBp5VNPxZHmw/res/782d1fe9-3270-5412-662f-9e3e990fa372	Get hash	malicious	HTMLPhisher	Browse	151.101.65.197
CLOUDFLARENETUS	7Ql51TchBG.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	INVOICE KAD-0138-2024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Orden de compra 0001-00255454.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	0KRPn.vbs	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	Supplier Order Scan 0001293039493.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205
	file.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	DHL_VTER000105453.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	DHL_VTER000105450.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL Receipt_AWB 9899691321..exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	E7236252-receipt.vbs	Get hash	malicious	XWorm	Browse	104.21.45.138

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	OgcktrbHkI.exe	Get hash	malicious	Tofsee	Browse	20.114.59.183
	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.18101.30858.exe	Get hash	malicious	Unknown	Browse	20.114.59.183
	mBW2MzlcHN.exe	Get hash	malicious	LockBit ransomware, PureLog Stealer	Browse	20.114.59.183
	eiQXaKJ75nCjEWn.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	20.114.59.183
	0e46.scr.exe	Get hash	malicious	AgentTesla	Browse	20.114.59.183
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	20.114.59.183
	Dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	20.114.59.183
	#U00d6deme tavsiyesi.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	20.114.59.183
	E7236252-receipt.vbs	Get hash	malicious	XWorm	Browse	20.114.59.183
	4365078236450.LnK.lnk	Get hash	malicious	Unknown	Browse	20.114.59.183

Dropped Files

⊘No context

Created / dropped Files

C:\Windows\mbrmqqboi.exe

Download File

Process:	C:\tcls\Cyber.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	344064
Entropy (8bit):	7.954625895452996
Encrypted:	false
SSDEEP:	6144:vheZ5ndgOAWcTYZqKjwTdkPSSxG/9m/R36kSt2Kskibq4mcoo2:vhy5ndg/lT8qKjudu/RKkT/qcR2
MD5:	AE62909C8433ECDBE8289E3E1B5EC35E
SHA1:	D1D8302130ADA1B22D18D3E5A3B4FCACC60D3340
SHA-256:	6CF2B9A34AB1F04433DF6E6B0284777EAB479C3C0D855C2462DF17CB88FFA167
SHA-512:	CF2F8F62F80C839358EA81E7A4FB2BE36D0F905E3D82A303440852C18A7E232ABF5F2F360C8C3814E3D0EE240A7E083D12110DB64691F9D4C83E36BEE41CD86D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 51% Antivirus: Virustotal, Detection: 54%, Browse
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................8......x.............@..............................................@...................J..P...(................................................................... .......................X...........................CODE................................ ..`DATA....L...........................@...BSS......................................idata..............................@....tls.....................................rdata....... ......................@..P.WMV0....d...0......................`....WMV1....8.......:..................`....rsrc................>..............@..P........................................................................................................................................

C:\tcls\Client.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20037632
Entropy (8bit):	6.637497816081563
Encrypted:	false
SSDEEP:	393216:iMIpYEbN9vTwB8gM9iadWsoQ8lFGXhJRHDoqTKSU8KRDYbJtcjtzNCS7SLXSEu0J:iMIpYEbN9vTwBNUiadrovlFGXhjP7KRA
MD5:	76EB13182111ADDD7F0AF02BC8C17420
SHA1:	99E249DD8A7FAFFB3E185B54FE2022DFB244637B
SHA-256:	A3841858E540AA052CE043D231CC32B23D5E3C977E4E95AEAC5611F1BC31F35C
SHA-512:	98AC0B075A02F08D5057C3C425934C76B99F4C68D9C12E297B590A655F5A833370F0CF752B208B9CB348EB61183A5D7B726CF968422F174E96E37C9156A95F1C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......&..b..Fb..Fb..F..tFe..F\|.wFW..F\|.aF..FEN.Fs..Fb..F...Fk.aF...Fb..F...FEN.F...Fg..F7..F\|.fF"..FEN.Fa..Fk.hF_..Fk.pFc..F\|.vFc..Fb.uFc..Fk.sFc..FRichb..F........PE..L....f.N...........!......H..".......R>.......H...............................8.......#.............................09p.@....+p.......'.0.............".@.....6. 1..................................0.p.@.............H..............................text.....H.......H................. ..`.rdata..p.'...H...'...H.............@..@.data...(....Pp.....6p.............@....rsrc...0.....'....... .............@..@.reloc........6......./.............@..B........................................................................................................................................................................................................................................................................

C:\tcls\Cyber.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5338624
Entropy (8bit):	7.997345410431866
Encrypted:	true
SSDEEP:	98304:e+7UX9OhhuzVIxoi8Qov105OKvgK61esFrG0Xxu/Dv7ICZ06s68r24cGE:erXSQVe8Xd05OB1esFrG0oDTI8TIy
MD5:	E30F528038EFC32CBA51643BF67B7AF2
SHA1:	2F09511FB2057E85A51487221D4C9DEB5B234695
SHA-256:	E6544E5013F949FBB7F478B2857811E62AC3E1C58961177A68F6A5C043FA80A5
SHA-512:	B4FEF9D3D5AD5C1F52B26767B8D9D2A7B87D5D33B69F28802D93E24F1BB263CDF4648899CC4370EC34F4DCF70FEFB9F96D14ABFA8589841BFB92A37674C52152
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79% Antivirus: Virustotal, Detection: 58%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................P...\......'.[......`...............................@...................@....................f.O...._].........%"...................................................Y........................c.\|...........................CODE....TO.......................... ..`DATA....l....`......................@...BSS......B...............................idata..v4..........................@....tls......... ...........................rdata.......0......................@..P.vmp0....qH..@......................`..`.vmp1....LQ...[..NQ.................`..`.rsrc...%".......$...RQ.............@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.995894383607539
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
File size:	15'256'203 bytes
MD5:	813b31f7ee7bbdd8e42890394ea6f16f
SHA1:	31f3b24ab55399f61ca2a39055714883ba01807c
SHA256:	07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f
SHA512:	8c216ea0d1ca43ffaca7a4370a1fd3142faedcf395fa0f37639b314b3675ecbf50e883c9b6ca57086ee1bed3138d9f5805c219df57ca8ef99b710b110c5ca90d
SSDEEP:	393216:myEVlfhmA+m6RNWYL0YIl4NJrjC/s9gGj5fbD:SlZnL6fHL1NNJKE9gW5ff
TLSH:	20E633B29BDD95B0CC13587087B8FF72903698010759279F0291EA7DBFB29948D7A273
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+.}.on..on..on......bn.......n......wn...3..yn...3..\|n...3..En..f...en..f...ln..on...n...3..Mn...3..nn...3..nn...3..nn..Richon.

File Icon


Icon Hash:	2775250905472797

Static PE Info

General

Entrypoint:	0x40fce7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x57B0C36A [Sun Aug 14 19:15:54 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	49091c5c46d1ed156931ed11f43d3afa

Entrypoint Preview

Instruction
call 00007FBC31431ACEh
jmp 00007FBC31431445h
cmp ecx, dword ptr [0042B0A8h]
jne 00007FBC314315C5h
ret
jmp 00007FBC31431C44h
jmp 00007FBC3143624Eh
push ebp
mov ebp, esp
and dword ptr [00457960h], 00000000h
sub esp, 2Ch
push ebx
xor ebx, ebx
inc ebx
or dword ptr [0042B0ACh], ebx
push 0000000Ah
call 00007FBC31443182h
test eax, eax
je 00007FBC3143173Ah
and dword ptr [ebp-14h], 00000000h
xor eax, eax
or dword ptr [0042B0ACh], 02h
xor ecx, ecx
push esi
push edi
mov dword ptr [00457960h], ebx
lea edi, dword ptr [ebp-2Ch]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-2Ch]
mov ecx, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor ecx, 49656E69h
mov eax, dword ptr [ebp-24h]
xor eax, 6C65746Eh
or ecx, eax
mov eax, dword ptr [ebp-28h]
xor eax, 756E6547h
or ecx, eax
neg ecx
push 00000001h
pop eax
sbb cl, cl
push 00000000h
add cl, 00000001h
pop ecx
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
mov dword ptr [edi+0Ch], edx
je 00007FBC31431605h
mov eax, dword ptr [ebp-2Ch]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007FBC314315E5h
cmp eax, 00020660h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD2 build 23918
[EXP] VS2015 UPD2 build 23918
[RES] VS2015 UPD2 build 23918
[LNK] VS2015 UPD2 build 23918

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2a510	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a544	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x39c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0x2354	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x28c20	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x235c0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x22000	0x1d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x29bd4	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20f77	0x21000	792daf1ebbf0f019d3486580dfe317d1	False	0.5852790601325758	data	6.621622506076134	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x22000	0x8fd4	0x9000	9d62ca750ab21611bd69d7a3e5333d52	False	0.4624565972222222	data	5.135489014865361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x2d370	0xc00	ab0f244b352be8b4c7ffac28b0999542	False	0.23697916666666666	data	2.7652001050956354	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x59000	0xfc	0x200	7af9f45b4511d68a2575fde63622b162	False	0.353515625	data	2.163164717821436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5a000	0x39c4	0x3a00	1e77adc716984508b1f8675d2a446dab	False	0.4030845905172414	data	5.363454690938261	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0x2354	0x2400	f61d7f0f6bcc5a445f5126dff171e1c0	False	0.7889539930555556	data	6.69514422609229	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x5a57c	0xbb6	Device independent bitmap graphic, 93 x 302 x 4, 2 compression, image size 2894, resolution 2835 x 2835 px/m	Chinese	China	0.2581721147431621
RT_ICON	0x5b134	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.6047297297297297
RT_ICON	0x5b25c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Chinese	China	0.4703757225433526
RT_ICON	0x5b7c4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.4986559139784946
RT_ICON	0x5baac	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Chinese	China	0.4444945848375451
RT_DIALOG	0x5c354	0x176	data	Chinese	China	0.6898395721925134
RT_DIALOG	0x5c4cc	0xd6	data	Chinese	China	0.6962616822429907
RT_DIALOG	0x5c5a4	0xba	data	Chinese	China	0.7204301075268817
RT_DIALOG	0x5c660	0x102	data	Chinese	China	0.6201550387596899
RT_DIALOG	0x5c764	0x286	data	Chinese	China	0.4953560371517028
RT_DIALOG	0x5c9ec	0x1ce	data	Chinese	China	0.6645021645021645
RT_STRING	0x5cbbc	0xb6	data	Chinese	China	0.7472527472527473
RT_STRING	0x5cc74	0xd6	data	Chinese	China	0.6962616822429907
RT_STRING	0x5cd4c	0xca	data	Chinese	China	0.7920792079207921
RT_STRING	0x5ce18	0x76	data	Chinese	China	0.9152542372881356
RT_STRING	0x5ce90	0x282	data	Chinese	China	0.6417445482866043
RT_STRING	0x5d114	0x94	data	Chinese	China	0.777027027027027
RT_STRING	0x5d1a8	0x78	data	Chinese	China	0.9083333333333333
RT_STRING	0x5d220	0x64	data	Chinese	China	0.63
RT_STRING	0x5d284	0x52	data	Chinese	China	0.8780487804878049
RT_STRING	0x5d2d8	0x6a	data	Chinese	China	0.7452830188679245
RT_GROUP_ICON	0x5d344	0x3e	data	Chinese	China	0.8387096774193549
RT_MANIFEST	0x5d384	0x640	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China	0.423125

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, SetCurrentDirectoryW, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, RtlUnwind, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetStdHandle, HeapSize, GetConsoleCP, GetConsoleMode, SetFilePointerEx, DecodePointer

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 20:25:48.079384089 CEST	49675	443	192.168.2.4	173.222.162.32
May 4, 2024 20:25:49.126283884 CEST	49678	443	192.168.2.4	104.46.162.224
May 4, 2024 20:25:57.688657045 CEST	49675	443	192.168.2.4	173.222.162.32
May 4, 2024 20:26:10.089307070 CEST	49730	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:10.089342117 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:10.089410067 CEST	49730	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:10.097976923 CEST	49730	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:10.097991943 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:10.651349068 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:10.651439905 CEST	49730	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:10.653938055 CEST	49730	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:10.653949976 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:10.654164076 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:10.704430103 CEST	49730	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:11.208059072 CEST	49730	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:11.252120018 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:11.569032907 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:11.569051027 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:11.569057941 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:11.569066048 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:11.569087982 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:11.569134951 CEST	49730	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:11.569169044 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:11.569190979 CEST	49730	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:11.569199085 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:11.569228888 CEST	49730	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:11.569274902 CEST	49730	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:11.949506998 CEST	49730	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:11.949546099 CEST	443	49730	20.114.59.183	192.168.2.4
May 4, 2024 20:26:54.201906919 CEST	49736	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:54.201946020 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:26:54.202009916 CEST	49736	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:54.202938080 CEST	49736	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:54.202950954 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:26:54.753175020 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:26:54.753273010 CEST	49736	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:54.762706995 CEST	49736	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:54.762763977 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:26:54.762979031 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:26:54.775732040 CEST	49736	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:54.820113897 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:26:55.295838118 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:26:55.295861959 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:26:55.295876980 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:26:55.295938969 CEST	49736	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:55.295963049 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:26:55.296022892 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:26:55.296036005 CEST	49736	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:55.296077967 CEST	49736	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:55.312602997 CEST	49736	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:55.312633991 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:26:55.312663078 CEST	49736	443	192.168.2.4	20.114.59.183
May 4, 2024 20:26:55.312669992 CEST	443	49736	20.114.59.183	192.168.2.4
May 4, 2024 20:27:08.127165079 CEST	49723	80	192.168.2.4	199.232.210.172
May 4, 2024 20:27:08.127911091 CEST	49724	80	192.168.2.4	199.232.210.172
May 4, 2024 20:27:08.277546883 CEST	80	49724	199.232.210.172	192.168.2.4
May 4, 2024 20:27:08.277571917 CEST	80	49724	199.232.210.172	192.168.2.4
May 4, 2024 20:27:08.277658939 CEST	49724	80	192.168.2.4	199.232.210.172
May 4, 2024 20:27:08.277704000 CEST	80	49723	199.232.210.172	192.168.2.4
May 4, 2024 20:27:08.277715921 CEST	80	49723	199.232.210.172	192.168.2.4
May 4, 2024 20:27:08.277760029 CEST	49723	80	192.168.2.4	199.232.210.172

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 20:26:19.648261070 CEST	138	138	192.168.2.4	192.168.2.255

HTTP Request Dependency Graph

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-05-04 18:26:11 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=okFYfBKbmACV4or&MD=d2putLvK HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49730	20.114.59.183	443	6992	C:\tcls\Cyber.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 18:26:11 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: e8faa2fa-e055-49f2-a63b-070d43084301 MS-RequestId: 605c0619-8ad0-4f7e-a4ae-f992342fef4f MS-CV: koMlJoM9T06YKH+9.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sat, 04 May 2024 18:26:10 GMT Connection: close Content-Length: 24490
2024-05-04 18:26:11 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-04 18:26:11 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49736	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-05-04 18:26:54 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=okFYfBKbmACV4or&MD=d2putLvK HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	20.114.59.183	443	6992	C:\tcls\Cyber.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 18:26:55 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 0e0915a8-6f45-458d-8bec-81fa384a2f31 MS-RequestId: 5411214a-43f6-40fb-b68b-4a82532b41bf MS-CV: U0YVENCwJE2pv1P+.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sat, 04 May 2024 18:26:54 GMT Connection: close Content-Length: 25457
2024-05-04 18:26:55 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-04 18:26:55 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	0
Start time:	20:25:51
Start date:	04/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe"
Imagebase:	0xb30000
File size:	15'256'203 bytes
MD5 hash:	813B31F7EE7BBDD8E42890394EA6F16F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:25:52
Start date:	04/05/2024
Path:	C:\tcls\Cyber.exe
Wow64 process (32bit):	true
Commandline:	"C:\tcls\Cyber.exe"
Imagebase:	0x10000
File size:	5'338'624 bytes
MD5 hash:	E30F528038EFC32CBA51643BF67B7AF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs Detection: 58%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Windows\" /grant Administrator:(OI)(CI)F
Imagebase:	0x420000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Windows\" /grant Administrators:(OI)(CI)F
Imagebase:	0x420000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Users\user\AppData\Local\Temp\" /grant Administrator:(OI)(CI)F
Imagebase:	0x420000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Users\user\AppData\Local\Temp\" /grant Administrators:(OI)(CI)F
Imagebase:	0x420000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\mbrmqqboi.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\mbrmqqboi.exe 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC l
Imagebase:	0x400000
File size:	344'064 bytes
MD5 hash:	AE62909C8433ECDBE8289E3E1B5EC35E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 51%, ReversingLabs Detection: 54%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc.exe config Winmgmt start= AUTO
Imagebase:	0xa70000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\mbrmqqboi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\mbrmqqboi.exe" 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC
Imagebase:	0x400000
File size:	344'064 bytes
MD5 hash:	AE62909C8433ECDBE8289E3E1B5EC35E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	20:25:55
Start date:	04/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	34

Executed Functions

Function 00B3E8DE Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 180
filecomwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B347F4: GetModuleHandleW.KERNEL32 ref: 00B3480C
Part of subcall function 00B347F4: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B34824
Part of subcall function 00B347F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B34847

OleInitialize.OLE32(00000000), ref: 00B3E8F1

Part of subcall function 00B353BF: GetCPInfo.KERNEL32(00000000,?), ref: 00B353D0
Part of subcall function 00B353BF: IsDBCSLeadByte.KERNEL32(00000000), ref: 00B353E4

GetCommandLineW.KERNEL32 ref: 00B3E914
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00B3E93B
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007002), ref: 00B3E950
UnmapViewOfFile.KERNEL32(00000000), ref: 00B3E97D

Part of subcall function 00B3E5C3: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00B3E5D9
Part of subcall function 00B3E5C3: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B3E615

CloseHandle.KERNEL32(00000000), ref: 00B3E984
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe,00000800), ref: 00B3E99E
SetEnvironmentVariableW.KERNEL32(sfxname,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe), ref: 00B3E9B0
GetLocalTime.KERNEL32(?), ref: 00B3E9B7
_swprintf.LIBCMT ref: 00B3E9F6
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00B3EA08
GetModuleHandleW.KERNEL32(00000000), ref: 00B3EA0B
LoadIconW.USER32(00000000,00000064), ref: 00B3EA22
LoadBitmapW.USER32(00000065), ref: 00B3EA35
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0000C3C5,00000000), ref: 00B3EA85
Sleep.KERNEL32(?), ref: 00B3EABC
DeleteObject.GDI32 ref: 00B3EAFA
DeleteObject.GDI32(?), ref: 00B3EB06

Part of subcall function 00B3D104: CharUpperW.USER32(?,?,?,?,00001000), ref: 00B3D15C
Part of subcall function 00B3D104: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 00B3D183

CloseHandle.KERNEL32 ref: 00B3EB48
OleUninitialize.OLE32 ref: 00B3EB4E

Strings

winrarsfxmappingfile.tmp, xrefs: 00B3E92F
sfxname, xrefs: 00B3E9AB
sfxstime, xrefs: 00B3EA03
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, xrefs: 00B3E997, 00B3E99C, 00B3E9AA, 00B3EA49
STARTDLG, xrefs: 00B3EA7A
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00B3E9E7

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteLoadObjectProcUpperView$BitmapByteCommandDialogIconInfoInitializeLeadLineLocalMappingNameOpenParamSleepTimeUninitializeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3132662180-2443902774
Opcode ID: e7d0258e22715fb36e7392936798fa2d5fa62284a9b249e04d9ce367c1cd1992
Instruction ID: 4754479df88c553b4f3d83e4ef67848235e51fa251373ac66c3a9500db1d9101
Opcode Fuzzy Hash: e7d0258e22715fb36e7392936798fa2d5fa62284a9b249e04d9ce367c1cd1992
Instruction Fuzzy Hash: D251E231942300ABC310AB65EC49F6B7BE8EB49B01F5444DAF949A32F1DF34D984CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B359CA Relevance: 15.1, APIs: 2, Strings: 6, Instructions: 1051COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B35F0A
__allrem.LIBCMT ref: 00B35F86

Strings

Cyber.exe, xrefs: 00B359F3, 00B35ACD, 00B35AD8, 00B35AE4, 00B35AEF, 00B35AF0, 00B35BA1, 00B35C35, 00B35C96, 00B35CD5, 00B35CED, 00B36196, 00B361BA, 00B361BF, 00B36207, 00B3624D, 00B36257, 00B36265, 00B3626C, 00B3626D, 00B362E7, 00B36300, 00B3630A, 00B3633E, 00B36343, 00B36344, 00B3636C, 00B36378, 00B363A9, 00B363D8, 00B363F4, 00B36404, 00B36418, 00B36421, 00B3642B, 00B36447, 00B3644C, 00B36496, 00B3652D, 00B3657C, 00B36592
z01, xrefs: 00B35D5B, 00B35D65
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, xrefs: 00B35C9B, 00B35CDA, 00B35CF2, 00B35D42, 00B35D66, 00B35D92, 00B35E0A, 00B35E0F, 00B35E29, 00B35E58, 00B35EB7, 00B35F36, 00B35FAA, 00B36070, 00B360CB, 00B36176, 00B361C0, 00B3642C, 00B366BA, 00B366F4
zipx, xrefs: 00B35E17
zx01, xrefs: 00B35D54
zip, xrefs: 00B35E1E, 00B35E28

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: __allrem
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe$Cyber.exe$z01$zip$zipx$zx01
API String ID: 2933888876-3295552768
Opcode ID: dcd984be6770beee6d30876cb40cc9e1135fc99fc17b2e17dd7c766ad0acd6a5
Instruction ID: ac21913cdc2abea1c0c9669a3e2174cc775a187b44f16ef0026724faad42da8c
Opcode Fuzzy Hash: dcd984be6770beee6d30876cb40cc9e1135fc99fc17b2e17dd7c766ad0acd6a5
Instruction Fuzzy Hash: EC8290B1A10218EFDB24EF28DC91BAA77E4FB15350F2444EAF949D7262DB709D84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B329F7 Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00B328F5,000000FF,?,?), ref: 00B32A2C
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00B328F5,000000FF,?,?), ref: 00B32A62
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00B328F5,000000FF,?,?), ref: 00B32A6A
FindNextFileW.KERNEL32(?,?,?,?,?,?,00B328F5,000000FF,?,?), ref: 00B32A92
GetLastError.KERNEL32(?,?,?,?,00B328F5,000000FF,?,?), ref: 00B32A9E

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: ab13afe311742c23afea9ef8c01c758d73b21e3d112d6875111462b98c395ed8
Instruction ID: 440df985f9f100d560968cecd69493f009143b5b5730cde9e182c1195da522af
Opcode Fuzzy Hash: ab13afe311742c23afea9ef8c01c758d73b21e3d112d6875111462b98c395ed8
Instruction Fuzzy Hash: 77416E76609245AFC324EF68C880ADBF7E8FF48351F144A6AF5A9D3240DB34AD54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B47439 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00B4740F,?,00B598A8,0000000C,00B47522,?,00000002,00000000), ref: 00B4745A
TerminateProcess.KERNEL32(00000000,?,00B4740F,?,00B598A8,0000000C,00B47522,?,00000002,00000000), ref: 00B47461
ExitProcess.KERNEL32 ref: 00B47473

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d935b440ed387f314db1f81001694b34310118154d07e123ef700fed802f6d75
Instruction ID: 9c7ba27c96579d5801c01b4daee6736fb9871e0c7c3d079c7bad6ce4a51dd2f4
Opcode Fuzzy Hash: d935b440ed387f314db1f81001694b34310118154d07e123ef700fed802f6d75
Instruction Fuzzy Hash: EAE04F31041604ABCF116F54DD08B593FA9EB01352F044494F94897231CF35DE51EA80

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C3C5 Relevance: 97.0, APIs: 46, Strings: 9, Instructions: 713COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B3C3CA

Strings

winrarsfxmappingfile.tmp, xrefs: 00B3C795
"%s"%s, xrefs: 00B3C8E1
LICENSEDLG, xrefs: 00B3CC0A
-el -s2 "-d%s" "-p%s" "-sp%s", xrefs: 00B3C75A
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, xrefs: 00B3C9AF, 00B3CB36
STARTDLG, xrefs: 00B3C3E9
<, xrefs: 00B3C773
@, xrefs: 00B3C780
__tmp_rar_sfx_access_check_%u, xrefs: 00B3C697

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog
String ID: "%s"%s$-el -s2 "-d%s" "-p%s" "-sp%s"$<$@$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3519838083-2639842667
Opcode ID: 794751942a2a66af2decf0d581c321cb3209c664b902a2bdf8685d52e000ae39
Instruction ID: b632e432ce15ea23e454d7dba629e91b7bb149e94b5a2423d7aca271cf51fee9
Opcode Fuzzy Hash: 794751942a2a66af2decf0d581c321cb3209c664b902a2bdf8685d52e000ae39
Instruction Fuzzy Hash: 6732C371940348BEEB21ABA49C8AFBA3BE8EB05701F6040E5F645B71E1CF745D85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B347F4 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 314
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00B3480C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B34824
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B34847
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B34AF2
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B34B0A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B34B1C
ReadFile.KERNEL32(00000000,?,00007FFE,00B52470,00000000), ref: 00B34B3B
CloseHandle.KERNEL32(00000000), ref: 00B34B93
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B34BA9
CompareStringW.KERNEL32(00000400,00001001,00B524BC,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00B34C03
GetFileAttributesW.KERNELBASE(?,?,00B52488,00000800,?,00000000,?,00000800), ref: 00B34C2C
GetFileAttributesW.KERNEL32(?,?,00B52548,00000800), ref: 00B34C65

Part of subcall function 00B347AA: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B347C5
Part of subcall function 00B347AA: LoadLibraryW.KERNELBASE(?,?,00B341B6,Crypt32.dll,?,00B34239,?,00B3421C,?,?,?,?), ref: 00B347E7

_swprintf.LIBCMT ref: 00B34CD5
_swprintf.LIBCMT ref: 00B34D21

Part of subcall function 00B337C1: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B337D4

AllocConsole.KERNEL32 ref: 00B34D29
GetCurrentProcessId.KERNEL32 ref: 00B34D33
AttachConsole.KERNEL32(00000000), ref: 00B34D3A
_wcslen.LIBCMT ref: 00B34D4F
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00B34D60
WriteConsoleW.KERNEL32(00000000), ref: 00B34D67
Sleep.KERNEL32(00002710), ref: 00B34D72
FreeConsole.KERNEL32 ref: 00B34D78
ExitProcess.KERNEL32 ref: 00B34D80

Strings

dwmapi.dll, xrefs: 00B348AF, 00B34C98
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00B34D0F
DXGIDebug.dll, xrefs: 00B34884, 00B34BEF
kernel32, xrefs: 00B34802
uxtheme.dll, xrefs: 00B34CA2
SetDefaultDllDirectories, xrefs: 00B34841
SetDllDirectoryW, xrefs: 00B3481E

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 102917b9f8240fce7348c36d188ee841fbc00a93e2ac8c714b9209950ff404bb
Instruction ID: bba4887f61bcd493ac5de6af064ab9ce8a6dac16e2f842c429cd720eae4b3d74
Opcode Fuzzy Hash: 102917b9f8240fce7348c36d188ee841fbc00a93e2ac8c714b9209950ff404bb
Instruction Fuzzy Hash: D7D183B250A3849ED735DF50C849B9FB7E8EF86306F5008DCE98997290DBB0954CCB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D273 Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 435
windowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B3D278

Part of subcall function 00B3BFEA: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00B3C0B2

SetFileAttributesW.KERNEL32(-00003C84,00000005,-00007C84,00000800,-0000FC8C,75C05540,?,00000000,00B3C327,?,00000003), ref: 00B3D3AD
_wcslen.LIBCMT ref: 00B3D3E8
_wcslen.LIBCMT ref: 00B3D3FC
_wcslen.LIBCMT ref: 00B3D421
GetFileAttributesW.KERNEL32(-00003C84), ref: 00B3D467
DeleteFileW.KERNEL32(-00003C84), ref: 00B3D475
_wcslen.LIBCMT ref: 00B3D557
_wcslen.LIBCMT ref: 00B3D560
SetWindowTextW.USER32(?,-00005C84), ref: 00B3D5BE
_wcslen.LIBCMT ref: 00B3D600
_wcsrchr.LIBVCRUNTIME ref: 00B3D73E
GetDlgItem.USER32(?,00000066), ref: 00B3D77E
SetWindowTextW.USER32(00000000,-0000103C), ref: 00B3D78E
SendMessageW.USER32(00000000,00000143,00000000,00B848F0), ref: 00B3D7A2
SendMessageW.USER32(00000000,00000143,00000000,-0000103C), ref: 00B3D7CB

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00B3D664
ProgramFilesDir, xrefs: 00B3D68F
<br>, xrefs: 00B3D521
%s.%d.tmp, xrefs: 00B3D48D

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _wcslen$File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 1808871598-312220925
Opcode ID: 1b2a523b12d9c559e7c0b5262b850589b522b8d0d8103f0eeb02cf4e5a998627
Instruction ID: b4f794fe2ba938f15b9715f05cc14035a92f31a9c5d962a2148675a0da8dbe3b
Opcode Fuzzy Hash: 1b2a523b12d9c559e7c0b5262b850589b522b8d0d8103f0eeb02cf4e5a998627
Instruction Fuzzy Hash: 87E15072900259AAEF24ABA4ED85EEE77FCEF04350F2040E6F555E7151EF709B848B60

Uniqueness

Uniqueness Score: -1.00%

Function 00B33E2E Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowRect.USER32(?,?), ref: 00B33E65
GetClientRect.USER32(?,?), ref: 00B33E71
GetWindowLongW.USER32(?,000000F0), ref: 00B33F20
GetWindowRect.USER32(?,?), ref: 00B33F4D
GetWindowTextW.USER32(?,?,00000400), ref: 00B33F6C
SetWindowTextW.USER32(?,?), ref: 00B33F93
GetSystemMetrics.USER32(00000008), ref: 00B33F9B
GetWindow.USER32(?,00000005), ref: 00B33FA6
GetWindowTextW.USER32(00000000,?,00000400), ref: 00B33FD1
SetWindowTextW.USER32(00000000,00000000), ref: 00B33FFE
GetWindowRect.USER32(00000000,?), ref: 00B34011
GetWindow.USER32(00000000,00000002), ref: 00B34083

Strings

d, xrefs: 00B33E91

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Window$RectText$ClientLongMetricsSystem
String ID: d
API String ID: 701536498-2564639436
Opcode ID: 5ff8f056681e52d698a09479740560c272ddda331947f1d9b539467194bb6ebd
Instruction ID: 8ed2737936516970353046907d3adca24b81f518a63f840890e69ffa2b61bdd6
Opcode Fuzzy Hash: 5ff8f056681e52d698a09479740560c272ddda331947f1d9b539467194bb6ebd
Instruction Fuzzy Hash: 3C716972208300AFD714DF68CD88F6BBBE9FB88714F54495DFA8593290DB74E9098B52

Uniqueness

Uniqueness Score: -1.00%

Function 00B3DF38 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000068,00B858F8), ref: 00B3DF47
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00B3BBE6,00000001,?,?,00B3C3B4,00B53090,00B858F8,00B858F8), ref: 00B3DF72
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B3DF81
SendMessageW.USER32(00000000,000000C2,00000000,00B52310), ref: 00B3DF8B
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B3DFA1
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00B3DFB7
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B3DFF7
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00B3E001
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B3E010
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B3E033
SendMessageW.USER32(00000000,000000C2,00000000,00B53018), ref: 00B3E03E

Strings

\, xrefs: 00B3DFA7

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$ItemShowWindow
String ID: \
API String ID: 1207805008-2967466578
Opcode ID: 131f98a4dcc0e57a2ddafb2c536657154f9c1881abf2eff2607c895da000f2af
Instruction ID: e558cec311584133920457b03f56504cefcc6227a95e348938e019e8c5f2b8fd
Opcode Fuzzy Hash: 131f98a4dcc0e57a2ddafb2c536657154f9c1881abf2eff2607c895da000f2af
Instruction Fuzzy Hash: 332146712857443EE311EB249C85FAB7FDCDF82710F100518FA90A71D1CBA54A098ABB

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E1D2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00B3E1F1
ShellExecuteExW.SHELL32(?), ref: 00B3E2FA
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 00B3E33F
GetExitCodeProcess.KERNEL32(?,?), ref: 00B3E36D
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B3E391
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 00B3E3F5

Strings

.exe, xrefs: 00B3E39B
.inf, xrefs: 00B3E2B6

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: d070178d724fe697114993c5164d9c007a978c5b143903023e64f372eb61a1cf
Instruction ID: 9ec1b24e097633166c4e2bdccd456800e406adb7e8c6d4ca1bbff75fe71440fa
Opcode Fuzzy Hash: d070178d724fe697114993c5164d9c007a978c5b143903023e64f372eb61a1cf
Instruction Fuzzy Hash: 385102315043819ADB329F24CC40ABBB7E8EF80744F28049FE4E1971E1EBB1D988DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00B33A2C Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B33A31
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00B33A13,?), ref: 00B33A69
_wcsrchr.LIBVCRUNTIME ref: 00B33A77

Part of subcall function 00B35386: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00B333D2,00000000,?,?), ref: 00B353A2

Strings

*messages***, xrefs: 00B33B62
*messages***, xrefs: 00B33B29
a, xrefs: 00B33B7E
R, xrefs: 00B33B74

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide_wcsrchr
String ID: *messages***$*messages***$R$a
API String ID: 2549165012-2900423073
Opcode ID: f3afbc11756ec12de060ddea75a4b6972ff25e61f923b71694c5c66c81471c65
Instruction ID: 5b4f152f2cf5259e0d8bcb92d7f01d7f4415bac823b9223b00eb83c05616b1c4
Opcode Fuzzy Hash: f3afbc11756ec12de060ddea75a4b6972ff25e61f923b71694c5c66c81471c65
Instruction Fuzzy Hash: 57911872A006059BDB34DB68CC91BAFB7E8EF40B10F3445EAE545A72D1EB709B84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B49DB5 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B4579C,00B4579C,?,?,?,00B4A006,00000001,00000001,23E85006), ref: 00B49E0F
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B4A006,00000001,00000001,23E85006,?,?,?), ref: 00B49E95
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B49F8F
__freea.LIBCMT ref: 00B49F9C

Part of subcall function 00B4846D: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B44B84,?,0000015D,?,?,?,?,00B45703,000000FF,00000000,?,?), ref: 00B4849F

__freea.LIBCMT ref: 00B49FA5
__freea.LIBCMT ref: 00B49FCA

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9698d89271b7cc8e167030f519ee20e96b0e42f957a5ca4b5eb5d8a4d1d1aed8
Instruction ID: b784091880633259b1c79554e203c6cff50335e7b37cd3d963c376ccac4a7880
Opcode Fuzzy Hash: 9698d89271b7cc8e167030f519ee20e96b0e42f957a5ca4b5eb5d8a4d1d1aed8
Instruction Fuzzy Hash: 7851D072610216AFDB258FA4CC81EBF77E9EB44750F1546A9FC04D7140EB35EE48E690

Uniqueness

Uniqueness Score: -1.00%

Function 00B34E15 Relevance: 9.1, APIs: 6, Instructions: 96
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToFileTime.KERNEL32(?,00B34E0F), ref: 00B34E6A
LocalFileTimeToFileTime.KERNEL32(00B34E0F,?), ref: 00B34E99
FileTimeToSystemTime.KERNEL32(00B34E0F,?), ref: 00B34EAF
TzSpecificLocalTimeToSystemTime.KERNELBASE(00000000,?,?), ref: 00B34EC0
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B34ECE
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B34ED8

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Time$File$System$Local$Specific
String ID:
API String ID: 3144155402-0
Opcode ID: 8f3b8f1e95f2000b9537014632cd6b3f59dcabe9b47bb6953e745c12f433efba
Instruction ID: feda4acb3c5d7eb6b80b7c4652e3bbefe753732df373234fa98919df4d765b1a
Opcode Fuzzy Hash: 8f3b8f1e95f2000b9537014632cd6b3f59dcabe9b47bb6953e745c12f433efba
Instruction Fuzzy Hash: A6310A7A900219EBCB04DFE8C8809EFF7B8FF48700F14455AE956E3200E730A945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00B3B97D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00B3B994
SHAutoComplete.SHLWAPI(?,00000010), ref: 00B3B9CB

Part of subcall function 00B35644: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00B32EC7,?,?,?,00B32E74,?,-00000002,?,00000000,?), ref: 00B3565A

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00B3B9BB

Strings

EDIT, xrefs: 00B3B99F, 00B3B9AA, 00B3B9B7

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: b344120dbdad843cd39eaaff3c2e5700d67a74bf925106f1e5821024512e18bc
Instruction ID: b28d93e9e4ec7a8c0953d1cf35054400d7e2dc339ead5e4eb8f78951a3beda7e
Opcode Fuzzy Hash: b344120dbdad843cd39eaaff3c2e5700d67a74bf925106f1e5821024512e18bc
Instruction Fuzzy Hash: 71F0823260272877D73056659C05FAB77ACEF46B51F5401D5BF04A7184DB60A9018AF6

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E5C3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00B3E5D9
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B3E615

Strings

sfxcmd, xrefs: 00B3E5D4
sfxpar, xrefs: 00B3E610

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 28948883da3c787d290bc3cb564689ed88feb1ba92acaaf635008723a4059af2
Instruction ID: d8b2a6ed7efaaa6e1d80591c94800a74635094cf3788ae1cbd242cf7eab0f03c
Opcode Fuzzy Hash: 28948883da3c787d290bc3cb564689ed88feb1ba92acaaf635008723a4059af2
Instruction Fuzzy Hash: 28F0A772402324E6D7212B948C4ABBA77DCDF19B92F1040D6FC4597291DA61DD40D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3B9EB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B347AA: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B347C5
Part of subcall function 00B347AA: LoadLibraryW.KERNELBASE(?,?,00B341B6,Crypt32.dll,?,00B34239,?,00B3421C,?,?,?,?), ref: 00B347E7

OleInitialize.OLE32(00000000), ref: 00B3BA01
SHGetMalloc.SHELL32(00B711B0), ref: 00B3BA24

Strings

3Qo, xrefs: 00B3BA19
riched20.dll, xrefs: 00B3B9F1

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryInitializeLibraryLoadMallocSystem
String ID: riched20.dll$3Qo
API String ID: 1045004029-4232643773
Opcode ID: 4c823ab2e2dc77e02467b814baf960d24d44ec7deb4cb9acf09730de0ccddd71
Instruction ID: 7d0b13b0a82e3368ff87a93ce0710efceb13b508a7b66074098cab4f6ba8725b
Opcode Fuzzy Hash: 4c823ab2e2dc77e02467b814baf960d24d44ec7deb4cb9acf09730de0ccddd71
Instruction Fuzzy Hash: 0DE04F71641318ABD7105FA4DC0EF597BFCEB05716F0041E9F949A7250DFB569048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B31F07 Relevance: 6.1, APIs: 4, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000), ref: 00B31F87
GetLastError.KERNEL32(?,?,00000000,00000003,-00000001,00000000), ref: 00B31F94
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00000000,00000003,-00000001,00000000), ref: 00B31FC9
GetLastError.KERNEL32(?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00000000,00000003,-00000001,00000000), ref: 00B31FD1

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 5bd0532e5853d21f418be7f906391c10a1f6c2d533c131c86ada2798438c3454
Instruction ID: 563b3b4759f1949dd42493dbeccdc85693b60f31fd85bd4826bb0e7855cb5621
Opcode Fuzzy Hash: 5bd0532e5853d21f418be7f906391c10a1f6c2d533c131c86ada2798438c3454
Instruction Fuzzy Hash: 203158718413416FE3219B288C45BEBBBE8FB45364F244A59FD90872C1D7B59988CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B31DF7 Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B31E07
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00B31E1F
GetLastError.KERNEL32 ref: 00B31E51
GetLastError.KERNEL32 ref: 00B31E70

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 0f17f79aa5194755a4eb193b1e7a786a1310e24c4198b6567a973dddebb1e20d
Instruction ID: 29bbeed399823d27859289c9e6b27ae141330fe0ad8c10f65f1b7b146ad9c80b
Opcode Fuzzy Hash: 0f17f79aa5194755a4eb193b1e7a786a1310e24c4198b6567a973dddebb1e20d
Instruction Fuzzy Hash: 28118230501228EFDB209BA8C944A6A77EDEB05762F208DAAFD1686190DB339D50DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B4A241 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00B449ED,00000000,00000000,?,00B4A1E8,00B449ED,00000000,00000000,00000000,?,00B4A3E5,00000006,FlsSetValue), ref: 00B4A273
GetLastError.KERNEL32(?,00B4A1E8,00B449ED,00000000,00000000,00000000,?,00B4A3E5,00000006,FlsSetValue,00B554A0,00B554A8,00000000,00000364,?,00B48DF8), ref: 00B4A27F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B4A1E8,00B449ED,00000000,00000000,00000000,?,00B4A3E5,00000006,FlsSetValue,00B554A0,00B554A8,00000000), ref: 00B4A28D

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 2f0dc8343d178bc19cdde237a0b9ebeee075967623498eb1b618b68352666ea3
Instruction ID: 8bd4c6146524603d7fe0245c1badfb7c795787bb5e1b114a3f398c7af9899177
Opcode Fuzzy Hash: 2f0dc8343d178bc19cdde237a0b9ebeee075967623498eb1b618b68352666ea3
Instruction Fuzzy Hash: 2F01FC327427229BC7214F78EC44F5777D8EF45B6171506A4F906D7180DB61D901E6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C21C Relevance: 6.0, APIs: 4, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B3C22D
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B3C23E
TranslateMessage.USER32(?), ref: 00B3C248
DispatchMessageW.USER32(?), ref: 00B3C252

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 4226dff595ea1824c1013757b7b62a795cf5b4e0f07696f1e2828fffdbf5deac
Instruction ID: adc5e85dec10e9645f90ba2e272a8f1293f5c49e7593aa6555d64fa672a55118
Opcode Fuzzy Hash: 4226dff595ea1824c1013757b7b62a795cf5b4e0f07696f1e2828fffdbf5deac
Instruction Fuzzy Hash: ABE07DB2D0226EA78B20ABF6AC4DDEB7F7CEE46262B004591BA19D3110DB649505C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 00B35903 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B3590C
__allrem.LIBCMT ref: 00B35F0A

Strings

Cyber.exe, xrefs: 00B359F3, 00B35ACD, 00B35AD8, 00B35AE4, 00B35AEF, 00B35AF0, 00B35BA1, 00B35C35
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, xrefs: 00B35926

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog__allrem
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe$Cyber.exe
API String ID: 2283500502-2023509382
Opcode ID: 0b6a32c7c52828c4dfb9db94b4a862a9bf234b60779a8dc4c77abd676c58a286
Instruction ID: fc69da0ccb95ae7e794649f3d151fef21acaf85ac2f3bed40892598d3017cd06
Opcode Fuzzy Hash: 0b6a32c7c52828c4dfb9db94b4a862a9bf234b60779a8dc4c77abd676c58a286
Instruction Fuzzy Hash: 519174B1910319DEDB20EF65DD81BAA77E8FB08354F6040EAF948E7292DB749D44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B3260D Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B3368A: _wcslen.LIBCMT ref: 00B33690

CreateDirectoryW.KERNELBASE(?,00000000,?), ref: 00B32634
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?), ref: 00B32667
GetLastError.KERNEL32(?,?), ref: 00B32684

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: a3ddffbcd56c92d5357d29b2adeba760a48bc21dd2ed8b702896c59bbd670a13
Instruction ID: 025785d73285a176deaafa67e311a2677761f061e4b380859ac72ef44b0dec3b
Opcode Fuzzy Hash: a3ddffbcd56c92d5357d29b2adeba760a48bc21dd2ed8b702896c59bbd670a13
Instruction Fuzzy Hash: CD01D43251221466DF216B685C47BFF33DCDF1B781F3844D5F940E6091DF64A980CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00B4AD33 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00B4AD58

Strings

, xrefs: 00B4AD9D

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: b6173b1ff13bce65f85c317f31f5bd6a5a37380fec751fd09030a78c36a8e49a
Instruction ID: 3647b7616c202a5618438327d0c536c2d9ff0173a6e65023aaa7dc1bcdf8ada6
Opcode Fuzzy Hash: b6173b1ff13bce65f85c317f31f5bd6a5a37380fec751fd09030a78c36a8e49a
Instruction Fuzzy Hash: F9412A709443889EDB228E648C84BF6BBFEDB45704F2404ECE59A87142D235AB45EF21

Uniqueness

Uniqueness Score: -1.00%

Function 00B4A479 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,23E85006,00000001,?,000000FF), ref: 00B4A4EA

Strings

LCMapStringEx, xrefs: 00B4A48A, 00B4A494

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 090d08e182263bee65f96fa75a9ccc2a2fd4faea712fe4a7958bf8cb10eae8d0
Instruction ID: ff24ce558d60fc01ae17e8f1ad537b428c2c2d3d2ab8bfe78680ce4c6b512d77
Opcode Fuzzy Hash: 090d08e182263bee65f96fa75a9ccc2a2fd4faea712fe4a7958bf8cb10eae8d0
Instruction Fuzzy Hash: CD014C3254020DBBDF125F90DC05EEE3FA2EF48722F014094FE1826260CA728A71FB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E463 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B3E468

Part of subcall function 00B3468A: _wcslen.LIBCMT ref: 00B346A0

Part of subcall function 00B3A446: __EH_prolog.LIBCMT ref: 00B3A44B

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, xrefs: 00B3E497

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
API String ID: 2838827086-3224907921
Opcode ID: 13d6484b9778ffc3062818042aa12d926092e097a7545b79b31c6aa723a33318
Instruction ID: bb309a5cf3c4e9719b59003e0a6600cbfde0e4ad8655c687e62b91f33a2e61dd
Opcode Fuzzy Hash: 13d6484b9778ffc3062818042aa12d926092e097a7545b79b31c6aa723a33318
Instruction Fuzzy Hash: 8D01F572549240AED300AB68AC167AA7FE4D725720F1040DFE858573B2DFB21644DB36

Uniqueness

Uniqueness Score: -1.00%

Function 00B4A417 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00B49AA1), ref: 00B4A462

Strings

InitializeCriticalSectionEx, xrefs: 00B4A432

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 96a09933fbc548533101b3f3bd46a7284c83b10a5a469a249c9fe13c9ef68378
Instruction ID: 8f0eae110f7589bcdcfadfda162a60ed2f6e32598077e2f036e427010c4814fa
Opcode Fuzzy Hash: 96a09933fbc548533101b3f3bd46a7284c83b10a5a469a249c9fe13c9ef68378
Instruction Fuzzy Hash: 47F09A31681318BBCB116F54CC05EAE7FE1EF49B22B0080E4FD092A260CE714A51EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B4A2BC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00B4A2FB

Strings

FlsAlloc, xrefs: 00B4A2D7

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 823b070fddac34ae0cd639f8d90f3e4cbbc02a18d4d69a94b89e311d38e72fad
Instruction ID: af4c2d3b98ecba5eb980e6e19c72e85feacc2835684a767dc305c99b6be1514f
Opcode Fuzzy Hash: 823b070fddac34ae0cd639f8d90f3e4cbbc02a18d4d69a94b89e311d38e72fad
Instruction Fuzzy Hash: 71E0E570A85718BB9310AF649C12E7EBBD4DB59B23F4001D5FC0967350DE611F41A6D6

Uniqueness

Uniqueness Score: -1.00%

Function 00B444F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00B4450E

Strings

FlsAlloc, xrefs: 00B444FD, 00B44507

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 215337b7e8cc92f62e49aba58583cc0acfa7c158f913f22186560f8011a00a6d
Instruction ID: 4d21922a91ef8c160f21e14793e88ea37c180bc32dca937cc3ed2990f74764b0
Opcode Fuzzy Hash: 215337b7e8cc92f62e49aba58583cc0acfa7c158f913f22186560f8011a00a6d
Instruction Fuzzy Hash: 71D012A1B8172867951036A45C02FAAFAC4D608FE3F0400D2FF086575195A24B3465D2

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EB6B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EB7D

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Strings

3Qo, xrefs: 00B3EB6B, 00B3EB77

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Qo
API String ID: 1269201914-1944013411
Opcode ID: c3cd901740a89b0892b74e70bf4bcda27b3418a8a44af3b9b9fd077564215371
Instruction ID: c5af3aa6dbf38c01354b9c1253b37ae1f64d4c80e121cd74770873509a7ee3e5
Opcode Fuzzy Hash: c3cd901740a89b0892b74e70bf4bcda27b3418a8a44af3b9b9fd077564215371
Instruction Fuzzy Hash: 32B01286259202FC361513147D46E3611DCC5C0F12B3081EBBC01F80C0B8404C081132

Uniqueness

Uniqueness Score: -1.00%

Function 00B4B088 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00B4AC5B: GetOEMCP.KERNEL32(00000000,?,?,00B4AEE4,?), ref: 00B4AC86

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00B4AF29,?,00000000), ref: 00B4B0FC
GetCPInfo.KERNEL32(00000000,00B4AF29,?,?,?,00B4AF29,?,00000000), ref: 00B4B10F

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: d0933d036681bd4eb4a825814c20c2e508714cac55a92d2bdd563167ce715ca4
Instruction ID: 0d7f5e1108c6df90dee573311fb97b40ca59c9baa060d0ac9579f0cf04719f8f
Opcode Fuzzy Hash: d0933d036681bd4eb4a825814c20c2e508714cac55a92d2bdd563167ce715ca4
Instruction Fuzzy Hash: E1514070A042459FDB24CF25C891EBBBBE5EF01300F1484EEE2969B252D774DB42EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B4AEC7 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00B48D26: GetLastError.KERNEL32(?,?,00B44E4E,?,00000000,?,00B449ED,00000200,00000000,?), ref: 00B48D2A
Part of subcall function 00B48D26: _free.LIBCMT ref: 00B48D5D
Part of subcall function 00B48D26: SetLastError.KERNEL32(00000000,00000000,?), ref: 00B48D9E
Part of subcall function 00B48D26: _abort.LIBCMT ref: 00B48DA4

Part of subcall function 00B4AFE6: _abort.LIBCMT ref: 00B4B018
Part of subcall function 00B4AFE6: _free.LIBCMT ref: 00B4B04C

Part of subcall function 00B4AC5B: GetOEMCP.KERNEL32(00000000,?,?,00B4AEE4,?), ref: 00B4AC86

_free.LIBCMT ref: 00B4AF3F
_free.LIBCMT ref: 00B4AF75

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 8473b1be0659c37d3a3da07b0c7fde7538352c41c94a1e20779f1ed2005611d7
Instruction ID: d3a10d7ac2b4a5df6eca51f45d7fc4eaa5a21a8ad599f7ef2bd698bed94cff15
Opcode Fuzzy Hash: 8473b1be0659c37d3a3da07b0c7fde7538352c41c94a1e20779f1ed2005611d7
Instruction Fuzzy Hash: EF31B171944208AFDB10EFA8D881BADBBF4EF41321F2540D9F4149B291EB329F45EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B31CD2 Relevance: 3.1, APIs: 2, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,-C0000001,?,00000000,00000002,00000000,00000000,?), ref: 00B31D4E
CreateFileW.KERNEL32(?,-C0000001,?,00000000,00000002,00000000,00000000,?,?,00000800,?), ref: 00B31D8F

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a5f9af9fe22be207d8f5b4221a5b6ee9cfc9db3374a051b871481202dfa1bde1
Instruction ID: 82054040a44ba8cdc5dcb953df5c9751e8f98279da7af4fe2e25f79983e5bfe3
Opcode Fuzzy Hash: a5f9af9fe22be207d8f5b4221a5b6ee9cfc9db3374a051b871481202dfa1bde1
Instruction Fuzzy Hash: 8C21E471444744AFE7308F28CC85BB7BBECDB05324F208E69F9E5C6190D77499489B61

Uniqueness

Uniqueness Score: -1.00%

Function 00B32398 Relevance: 3.1, APIs: 2, Instructions: 83fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B32370
WriteFile.KERNELBASE(?), ref: 00B3239D

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f7c8865a252b97ac8adae6c9886abf82f72248a695008aed30585b52972a167d
Instruction ID: 7e340b90b37fc6c6a197e26b9a9b486b556bc83608795c412d409c5b482e081b
Opcode Fuzzy Hash: f7c8865a252b97ac8adae6c9886abf82f72248a695008aed30585b52972a167d
Instruction Fuzzy Hash: CA216A71144206AFEB208F24CC49BAAB7E8FB40300F244969F599971C1CB38F889CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00B321AD Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00B321C7
SetFileTime.KERNELBASE(?,?,?,?), ref: 00B32277

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: d568e83c7c1aa258d3fdfc15b5a82c6487838911ee218a9fd679bb61b4029e04
Instruction ID: 1fde0bc197c810dc1ad9ab71052886ba41fd4eeb66ca9c0a0477a964ad405648
Opcode Fuzzy Hash: d568e83c7c1aa258d3fdfc15b5a82c6487838911ee218a9fd679bb61b4029e04
Instruction Fuzzy Hash: 8021BF31259295ABC715DF24CD81EABBBD4EF96304F18099DB8C187151D725ED0CC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B4A1A5 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00000000), ref: 00B4A205
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B4A212

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: eaef9e2570d20a052416970eaf58034df972504587a7c82be740e184b50bfcb8
Instruction ID: a320ca7294eace9db00a3b420f8f7d9d440a91820bb743828363fb74ed597ee7
Opcode Fuzzy Hash: eaef9e2570d20a052416970eaf58034df972504587a7c82be740e184b50bfcb8
Instruction Fuzzy Hash: A1110A33A40621AF9B259E28EC4096B73D5EB8532071A02A0FC15BB284DB31EE41F7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00B32286 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00B322BC
GetLastError.KERNEL32 ref: 00B322C8

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: ebf5608864e33db3b9b9b9fcd632551071009777d283833e4484af16344c9a5a
Instruction ID: 81fb2ea030ed0153ac4448f511cb79cb93e81d132a80b302baceda86c05f8e10
Opcode Fuzzy Hash: ebf5608864e33db3b9b9b9fcd632551071009777d283833e4484af16344c9a5a
Instruction Fuzzy Hash: B5019EB17023406BEB349B29CC84B6BB6D9EB85316F2449BEB152C36C0DA71DC08D621

Uniqueness

Uniqueness Score: -1.00%

Function 00B32032 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 00B32086
GetLastError.KERNEL32 ref: 00B32093

Part of subcall function 00B31E8E: __EH_prolog.LIBCMT ref: 00B31E93

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileH_prologLastPointer
String ID:
API String ID: 4236474358-0
Opcode ID: 9779116e1c8669f53723ac8b72f23e5de793992aa100394fd778c1c8d1302227
Instruction ID: 297e198e30945c4c254656fd6ea3621736d8622454ae9e2faf57b51b584973c1
Opcode Fuzzy Hash: 9779116e1c8669f53723ac8b72f23e5de793992aa100394fd778c1c8d1302227
Instruction Fuzzy Hash: 7201B5366012109B9B1C8F59CC84AAB77D9FF95721B344299FC268B291DB71D809D760

Uniqueness

Uniqueness Score: -1.00%

Function 00B340A7 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,00000200,?), ref: 00B340EC
LoadStringW.USER32(?,?,00000200,?), ref: 00B34102

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 34f72958ba7707569489faa16f64fbd5dca09362b4914714a655c3a0f53ddb70
Instruction ID: 10eb6400017ad7a8b0591743c06d5c62230dc13ba4338612ff03845945b32c7d
Opcode Fuzzy Hash: 34f72958ba7707569489faa16f64fbd5dca09362b4914714a655c3a0f53ddb70
Instruction Fuzzy Hash: ABF0F6727003287BDA219F20AC44F6B7FEDDB19782F1104B5FE48A7461DE215C4197A4

Uniqueness

Uniqueness Score: -1.00%

Function 00B3284A Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,?,?,00B32680,?,?), ref: 00B3285E
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,?,00B32680,?,?), ref: 00B3288F

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 33a811e4f22819d415131cd4654441fef1785f1a86206904a5ed8274a3a40fbf
Instruction ID: b997b3beb4fbd4021a78cf45b48c9a8d1f9cb651f6c49124aa788f035c03ab12
Opcode Fuzzy Hash: 33a811e4f22819d415131cd4654441fef1785f1a86206904a5ed8274a3a40fbf
Instruction Fuzzy Hash: 64F01C322822096ADB115F649C01BE977ACBF15782F4480A1B98896161DA3299949A54

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E87D Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B3E8AB
SetDlgItemTextW.USER32(00000065,?), ref: 00B3E8C2

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 690a134658c4e237099cebc7d89aefd04234dd00e622005bcadf1d584fa20141
Instruction ID: 408e2eda6566a44a88eecb5b55c24b536f028345e3ea7f9b1fd725cd52a00962
Opcode Fuzzy Hash: 690a134658c4e237099cebc7d89aefd04234dd00e622005bcadf1d584fa20141
Instruction Fuzzy Hash: 9EF0EC71E443486AD711A7A0DC06FAA3B9D9704742F2400E6B705671E2DE719A6147A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B32525 Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,00B31DF5,?,?,00B31C16), ref: 00B32536
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00B31DF5,?,?,00B31C16), ref: 00B32564

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 10f9a05b5cd7214aaf34beb8594251a52e56ca6716617ee7768a83eb2243f1b6
Instruction ID: caa78ac39464161cfd64fe387924169b1d247a3ca75980f6a07542783f9861eb
Opcode Fuzzy Hash: 10f9a05b5cd7214aaf34beb8594251a52e56ca6716617ee7768a83eb2243f1b6
Instruction Fuzzy Hash: 82E09232552209ABDB009F65DC01BEA77ECFB157C2F5880E1BC84C31A5DF22DE94DA64

Uniqueness

Uniqueness Score: -1.00%

Function 00B3258C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00B3259D
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00B325C9

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fa2f5bba83fdc2a67e2cf6e7ad39ca126219c2ce97671380f15a65ea3642681c
Instruction ID: a5fea582267717daf682c5edcfac82fd3d420efaad0ea20e4038558db48284ba
Opcode Fuzzy Hash: fa2f5bba83fdc2a67e2cf6e7ad39ca126219c2ce97671380f15a65ea3642681c
Instruction Fuzzy Hash: D8E092329022285BCB10AB68DC04BE977ECEB197E2F0442E1FD48D3291DE719EC48AD4

Uniqueness

Uniqueness Score: -1.00%

Function 00B347AA Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B347C5
LoadLibraryW.KERNELBASE(?,?,00B341B6,Crypt32.dll,?,00B34239,?,00B3421C,?,?,?,?), ref: 00B347E7

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 097f903de8fac5912bd1f492fb0b3519d8e59d0a768d4dae7a76dd3b1f0edde4
Instruction ID: a6ac955ba9de8d3e74b65b2d2e4ad69919e08166338f67ea2be8917f60b22c68
Opcode Fuzzy Hash: 097f903de8fac5912bd1f492fb0b3519d8e59d0a768d4dae7a76dd3b1f0edde4
Instruction Fuzzy Hash: 0FE092728012586BCB10AB949C04FEB77ACEB09382F0400E1B948D3100DB749A80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B43415 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00B444F9: try_get_function.LIBVCRUNTIME ref: 00B4450E

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B43433
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00B4343E

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: a62869dd4d11f02c0b66c4aa9864b52b97efb58082c707f427a2cd4decbfa818
Instruction ID: 156e663ea4dc7e0a66f71e3f5ad2c25341d915662eb398181a33acd7bd1d3966
Opcode Fuzzy Hash: a62869dd4d11f02c0b66c4aa9864b52b97efb58082c707f427a2cd4decbfa818
Instruction Fuzzy Hash: 0BD0A920048304550C823AB438A3BD923C48932FB836C52DAE130A62E2EF1083013523

Uniqueness

Uniqueness Score: -1.00%

Function 00B3138B Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00B313A0
ShowWindow.USER32(00000000), ref: 00B313A7

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 722e9875c7dc8f82bae3df37c9a801baf84a4a82c3e8a17b49ba3a82eb61578f
Instruction ID: 59a9aa27b857c8f56acd5efc208bbd8cb294968c649cd0e78a21535d1405c05e
Opcode Fuzzy Hash: 722e9875c7dc8f82bae3df37c9a801baf84a4a82c3e8a17b49ba3a82eb61578f
Instruction Fuzzy Hash: 11C01272158204BECB418B70DC09D2A7BA8EB94212F04C948B0B5D1060CF38C010DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00B3BD46 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B3BD4B

Part of subcall function 00B31F07: CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000), ref: 00B31F87
Part of subcall function 00B31F07: GetLastError.KERNEL32(?,?,00000000,00000003,-00000001,00000000), ref: 00B31F94
Part of subcall function 00B31F07: CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00000000,00000003,-00000001,00000000), ref: 00B31FC9
Part of subcall function 00B31F07: GetLastError.KERNEL32(?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00000000,00000003,-00000001,00000000), ref: 00B31FD1

Part of subcall function 00B32286: SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00B322BC
Part of subcall function 00B32286: GetLastError.KERNEL32 ref: 00B322C8

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLast$Create$H_prologPointer
String ID:
API String ID: 3930172495-0
Opcode ID: 591aca92e6f0c9963b9ff79ae4a40251fb4eccf97383457850ff2414acbf0b9f
Instruction ID: 529bbe3f3f37fdabf36d9e92f5cbdbc70a63e3116212dada5659739f95af2ce7
Opcode Fuzzy Hash: 591aca92e6f0c9963b9ff79ae4a40251fb4eccf97383457850ff2414acbf0b9f
Instruction Fuzzy Hash: 0241B375900965ABDB24DF28CCC1EEB73E8EF44790F2009E9F6469624AEB309E44C690

Uniqueness

Uniqueness Score: -1.00%

Function 00B31000 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

___vcrt_EventRegister.LIBVCRUNTIME ref: 00B31029

Part of subcall function 00B3105D: ___vcrt_EventSetInformation.LIBVCRUNTIME ref: 00B31072

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Event___vcrt_$InformationRegister
String ID:
API String ID: 1509250826-0
Opcode ID: 131f1d3a9344ba49629931691b73cf2561a4fbc2b6f502b7819e1aa933fb083b
Instruction ID: 1850833d009e7cf35258c066252ac620d93c828a82d2fb8d6b1a37b30eee8ded
Opcode Fuzzy Hash: 131f1d3a9344ba49629931691b73cf2561a4fbc2b6f502b7819e1aa933fb083b
Instruction Fuzzy Hash: 9CF0C272600255ABC318CE5DC841EB6B3ECFB45B10F5005AAFD18D7640E735EC60D6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B31E8E Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B31E93

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c5572526c57f0867fa7f3a4ed41cf9abfed4a9ccaadeba2e4851e86fb458e476
Instruction ID: 8807375e9f5aa9e675ed1a543afd0a235151ad5f1320105dd1f51c4aca827d0a
Opcode Fuzzy Hash: c5572526c57f0867fa7f3a4ed41cf9abfed4a9ccaadeba2e4851e86fb458e476
Instruction Fuzzy Hash: ABF03775E001148FDB18EF5CD40AA6DF7F8EF88610B1049AEE816E3351DAB09D018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B4846D Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00B44B84,?,0000015D,?,?,?,?,00B45703,000000FF,00000000,?,?), ref: 00B4849F

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1259ba54b659f8cf1fdee0c00fb32d00ca542e246d902eb1c01560dfea8ccf74
Instruction ID: 21492a6111ae7ab4eda1f48ca8b10154005a92af3a97592afb8147ae715a85dc
Opcode Fuzzy Hash: 1259ba54b659f8cf1fdee0c00fb32d00ca542e246d902eb1c01560dfea8ccf74
Instruction Fuzzy Hash: 05E06D321452226BEA316B7AEC41B5F3AD8DF427B0F1501E1BD15AB290DF20CF00B6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00B31C84 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00B31C1D), ref: 00B31C9F

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9b8e163da2fc098be6e77f345f6fb453003590b8e6e4cb51abf18a8c8582d7a1
Instruction ID: 8fc042ed1602878c2efe3b02efcf630f54f0793d79ac055653fe5e562471c860
Opcode Fuzzy Hash: 9b8e163da2fc098be6e77f345f6fb453003590b8e6e4cb51abf18a8c8582d7a1
Instruction Fuzzy Hash: ABF05E70982B044EDB319B28C958792B7E8DB12731F189F9ED0F6479E0C765688DCB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E723 Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00B3E740

Part of subcall function 00B3C21C: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B3C22D
Part of subcall function 00B3C21C: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B3C23E
Part of subcall function 00B3C21C: TranslateMessage.USER32(?), ref: 00B3C248
Part of subcall function 00B3C21C: DispatchMessageW.USER32(?), ref: 00B3C252

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Message$DispatchItemPeekSendTranslate
String ID:
API String ID: 4142818094-0
Opcode ID: 318945c54c88b1d378d2256c1bdc492f3b89dfd276b0740617ec77240608fbd0
Instruction ID: bd0a9370e29e5bca3b61e49f92aeeab7adee4ed1f5dfca892e9e9b6012028900
Opcode Fuzzy Hash: 318945c54c88b1d378d2256c1bdc492f3b89dfd276b0740617ec77240608fbd0
Instruction Fuzzy Hash: D9C012702803006ED7016B50DC07F2A3A56BB94701F6084547341340F18A7148219A15

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EB86 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EB98

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b3594db21026ff3af14ec876b6df9f682bad6897f8ab07f3db9cf30952a672e0
Instruction ID: f083c73bc81980b99eba2b2f08b890d469d57e79ca3cb012a54819bb6e2934fa
Opcode Fuzzy Hash: b3594db21026ff3af14ec876b6df9f682bad6897f8ab07f3db9cf30952a672e0
Instruction Fuzzy Hash: 80B01292668202FC32045204BD86F3A21CCC1C0B1273046EBB801D0080A8809C480137

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EEA1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EE7A

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 595d14309386ad12f2dc1a85ad0498415b026d90097c78560e9c11df9a0eb25b
Instruction ID: fc0523f4d06629de36c36fe7c7c3d1e5a46073911d942599e4f8ca24a6074a30
Opcode Fuzzy Hash: 595d14309386ad12f2dc1a85ad0498415b026d90097c78560e9c11df9a0eb25b
Instruction Fuzzy Hash: 52B012C62D8203FC334453086D46E3621CCC5C4B1273083EFB801D10C0D8804C4C0232

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EE83 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EE7A

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a2645f8322886c8e9a7e78e742c833d5cee51f8bf6b7496268e05416352798ec
Instruction ID: 3b617f3fb5ea343b4d7692eb808cbc9704d0f135cc02ca795c3eb7e881d9a6fb
Opcode Fuzzy Hash: a2645f8322886c8e9a7e78e742c833d5cee51f8bf6b7496268e05416352798ec
Instruction Fuzzy Hash: 8BB012D6298202FC334863086D02E3621DCC1C4B2273082EFBC01D1080D8804C080132

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EE8D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EE7A

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 055efb2126e17c102f0126e8042bf08d5be4c86df4856cc250d052449784f885
Instruction ID: 7fa2830a2edc051fba6fc8d3c37895b6a97b4eaa526153cb27294734f5975d61
Opcode Fuzzy Hash: 055efb2126e17c102f0126e8042bf08d5be4c86df4856cc250d052449784f885
Instruction Fuzzy Hash: 15B012C62D8103FC334453086D06E3621CCC5C4B1273086EFB801D10C0D8804C0C0133

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EEF8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EEDB

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e7c6b49a1bfaf0bebd477d98c38763b98d155fafc10868573a72394b36070f76
Instruction ID: 9c1d4005006fec8cc1fd7c949923a9bbd41048fb1d0e1202c1e521661418fda5
Opcode Fuzzy Hash: e7c6b49a1bfaf0bebd477d98c38763b98d155fafc10868573a72394b36070f76
Instruction Fuzzy Hash: DEB01286258112FC325453186E02E3B11CCC0C0B1273091FBB804C10C0DC406C0D0532

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EE68 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EE7A

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1a81582dbac068db64df02763478a7b27dec60e558cdb5c85001ecd337560f13
Instruction ID: 152692624af7da6fb4c2dbd202295bc409c06e28ecb5ff74bc60d0d320bebad3
Opcode Fuzzy Hash: 1a81582dbac068db64df02763478a7b27dec60e558cdb5c85001ecd337560f13
Instruction Fuzzy Hash: 3AB012C6298302FC370413547E43D3721CCC1C0B1273082EFB802F009098C04C0A0032

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EF02 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EEDB

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9cd6985e75a63b5b37001ff1e5d813600360e9b30def4daae700ded867cc7488
Instruction ID: 7e4738f7d8bc90a0c7dfc82ff89b68dbec3eaaded0aac9756d1221324a75d760
Opcode Fuzzy Hash: 9cd6985e75a63b5b37001ff1e5d813600360e9b30def4daae700ded867cc7488
Instruction Fuzzy Hash: C1B01286258212FC325453086D02E3B11CCC0C0B2273092FBB804C10C0DC406C4C0632

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EEB0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EE7A

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 34d8ad63f411760f81aae4b0c997a16157909c4f20ffc0e5567641c97c0fc55e
Instruction ID: 2dc46d4e49a0464397b158e4aa4731cac184bb3c0bd5ffe475630467b3e12264
Opcode Fuzzy Hash: 34d8ad63f411760f81aae4b0c997a16157909c4f20ffc0e5567641c97c0fc55e
Instruction Fuzzy Hash: 1AA011CA2A8203FC32082300AE02C3A22CCC0C8B22B308AEEB802E0080A8800C080032

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EEBA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EE7A

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b8602684ae1d1e5f2faa3beb1820860d8cedd31f75a177c62361df089c6f8f8d
Instruction ID: 2dc46d4e49a0464397b158e4aa4731cac184bb3c0bd5ffe475630467b3e12264
Opcode Fuzzy Hash: b8602684ae1d1e5f2faa3beb1820860d8cedd31f75a177c62361df089c6f8f8d
Instruction Fuzzy Hash: 1AA011CA2A8203FC32082300AE02C3A22CCC0C8B22B308AEEB802E0080A8800C080032

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EE9C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EE7A

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c73cb77aa9887e1b356393ce6f0c992ba4be0265a781b2556cb82c5fb3204e41
Instruction ID: 2dc46d4e49a0464397b158e4aa4731cac184bb3c0bd5ffe475630467b3e12264
Opcode Fuzzy Hash: c73cb77aa9887e1b356393ce6f0c992ba4be0265a781b2556cb82c5fb3204e41
Instruction Fuzzy Hash: 1AA011CA2A8203FC32082300AE02C3A22CCC0C8B22B308AEEB802E0080A8800C080032

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EEF3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EEDB

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2abdfb8bb99398e784eb432e0fdfab46b488d82ad63a899d11fcad87c491d69e
Instruction ID: 906bea1b03040f4b09d1663e88ccb0a1b289b205037b60ec734ec61f0131b77d
Opcode Fuzzy Hash: 2abdfb8bb99398e784eb432e0fdfab46b488d82ad63a899d11fcad87c491d69e
Instruction Fuzzy Hash: 86A0019A6A9623FC32686355AE46D3B22DCC4C4B62B309AEAB81695091A8846C491532

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EEE9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EEDB

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 042eb151d07f9571753923674d31363a4d3a058224968a36d053651f2a531d4c
Instruction ID: 906bea1b03040f4b09d1663e88ccb0a1b289b205037b60ec734ec61f0131b77d
Opcode Fuzzy Hash: 042eb151d07f9571753923674d31363a4d3a058224968a36d053651f2a531d4c
Instruction Fuzzy Hash: 86A0019A6A9623FC32686355AE46D3B22DCC4C4B62B309AEAB81695091A8846C491532

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EEC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EE7A

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 49462e803e7ddcda0cc51c8264bfb102a6a5e6e9021fe497846f533d69ff2a6e
Instruction ID: 2dc46d4e49a0464397b158e4aa4731cac184bb3c0bd5ffe475630467b3e12264
Opcode Fuzzy Hash: 49462e803e7ddcda0cc51c8264bfb102a6a5e6e9021fe497846f533d69ff2a6e
Instruction Fuzzy Hash: 1AA011CA2A8203FC32082300AE02C3A22CCC0C8B22B308AEEB802E0080A8800C080032

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EECE Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3EEDB

Part of subcall function 00B3F1FE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B3F27B
Part of subcall function 00B3F1FE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B3F28C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e2a748a5f8fd7a5cbe9d1401ae77c440d278e30df9ac23a5a27ac6faae81a8b7
Instruction ID: 547108f6e29389bedba8828d2cee9c992d17c8aa6266391f9be682a31110a7b3
Opcode Fuzzy Hash: e2a748a5f8fd7a5cbe9d1401ae77c440d278e30df9ac23a5a27ac6faae81a8b7
Instruction Fuzzy Hash: C0A0118A2A8222BC32282300BE02C3B22CCC0C0B22B3082EAB800A0080A8802C080032

Uniqueness

Uniqueness Score: -1.00%

Function 00B32305 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00B36AC7,?,Cyber.exe,?,00000000,?,?,00B365A4,Cyber.exe,?,00000000,00000000,Cyber.exe,Cyber.exe,Cyber.exe), ref: 00B32308

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: a993e551648e2ffc2da1a8e561fbe1841dc2c05bd2b7b06665114f4c8511238d
Instruction ID: 92c3a89089bfd1bb344f40f03507902d048087a47c278627186b287ae4ec6492
Opcode Fuzzy Hash: a993e551648e2ffc2da1a8e561fbe1841dc2c05bd2b7b06665114f4c8511238d
Instruction Fuzzy Hash: B6B011320A200A8A8E202B30CC088203A20EA2230B30882A0A002CA0A0CF22C023AA00

Uniqueness

Uniqueness Score: -1.00%

Function 00B3B9D8 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00B3BB4E,00B5226C,00000000,?,00000006,?,00000800), ref: 00B3B9DC

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: b01d36be9b85a8e714abda1109f45ff01303ceb6adf8ab8be560e03f266bb0da
Instruction ID: 0a184cfd797156380dd48410d3c5d0aca384db8764794aba957a83310d1a0949
Opcode Fuzzy Hash: b01d36be9b85a8e714abda1109f45ff01303ceb6adf8ab8be560e03f266bb0da
Instruction Fuzzy Hash: CDA01270196106468B010B30CC09D15B6505761703B008621B006C20E0CF304414E514

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B3CD67 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 289timewindowfileCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00B3CDF8
EndDialog.USER32(?,00000006), ref: 00B3CE0B
GetDlgItem.USER32(?,0000006C), ref: 00B3CE27
SetFocus.USER32(00000000), ref: 00B3CE2E
SetDlgItemTextW.USER32(?,00000065,?), ref: 00B3CE6E
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00B3CEA1
FindFirstFileW.KERNEL32(?,?), ref: 00B3CEB7
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B3CED5
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B3CEE5
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00B3CF02
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B3CF20

Part of subcall function 00B340A7: LoadStringW.USER32(?,?,00000200,?), ref: 00B340EC
Part of subcall function 00B340A7: LoadStringW.USER32(?,?,00000200,?), ref: 00B34102

_swprintf.LIBCMT ref: 00B3CF50

Part of subcall function 00B337C1: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B337D4

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00B3CF63
FindClose.KERNEL32(00000000), ref: 00B3CF66
_swprintf.LIBCMT ref: 00B3CFC1
SetDlgItemTextW.USER32(?,00000068,?), ref: 00B3CFD4
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00B3CFEA
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00B3D00A
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B3D01A
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00B3D034
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B3D04C
_swprintf.LIBCMT ref: 00B3D07D
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00B3D090
_swprintf.LIBCMT ref: 00B3D0E0
SetDlgItemTextW.USER32(?,00000069,?), ref: 00B3D0F3

Part of subcall function 00B3BBF0: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B3BC16
Part of subcall function 00B3BBF0: GetNumberFormatW.KERNEL32(00000400,00000000,?,00B5B03C,?,?), ref: 00B3BC65

Strings

%s %s %s, xrefs: 00B3CF3E, 00B3D06A
%s %s, xrefs: 00B3CFAF, 00B3D0D2
REPLACEFILEDLG, xrefs: 00B3CD8E

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Time$Item$File$FormatText$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumber__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 3610457056-1840816070
Opcode ID: 89102f61abbeb37f3e390aa17b6b576f25655e699d2e2691aba84a0ee8367bda
Instruction ID: c3b80ee296822f040b2cafeb3d77368eb1105763a1f783c2b4e3573d0250cb65
Opcode Fuzzy Hash: 89102f61abbeb37f3e390aa17b6b576f25655e699d2e2691aba84a0ee8367bda
Instruction Fuzzy Hash: 2391A372644348BFE231DBA0CC49FFB77ECEB49B01F144869B749D6091DB71A6098762

Uniqueness

Uniqueness Score: -1.00%

Function 00B4CD6E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B4CEB4

Strings

1#QNAN, xrefs: 00B4E0BA
1#INF, xrefs: 00B4E0C1
1#IND, xrefs: 00B4E0AC
1#SNAN, xrefs: 00B4E0B3

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fd33a07a7a37626a001505f389687399633057bffb51b4a6cfe26c689d353fa9
Instruction ID: 3df61deb06729c1464d9acaf1b86c000e4602be360f4f964b83471c78c7e05fe
Opcode Fuzzy Hash: fd33a07a7a37626a001505f389687399633057bffb51b4a6cfe26c689d353fa9
Instruction Fuzzy Hash: 27C21671E086288FDB25CE289D807EAB7F5EB85305F1541EAD84DE7240E774AF85AF40

Uniqueness

Uniqueness Score: -1.00%

Function 00B4855B Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B48653
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B4865D
UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00B4866A

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2741046d8f91a10bf8bc6a8f3de677ba877e6887d850a2dc06713ed1683bb04e
Instruction ID: a2171ccbea430ea3c632e299918c04031434c5cd2df7f09915c16924ea6f800c
Opcode Fuzzy Hash: 2741046d8f91a10bf8bc6a8f3de677ba877e6887d850a2dc06713ed1683bb04e
Instruction Fuzzy Hash: 2F31D37591131C9BCB61DF65D888B9DBBF8AF08310F5042EAE91CA7250EB309F859F54

Uniqueness

Uniqueness Score: -1.00%

Function 00B3FD07 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B3FD20

Strings

, xrefs: 00B3FE84

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: 61a58c0598c4fc3a6084529c78a711e96a914ba3e28fba4945b6bc7cda1f8f25
Instruction ID: 059994333ec3714309168cf722c94bbd1b40f6a55631747c5f9fe79a9796f3f1
Opcode Fuzzy Hash: 61a58c0598c4fc3a6084529c78a711e96a914ba3e28fba4945b6bc7cda1f8f25
Instruction Fuzzy Hash: A3516EB1D0520A9FEB24CF69D885BAABBF4FB48314F2485BAD415E72A0D7749940CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B4C8C0 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5826e262e05846006aa707909c2c08ce371c576bfdba0dcab0e4486e13c9c615
Instruction ID: ab04e8b876af822721875a3b64d107cdb1cd528f8c3b4b4b25d15b5539aa4021
Opcode Fuzzy Hash: 5826e262e05846006aa707909c2c08ce371c576bfdba0dcab0e4486e13c9c615
Instruction Fuzzy Hash: F4024B71E012199FDF54CFA9C8806ADBBF1FF88714F2582AAD819E7345D730AA41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B3BBF0 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B3BC16
GetNumberFormatW.KERNEL32(00000400,00000000,?,00B5B03C,?,?), ref: 00B3BC65

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 09af2b7b7296f9435929f4bc77781dd416e27456e4e4eed43ae1b9ca421ba7cc
Instruction ID: 2facdffdf328f47e5d7de0ff93e7d00f5e4bf9e5af1f420bf873072511712b40
Opcode Fuzzy Hash: 09af2b7b7296f9435929f4bc77781dd416e27456e4e4eed43ae1b9ca421ba7cc
Instruction Fuzzy Hash: DA017136100309EAD720DF64DC05F9B77FCEF09721F5040A2BA15E71A0DB709914CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B512E4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B512DF,?,?,00000008,?,?,00B50F7F,00000000), ref: 00B51511

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: bc18ff07ab515ecf9400cbe1dcbf9feb662c4af815d80ee96309da944f48b698
Instruction ID: 35b5a1ccc61538f36e4f717b5a51384552be43830d0f5c8a14a5cb57248f5cb2
Opcode Fuzzy Hash: bc18ff07ab515ecf9400cbe1dcbf9feb662c4af815d80ee96309da944f48b698
Instruction Fuzzy Hash: 6AB13C356106089FD719CF2CC486B657BE0FF45366F298AD8E89ACF2A1D335D986CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00B38677 Relevance: 1.7, Strings: 1, Instructions: 454COMMON

Download Yara Rule

Strings

, xrefs: 00B387EE

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 349741beb0e4e2d5c9e4887cc1253cea8cb6afdc2638d434881ea08fcaf69fe1
Instruction ID: c7cfd3208fe6990ddeab42ef33276c0d3364d50d0847afc8b17a4fc691a49949
Opcode Fuzzy Hash: 349741beb0e4e2d5c9e4887cc1253cea8cb6afdc2638d434881ea08fcaf69fe1
Instruction Fuzzy Hash: CFF1E3B1508715CBC710DF28CC9062AB7E2FB84334F754BAAF9A9572A0DF7199458B83

Uniqueness

Uniqueness Score: -1.00%

Function 00B37A93 Relevance: 1.6, Strings: 1, Instructions: 359COMMON

Download Yara Rule

Strings

c, xrefs: 00B37DB7

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: 394658f14ab66037e5a3086b609cc48d2f0377a9d0b08a4239e900b1c5802734
Instruction ID: 1a323f532565a7fa6361cb92f0b726254b0e81cafc36282e2b54600cf79c08db
Opcode Fuzzy Hash: 394658f14ab66037e5a3086b609cc48d2f0377a9d0b08a4239e900b1c5802734
Instruction Fuzzy Hash: 75E157B1A483558FC724DF28D480A6EBBE5FFC8708F2049ADE59997350DB31E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B32B7C Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00B32BA1

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b02f754ad42355bf4bff5650103232a85ed694d437271ba6f5811ebd3033ea83
Instruction ID: 30f778d3b36ec152419be86dde24d1a5e1b2d42ca65728208320e21124515cd3
Opcode Fuzzy Hash: b02f754ad42355bf4bff5650103232a85ed694d437271ba6f5811ebd3033ea83
Instruction Fuzzy Hash: 92F012B590421C8BDB24CF28EC817EAB3A5F758711F2046D5DA1593790EB706980CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B4004A Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010056,00B3FB64), ref: 00B4004F

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 65160f4015a74511ed06474a18fd83712d413b8267947dab5337baa79d3a310b
Instruction ID: 54a6cbe435ac825c3124c5635302dbf6bf9d26919461b5ed34ee518d260ad8b4
Opcode Fuzzy Hash: 65160f4015a74511ed06474a18fd83712d413b8267947dab5337baa79d3a310b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00B4B4B6 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00B4B4B6

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 3654e2b9faac54bdc94ee7c7d48e55cf914b68b7d131278064dfb4b07be328b0
Instruction ID: 7a76b348abcc375554c9941de6c820f23a3d3f73745fba6e9b500cde9b049f6e
Opcode Fuzzy Hash: 3654e2b9faac54bdc94ee7c7d48e55cf914b68b7d131278064dfb4b07be328b0
Instruction Fuzzy Hash: D9A001746436018B97808F35AA8970A3AA9AA56ED274A50A9A609D7170EE248490AB05

Uniqueness

Uniqueness Score: -1.00%

Function 00B41F5D Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 95b828cba6b4d2de7997806198af9def539f131674c820794c213845fa05e49a
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: C8C150326055930ADF2D463E847413FBAE1DAA17B131A17EDE4B2CB1D4FE20C669F620

Uniqueness

Uniqueness Score: -1.00%

Function 00B42392 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 2e1d2b9f7b2bd8634c2d6d47226eca310738d4cd53b3bb7440644613caebb058
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: E8C1533220559309DF2D473D947413EBAE1DAA27B131A17DDE4B2CB1D5FE20CA69F620

Uniqueness

Uniqueness Score: -1.00%

Function 00B41B28 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 27dde6cf844e748ce4dd846b8c573b09fae3923f9cd1a5ed7be4c5aaf027a40c
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 6CC18336A0559309DF2D463D947413FBAE1DAA27B131A1BEDD4B3CB0C5FE10C6A9A620

Uniqueness

Uniqueness Score: -1.00%

Function 00B41710 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: c0060dd2a460725461177018f54025a7fa0d606a05d9b7adfa8436d50f64e6c6
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: FCC1513260559309DF2D463E947413FBBE1DAA17B131A1BEDD4B2CB1D4FE20C6A9E620

Uniqueness

Uniqueness Score: -1.00%

Function 00B45352 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e60f1eb8535692d3b522a7c3775175520a61252bb7d57cc916f9c7306491ca
Instruction ID: f00ab883edfe3517b6b73c58b4881b9aa8e28ab20e185ed1fdef20c51636ddbc
Opcode Fuzzy Hash: 95e60f1eb8535692d3b522a7c3775175520a61252bb7d57cc916f9c7306491ca
Instruction Fuzzy Hash: D0616671600F0867DA389E6848967BE23E5EB41741F2008DAE983CF387D655DF81B359

Uniqueness

Uniqueness Score: -1.00%

Function 00B31773 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618e8da4ab10fc13031c9bfdaf2826663ed666212431e0f9b8e60bf2cf0d1d74
Instruction ID: 8c7a226005e1c5c06bf43eca0fe58e4eddffa6fd637649d3689ebb2aba94942e
Opcode Fuzzy Hash: 618e8da4ab10fc13031c9bfdaf2826663ed666212431e0f9b8e60bf2cf0d1d74
Instruction Fuzzy Hash: 0721DD71A202658FDB18CF2DDCD093A7BA5E74630275681ABED4687381C935ED15C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B4386B Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00B4396F
_GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 00B439EA
___TypeMatch.LIBVCRUNTIME ref: 00B43A5E
___DestructExceptionObject.LIBVCRUNTIME ref: 00B43AE3
IsInExceptionSpec.LIBVCRUNTIME ref: 00B43B1E
FindHandlerForForeignException.LIBVCRUNTIME ref: 00B43B6D
___DestructExceptionObject.LIBVCRUNTIME ref: 00B43B8F
__CxxThrowException@8.LIBVCRUNTIME ref: 00B43BA7
_UnwindNestedFrames.LIBCMT ref: 00B43BAF
___FrameUnwindToState.LIBVCRUNTIME ref: 00B43BBB
CallUnexpected.LIBVCRUNTIME ref: 00B43BC6

Strings

csm, xrefs: 00B4399E
csm, xrefs: 00B438AC
csm, xrefs: 00B43919

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Exception$DestructObjectSpecUnwind$CallCheckException@8FindForeignFrameFramesHandlerMatchNestedRangeStateThrowTrysTypeUnexpected
String ID: csm$csm$csm
API String ID: 410073093-393685449
Opcode ID: bb981c6c4968072ab66617368b887bb150a275832e0a1b8ef02efedf7efa7604
Instruction ID: 86f744f61240055f2c1f79412e5f103f52e13aa8a62f03d71ab830626f2ad044
Opcode Fuzzy Hash: bb981c6c4968072ab66617368b887bb150a275832e0a1b8ef02efedf7efa7604
Instruction Fuzzy Hash: F6B19B30800209AFDF28DF94C885BAEBBF4FF18B14F188199E85167251C7759B45EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B4BF99 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B4BFDD

Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BB95
Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BBA7
Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BBB9
Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BBCB
Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BBDD
Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BBEF
Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BC01
Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BC13
Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BC25
Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BC37
Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BC49
Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BC5B
Part of subcall function 00B4BB78: _free.LIBCMT ref: 00B4BC6D

_free.LIBCMT ref: 00B4BFD2

Part of subcall function 00B48433: RtlFreeHeap.NTDLL(00000000,00000000,?,00B4BD0D,00000000,00000000,00000000,00000000,?,00B4BD34,00000000,00000007,00000000,?,00B4C131,00000000), ref: 00B48449
Part of subcall function 00B48433: GetLastError.KERNEL32(00000000,?,00B4BD0D,00000000,00000000,00000000,00000000,?,00B4BD34,00000000,00000007,00000000,?,00B4C131,00000000,00000000), ref: 00B4845B

_free.LIBCMT ref: 00B4BFF4
_free.LIBCMT ref: 00B4C009
_free.LIBCMT ref: 00B4C014
_free.LIBCMT ref: 00B4C036
_free.LIBCMT ref: 00B4C049
_free.LIBCMT ref: 00B4C057
_free.LIBCMT ref: 00B4C062
_free.LIBCMT ref: 00B4C09A
_free.LIBCMT ref: 00B4C0A1
_free.LIBCMT ref: 00B4C0BE
_free.LIBCMT ref: 00B4C0D6

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f2badd6d70e525db6745fdd30c7a086bfa1488ab33c332ad2ed4e2b290c5aaca
Instruction ID: d9bfd935b4380a9661bc8278d87936c7bda2530d2865e438ae10a6e744f47cf3
Opcode Fuzzy Hash: f2badd6d70e525db6745fdd30c7a086bfa1488ab33c332ad2ed4e2b290c5aaca
Instruction Fuzzy Hash: 5A315071601705DFEB70AB39E845B6ABBE8EF00750F5484AAE459D7251DF31EF40AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B48C32 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B48C46

Part of subcall function 00B48433: RtlFreeHeap.NTDLL(00000000,00000000,?,00B4BD0D,00000000,00000000,00000000,00000000,?,00B4BD34,00000000,00000007,00000000,?,00B4C131,00000000), ref: 00B48449
Part of subcall function 00B48433: GetLastError.KERNEL32(00000000,?,00B4BD0D,00000000,00000000,00000000,00000000,?,00B4BD34,00000000,00000007,00000000,?,00B4C131,00000000,00000000), ref: 00B4845B

_free.LIBCMT ref: 00B48C52
_free.LIBCMT ref: 00B48C5D
_free.LIBCMT ref: 00B48C68
_free.LIBCMT ref: 00B48C73
_free.LIBCMT ref: 00B48C7E
_free.LIBCMT ref: 00B48C89
_free.LIBCMT ref: 00B48C94
_free.LIBCMT ref: 00B48C9F
_free.LIBCMT ref: 00B48CAD

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6e52601b2b9a6bc4f867ab9784aef64cf098ede6d797b437babc495aac8c2f2d
Instruction ID: fb050ccb31b28458515e0910ba6a3bead1a00c36e9c0ed020324d318bdf6a2d9
Opcode Fuzzy Hash: 6e52601b2b9a6bc4f867ab9784aef64cf098ede6d797b437babc495aac8c2f2d
Instruction Fuzzy Hash: 77117476A14109AFCB05EF58E942DDD3BB5EF04390B9141E5BA088B222DA71EB51AB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B3AA67 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B3AA8C
_wcslen.LIBCMT ref: 00B3AB2D
GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,00B3B2A0,?), ref: 00B3AB3C
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 00B3AB5D

Strings

<html>, xrefs: 00B3AAAB, 00B3AAE4
</html>, xrefs: 00B3AB0E
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00B3AAB6
utf-8"></head>, xrefs: 00B3AAC1

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: 1f9941fc11555e789562cad4225a23da501c6f5ebae61f78b9aa423bfa500995
Instruction ID: 292a068c38866cf58b4e17c434db814428cda171cf2d879e9788b7c477f237d7
Opcode Fuzzy Hash: 1f9941fc11555e789562cad4225a23da501c6f5ebae61f78b9aa423bfa500995
Instruction Fuzzy Hash: 953112321097017FE725AB209C06F6BB7E9DF52321F3041DAF490A61D2EF749A0993A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E0DC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00B3E0FD
GetClassNameW.USER32(00000000,?,00000800), ref: 00B3E12C

Part of subcall function 00B35644: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00B32EC7,?,?,?,00B32E74,?,-00000002,?,00000000,?), ref: 00B3565A

GetWindowLongW.USER32(00000000,000000F0), ref: 00B3E14A
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00B3E161

Part of subcall function 00B3B5FB: GetDC.USER32(00000000), ref: 00B3B607
Part of subcall function 00B3B5FB: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B3B616
Part of subcall function 00B3B5FB: ReleaseDC.USER32(00000000,00000000), ref: 00B3B624

Part of subcall function 00B3B5B8: GetDC.USER32(00000000), ref: 00B3B5C4
Part of subcall function 00B3B5B8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00B3B5D3
Part of subcall function 00B3B5B8: ReleaseDC.USER32(00000000,00000000), ref: 00B3B5E1

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00B3E19B
DeleteObject.GDI32(00000000), ref: 00B3E1AA
GetWindow.USER32(00000000,00000002), ref: 00B3E1B3

Strings

STATIC, xrefs: 00B3E132

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Window$CapsDeviceMessageReleaseSend$ClassCompareDeleteLongNameObjectString
String ID: STATIC
API String ID: 2770908980-1882779555
Opcode ID: 7f2deba61fab1d1556cd19706ef5af2da2a72601e4ff99571001802e5a74f385
Instruction ID: 53b4e98e4e9d2c68314878896f4124d3916f6ff563e7945e67e70494dde0481a
Opcode Fuzzy Hash: 7f2deba61fab1d1556cd19706ef5af2da2a72601e4ff99571001802e5a74f385
Instruction Fuzzy Hash: 9221D172541B15BBDB226B548C46FBE77ACEF00B52F200091FA10B71D1CF349E4186A4

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D8E4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00B3D8FA

Part of subcall function 00B32FFE: _wcslen.LIBCMT ref: 00B33004

_swprintf.LIBCMT ref: 00B3D92C

Part of subcall function 00B337C1: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B337D4

_swprintf.LIBCMT ref: 00B3D959
GetFileAttributesW.KERNEL32(?), ref: 00B3D968
SetDlgItemTextW.USER32(?,00000066,?), ref: 00B3D97B
EndDialog.USER32(?,00000001), ref: 00B3DA81

Strings

%s%s%d, xrefs: 00B3D91F, 00B3D948

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _swprintf$AttributesDialogFileItemPathTempText__vswprintf_c_l_wcslen
String ID: %s%s%d
API String ID: 2779928984-1000756122
Opcode ID: 2986a0a07eca066a5c56a675835d5a32876486b4f0592d1ba9a1a320c2b875a6
Instruction ID: 69ac20928500d822221d18ad52fa338b5a48b9b72a46b0f639e911d8888991eb
Opcode Fuzzy Hash: 2986a0a07eca066a5c56a675835d5a32876486b4f0592d1ba9a1a320c2b875a6
Instruction Fuzzy Hash: 7A511AB2804259AEEF25DB60DD84EEA77FCEB04300F5041E6E618E7051EF709B888F50

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C25D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000080,00000001,?), ref: 00B3C2CD
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00B3C2E2
GetDlgItem.USER32(?,00000065), ref: 00B3C2F1
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00B3C305
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00B3C317
EndDialog.USER32(?,00000001), ref: 00B3C361

Strings

LICENSEDLG, xrefs: 00B3C271

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Item$Dialog
String ID: LICENSEDLG
API String ID: 781181374-2177901306
Opcode ID: 83a19f67ee4ad8427ff2bea0cdd9c7ab2f6af5630988c0df049608713941164d
Instruction ID: 4e56da26c5568fd24c1cf6f9d14faf0839000f4abc04f301bd744691a57feaf9
Opcode Fuzzy Hash: 83a19f67ee4ad8427ff2bea0cdd9c7ab2f6af5630988c0df049608713941164d
Instruction Fuzzy Hash: A021AF322412497FD6216BA5EC49F6B3FEDEB8AB42F114484F241B70A1CF7299119B78

Uniqueness

Uniqueness Score: -1.00%

Function 00B3A918 Relevance: 12.1, APIs: 8, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00B3A931
GetTickCount.KERNEL32 ref: 00B3A94F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B3A965
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B3A979
TranslateMessage.USER32(?), ref: 00B3A984
DispatchMessageW.USER32(?), ref: 00B3A98F
ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 00B3AA3F
SetWindowTextW.USER32(?,00000000), ref: 00B3AA49

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
String ID:
API String ID: 4150546248-0
Opcode ID: 05f0278565dd2335bcb527c31a0380878b5aa86fe6561ba982279acfb0809d4b
Instruction ID: 6d0758b412be387be04aafe1c18f6422a53f72cebd2a29ce03c66d541fda7c3d
Opcode Fuzzy Hash: 05f0278565dd2335bcb527c31a0380878b5aa86fe6561ba982279acfb0809d4b
Instruction Fuzzy Hash: B3416B72504306AFC710DF65D884E2BBBE8FF48711F254AA9FA85D7250DB20EC44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B3AF4D Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 163COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B3AF5A

Strings

</p>, xrefs: 00B3B04A
<style>, xrefs: 00B3B091
<br>, xrefs: 00B3B062
>, xrefs: 00B3AFA8
</style>, xrefs: 00B3B0AE

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 23455ebe8d2c42ee6d361ee4cac9fd911e3cd1f39cff3c51fecde6cf2a5d5258
Instruction ID: 3735420b4ff08b28ab5860c90feaa065e6e9ac3c50a3b198b67a32318c8181c5
Opcode Fuzzy Hash: 23455ebe8d2c42ee6d361ee4cac9fd911e3cd1f39cff3c51fecde6cf2a5d5258
Instruction Fuzzy Hash: 1041596660430281CB38AF248892F7BB3F0EF61750F78449EEED197185F7A58D89C392

Uniqueness

Uniqueness Score: -1.00%

Function 00B4EF7D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00B4F6F2,00000000,00000000,00000000,00000000,00000000,00B45428), ref: 00B4EFBF
__fassign.LIBCMT ref: 00B4F03A
__fassign.LIBCMT ref: 00B4F055
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00B4F07B
WriteFile.KERNEL32(?,00000000,00000000,00B4F6F2,00000000,?,?,?,?,?,?,?,?,?,00B4F6F2,00000000), ref: 00B4F09A
WriteFile.KERNEL32(?,00000000,00000001,00B4F6F2,00000000,?,?,?,?,?,?,?,?,?,00B4F6F2,00000000), ref: 00B4F0D3

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f40ee0bcf6d2d12857701f37df3a3aa393c86c2eea89d26542b020cb27c71583
Instruction ID: 24e54b84a2405a8e6fb5f61d888cb7221b59777eacb3b714a9f9a964dc77d2f4
Opcode Fuzzy Hash: f40ee0bcf6d2d12857701f37df3a3aa393c86c2eea89d26542b020cb27c71583
Instruction Fuzzy Hash: 1551A5719002499FDB10CFA8DC85AFEBBF9EF49300F1445AAE955F7291DB309A40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B3B137 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00B3B150
GetWindowRect.USER32(?,?), ref: 00B3B175
ShowWindow.USER32(?,00000005,?), ref: 00B3B20C
SetWindowTextW.USER32(?,00000000), ref: 00B3B214
ShowWindow.USER32(00000000,00000005), ref: 00B3B22A

Strings

RarHtmlClassName, xrefs: 00B3B1D6

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 75269605f460bc65c3187418c037fd30fd2f061b39f8403001d41552aa24998c
Instruction ID: 26339a840ea72591e40399334a70f01850724815ec3ef5474eba6f1043130b76
Opcode Fuzzy Hash: 75269605f460bc65c3187418c037fd30fd2f061b39f8403001d41552aa24998c
Instruction Fuzzy Hash: 15317C32101314AFDB119F649D89F2BBFE8EF49712F104599FA49AA156CB30E900CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B4BD1B Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B4BCDF: _free.LIBCMT ref: 00B4BD08

_free.LIBCMT ref: 00B4BD69

Part of subcall function 00B48433: RtlFreeHeap.NTDLL(00000000,00000000,?,00B4BD0D,00000000,00000000,00000000,00000000,?,00B4BD34,00000000,00000007,00000000,?,00B4C131,00000000), ref: 00B48449
Part of subcall function 00B48433: GetLastError.KERNEL32(00000000,?,00B4BD0D,00000000,00000000,00000000,00000000,?,00B4BD34,00000000,00000007,00000000,?,00B4C131,00000000,00000000), ref: 00B4845B

_free.LIBCMT ref: 00B4BD74
_free.LIBCMT ref: 00B4BD7F
_free.LIBCMT ref: 00B4BDD3
_free.LIBCMT ref: 00B4BDDE
_free.LIBCMT ref: 00B4BDE9
_free.LIBCMT ref: 00B4BDF4

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 31c8cb2a68751e9ba9d5abfbd719d282f1c7ec6da7f78de6818c66f52ba2065d
Instruction ID: ba43fa071d7110157ae17cd9eef7ad01c0cee49fda27bb410d54440c93c4d681
Opcode Fuzzy Hash: 31c8cb2a68751e9ba9d5abfbd719d282f1c7ec6da7f78de6818c66f52ba2065d
Instruction Fuzzy Hash: AD111C71A40B04AAD620BBB4DC87FCB77DDAF04740F808895B399A6153EF65FB44A650

Uniqueness

Uniqueness Score: -1.00%

Function 00B43383 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B4337A,00B406C8), ref: 00B43391
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B4339F
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B433B8
SetLastError.KERNEL32(00000000,?,00B4337A,00B406C8), ref: 00B4340A

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ba2b0227745349dc8393b39462f5947c19ad5037edb46172f6c7429fd1498910
Instruction ID: 9ef6e30b865492a008b5036a255b50a2732e1ce920dfe7b7bacc8f21d6efff5e
Opcode Fuzzy Hash: ba2b0227745349dc8393b39462f5947c19ad5037edb46172f6c7429fd1498910
Instruction Fuzzy Hash: 56014C322197191FEF261B74BC9AB6A2AD4EB21B7632802EAF120521F0FF114F007144

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EF3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

ReleaseSRWLockExclusive, xrefs: 00B3EF7E
KERNEL32.DLL, xrefs: 00B3EF59
AcquireSRWLockExclusive, xrefs: 00B3EF6E

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: c9186a7e9d9ebe3beeba53701efa01065263b996953c687763d3293bc85c2434
Instruction ID: a31104403879a7ccebc4c4feb5c7adc3c77f0e0d7c912007c5ee02a79e998782
Opcode Fuzzy Hash: c9186a7e9d9ebe3beeba53701efa01065263b996953c687763d3293bc85c2434
Instruction Fuzzy Hash: 7001D6726963226B6F201F646C8069632C4DA2275673401FBE421C32D0EF90C946D790

Uniqueness

Uniqueness Score: -1.00%

Function 00B3AD88 Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B3ADAC
_memcmp.LIBVCRUNTIME ref: 00B3ADC3

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2ac5ff07dddfe22c008f0087ea436ea87b752b1d120e6db34095e1bd90d91fe1
Instruction ID: c2c6805173c24b42f8e8d62b3f31e410a04977f4b47211290cb7dbf2b92b7489
Opcode Fuzzy Hash: 2ac5ff07dddfe22c008f0087ea436ea87b752b1d120e6db34095e1bd90d91fe1
Instruction Fuzzy Hash: CA217F71640219BBD714AE15D881F7B37E8DE20B85F3484ECFC8ADB241E372DE45A662

Uniqueness

Uniqueness Score: -1.00%

Function 00B48D26 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B44E4E,?,00000000,?,00B449ED,00000200,00000000,?), ref: 00B48D2A
_free.LIBCMT ref: 00B48D5D
_free.LIBCMT ref: 00B48D85
SetLastError.KERNEL32(00000000,00000000,?), ref: 00B48D92
SetLastError.KERNEL32(00000000,00000000,?), ref: 00B48D9E
_abort.LIBCMT ref: 00B48DA4

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 7310c25e4492324f0dd20db90f1013f798c53e17fa95b4c39b96100a743ddf20
Instruction ID: 0b2fc34ed7e849cd0b4ecc975a57b0a6ad40caa6a308d9f50a0772bc8cbfdfa8
Opcode Fuzzy Hash: 7310c25e4492324f0dd20db90f1013f798c53e17fa95b4c39b96100a743ddf20
Instruction Fuzzy Hash: ACF0A93658270126D61637386C05F2E25F5DFE27A2B3401F8F618E72E1FF208B01B155

Uniqueness

Uniqueness Score: -1.00%

Function 00B3936D Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 287COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B39429
_strncpy.LIBCMT ref: 00B394E6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B3952F
_strncpy.LIBCMT ref: 00B395EA

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, xrefs: 00B39382

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _strncpy$Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
API String ID: 2527496121-3224907921
Opcode ID: 5d30315b76e8b9b6d2919bfbc9841002a4eec9e9f0997652db0a0291b2a2d411
Instruction ID: cbeaf9f94abb469d303635877a41bc2c59f35d95520c1ad608bd97f109919b50
Opcode Fuzzy Hash: 5d30315b76e8b9b6d2919bfbc9841002a4eec9e9f0997652db0a0291b2a2d411
Instruction Fuzzy Hash: 55A17BB1929319DBC711EF68EC81B267BE5FB88324F20456BF44DD3361DBB098848B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B333EC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B33412

Strings

\\?\, xrefs: 00B3343F, 00B33476, 00B334EC, 00B33545
UNC, xrefs: 00B33484

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _wcslen
String ID: UNC$\\?\
API String ID: 176396367-253988292
Opcode ID: 8c8361db4b76c66f61170509aecb41e1ab7355486d36b525c5fead84adad100e
Instruction ID: be23324841d6738310ef6090505b23fb8124ed5a475c3ebc65ee2e829af65214
Opcode Fuzzy Hash: 8c8361db4b76c66f61170509aecb41e1ab7355486d36b525c5fead84adad100e
Instruction Fuzzy Hash: 2441E576900305B6CB30AB60CC46FEB73ECAF16B11F6144E6F91597142E774EB4597A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B33884 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00B3390A
_strlen.LIBCMT ref: 00B3393A
_swprintf.LIBCMT ref: 00B3395B
_wcsrchr.LIBVCRUNTIME ref: 00B339D0

Strings

%08x, xrefs: 00B3394F

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _strlen$_swprintf_wcsrchr
String ID: %08x
API String ID: 2422602752-3682738293
Opcode ID: c255b1017cdfcaf434325e1d6d5d39a8b72905afb32fb368e6b365528075b8eb
Instruction ID: da6b93dd6dc29820834f9cc73341fc6f0b04fca68eb2fb71eebad44171797807
Opcode Fuzzy Hash: c255b1017cdfcaf434325e1d6d5d39a8b72905afb32fb368e6b365528075b8eb
Instruction Fuzzy Hash: 81410773908341AAD734A6248C49FBB73DCEB85B10F2406E9F985D7182EA75AE4482A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B47575 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe,00000104), ref: 00B475B5
_free.LIBCMT ref: 00B47680
_free.LIBCMT ref: 00B4768A

Strings

H&|, xrefs: 00B475BB
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, xrefs: 00B475AC, 00B475B3, 00B475E2, 00B4761A

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe$H&|
API String ID: 2506810119-1201444900
Opcode ID: aa4f7b7ff419dd15da764227ffd68b942ada7912c5cb0a909385f36e90146995
Instruction ID: 8d4089edd69530b0a53f02fbe9402654c1926482c1021a39bf3e447e89a57b6b
Opcode Fuzzy Hash: aa4f7b7ff419dd15da764227ffd68b942ada7912c5cb0a909385f36e90146995
Instruction Fuzzy Hash: 5E3184B1A44618AFDB21DF99D881D9EBBFDEB85750F5140E6F40497211EF704B40EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B42FB0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B42FDB
__IsNonwritableInCurrentImage.LIBCMT ref: 00B43055

Part of subcall function 00B51950: __FindPESection.LIBCMT ref: 00B519A9

_ValidateLocalCookies.LIBCMT ref: 00B430C9
_ValidateLocalCookies.LIBCMT ref: 00B430F4

Strings

csm, xrefs: 00B4303F

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentFindImageNonwritableSection
String ID: csm
API String ID: 1685366865-1018135373
Opcode ID: 1e5473e8cd4e1cee79f4333f3d0e04186c23a15ff031bfd0eb14aa5492f15338
Instruction ID: 1f1e48f79b34e38ab91d677fee080561a9f73285e80883330394e50c7a3b1992
Opcode Fuzzy Hash: 1e5473e8cd4e1cee79f4333f3d0e04186c23a15ff031bfd0eb14aa5492f15338
Instruction Fuzzy Hash: 8E41B334A00208ABCF10DF68C884BAEBBF5EF45724F1882D5E8149B392C7319F55DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B3AC70 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 113COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B3AC79
_wcslen.LIBCMT ref: 00B3ACAE

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00B3ACA2
<br>, xrefs: 00B3ACFD
 , xrefs: 00B3AD45

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _wcslen
String ID:  $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-864536935
Opcode ID: da533fddff33c89c87c530f98187ef6528700bf47f86e8c4e070eeff7107a565
Instruction ID: 3768dd02f5f6ef7340f475d8095d9acb259ea927b3cb327823917d77c054c760
Opcode Fuzzy Hash: da533fddff33c89c87c530f98187ef6528700bf47f86e8c4e070eeff7107a565
Instruction Fuzzy Hash: 783129326443016AD634BB24AC42B7B73E4EB50721F7084AFF4D5575D0FBA0AA9583A6

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E04A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 00B3E095
GetDlgItemTextW.USER32(?,00000066,00000800), ref: 00B3E0AB
SetDlgItemTextW.USER32(?,00000065,?), ref: 00B3E0C5
SetDlgItemTextW.USER32(?,00000066), ref: 00B3E0D0

Strings

RENAMEDLG, xrefs: 00B3E062

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ItemText$Dialog
String ID: RENAMEDLG
API String ID: 1770891597-3299779563
Opcode ID: 992e0acf29160ebbff6ea7da1559a60a44247f880ce1714c278132518bb60458
Instruction ID: f28545557160b96c0a62a0147cf5714a1260015b7d89e6fd9298c143b800ccf8
Opcode Fuzzy Hash: 992e0acf29160ebbff6ea7da1559a60a44247f880ce1714c278132518bb60458
Instruction Fuzzy Hash: FF01F132A44314B6D2294E646D8AF377BECE749B41F20049BF310B70E0CAE2EC049762

Uniqueness

Uniqueness Score: -1.00%

Function 00B4747A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B4746F,?,?,00B4740F,?,00B598A8,0000000C,00B47522,?,00000002), ref: 00B4749A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B474AD
FreeLibrary.KERNEL32(00000000,?,?,?,00B4746F,?,?,00B4740F,?,00B598A8,0000000C,00B47522,?,00000002,00000000), ref: 00B474D0

Strings

CorExitProcess, xrefs: 00B474A5
mscoree.dll, xrefs: 00B47493

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e2fe5ff57c00961d5edfe6dcaecbe56a967ec65a6920bbdcf77f3a0cc7fd6c0a
Instruction ID: e5d64675544b3a7f78a111f69ce2e99d835e59858ce036d407c68a0bb10b5726
Opcode Fuzzy Hash: e2fe5ff57c00961d5edfe6dcaecbe56a967ec65a6920bbdcf77f3a0cc7fd6c0a
Instruction Fuzzy Hash: 5BF06931A41308BBDB119BA0DC09BAEBEA8EB05752F1441E4AD05A22A0CF705A85DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00B341A3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B347AA: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B347C5
Part of subcall function 00B347AA: LoadLibraryW.KERNELBASE(?,?,00B341B6,Crypt32.dll,?,00B34239,?,00B3421C,?,?,?,?), ref: 00B347E7

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B341C2
GetProcAddress.KERNEL32(00B5FA8C,CryptUnprotectMemory), ref: 00B341D2

Strings

CryptUnprotectMemory, xrefs: 00B341C8
Crypt32.dll, xrefs: 00B341AC
CryptProtectMemory, xrefs: 00B341BC

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 0cf5af9afdcb172858da93b7a181a6a3dee1c8e56775f736b888cab4fa6023df
Instruction ID: 2d68228d9aeea0eef19de3c70d913d8e43dda54e57412bfb377ccbebd638cec7
Opcode Fuzzy Hash: 0cf5af9afdcb172858da93b7a181a6a3dee1c8e56775f736b888cab4fa6023df
Instruction Fuzzy Hash: AEE086B0902B43AECB015B35A808715FFD5FF57701F1886D5E414936A0DBB8E4A9CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B47CAA Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B47D1C
_free.LIBCMT ref: 00B47D3C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f1e3ea5446ed0a578cf80034effb80992bc215982bda2a15e3b33bb875ee09fe
Instruction ID: 7cb0dd1b24859f40fe7ccea52ecbe1de23084b907e9d634f53dbe3d8543925bd
Opcode Fuzzy Hash: f1e3ea5446ed0a578cf80034effb80992bc215982bda2a15e3b33bb875ee09fe
Instruction Fuzzy Hash: 6641AF72E50204AFCB24DF78C881A6AB7F5EF88314B1585E9E515EB391DB71AE01DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B4B3BB Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B4B3C4
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B4B3E7

Part of subcall function 00B4846D: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B44B84,?,0000015D,?,?,?,?,00B45703,000000FF,00000000,?,?), ref: 00B4849F

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B4B40D
_free.LIBCMT ref: 00B4B420
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B4B42F

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 00135f355f07a6bc3231540024faf66860bf1e3fbef26895d9a70a30b17f4c3e
Instruction ID: 754323b3000592e2a98d8ecb549673845fd3766cc9797e87012b6fdef4b69729
Opcode Fuzzy Hash: 00135f355f07a6bc3231540024faf66860bf1e3fbef26895d9a70a30b17f4c3e
Instruction Fuzzy Hash: 7B019E626026117F63211B6A6C8DD7F7AADDAC6BA131441A9BB04D3241EF60CE02A1B1

Uniqueness

Uniqueness Score: -1.00%

Function 00B48DAA Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,00B4884B,00B48550,?,00B48D54,00000001,00000364,?,00B449ED,00000200,00000000,?), ref: 00B48DAF
_free.LIBCMT ref: 00B48DE4
_free.LIBCMT ref: 00B48E0B
SetLastError.KERNEL32(00000000,00000000,?), ref: 00B48E18
SetLastError.KERNEL32(00000000,00000000,?), ref: 00B48E21

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ada51a3fad25b88def2f673ee149abc0cbcb295b7c5134223030529dfaeab032
Instruction ID: d4d6a81cb55c9033ffaa8c251c1f92c2e05077bb6b3348fac535b78796c4844d
Opcode Fuzzy Hash: ada51a3fad25b88def2f673ee149abc0cbcb295b7c5134223030529dfaeab032
Instruction Fuzzy Hash: 8A01F932682B012B921737386C85E3F25EEDBD67A273400E8F514A72D2EF208F01B155

Uniqueness

Uniqueness Score: -1.00%

Function 00B4BC76 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B4BC8E

Part of subcall function 00B48433: RtlFreeHeap.NTDLL(00000000,00000000,?,00B4BD0D,00000000,00000000,00000000,00000000,?,00B4BD34,00000000,00000007,00000000,?,00B4C131,00000000), ref: 00B48449
Part of subcall function 00B48433: GetLastError.KERNEL32(00000000,?,00B4BD0D,00000000,00000000,00000000,00000000,?,00B4BD34,00000000,00000007,00000000,?,00B4C131,00000000,00000000), ref: 00B4845B

_free.LIBCMT ref: 00B4BCA0
_free.LIBCMT ref: 00B4BCB2
_free.LIBCMT ref: 00B4BCC4
_free.LIBCMT ref: 00B4BCD6

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1514a6796a3bd04bd45510e7a0f34acda7a579cc491aa71b66910b8bd64461c3
Instruction ID: cf750a20fad14d4259c86605cbd1aa8591d9122cf62a2ece88d12458d2c2b754
Opcode Fuzzy Hash: 1514a6796a3bd04bd45510e7a0f34acda7a579cc491aa71b66910b8bd64461c3
Instruction Fuzzy Hash: A5F03032605304AF8620EB5CF9C6D1E77FDEA44791BA448C5F118D7A02CF30FE80AAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B35666 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B3566E
_wcslen.LIBCMT ref: 00B3567F
_wcslen.LIBCMT ref: 00B3568F
_wcslen.LIBCMT ref: 00B3569D
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,?,00000000,?,00B32D53,__rar_,00000000,00000006,?,?,00000000), ref: 00B356B8

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: f097314d2bf4ae80ff8995bf88f94e6a6656161cabbc13f5efc95d072e39d52a
Instruction ID: 2b55dba9f7409c98bdecbb775b9732d66b896420c1e3d07e72dd8007d26430e8
Opcode Fuzzy Hash: f097314d2bf4ae80ff8995bf88f94e6a6656161cabbc13f5efc95d072e39d52a
Instruction Fuzzy Hash: D6F06D32004014BFCF621F51DC09DCE3F65EB41770B618045F9595A060CB329661A784

Uniqueness

Uniqueness Score: -1.00%

Function 00B47EF9 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B47F17

Part of subcall function 00B48433: RtlFreeHeap.NTDLL(00000000,00000000,?,00B4BD0D,00000000,00000000,00000000,00000000,?,00B4BD34,00000000,00000007,00000000,?,00B4C131,00000000), ref: 00B48449
Part of subcall function 00B48433: GetLastError.KERNEL32(00000000,?,00B4BD0D,00000000,00000000,00000000,00000000,?,00B4BD34,00000000,00000007,00000000,?,00B4C131,00000000,00000000), ref: 00B4845B

_free.LIBCMT ref: 00B47F29
_free.LIBCMT ref: 00B47F3C
_free.LIBCMT ref: 00B47F4D
_free.LIBCMT ref: 00B47F5E

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 589a7f0d750813a151de47585319332f10672784c69a289b739332c818a77603
Instruction ID: 2303621b2493b9a929559365adb50b1dbbdb4c9df1bf7ab07d6af865e9634667
Opcode Fuzzy Hash: 589a7f0d750813a151de47585319332f10672784c69a289b739332c818a77603
Instruction Fuzzy Hash: 48F0B2B19582269B86416B28FC429083BE5FB19B6239501CAF4149B371CF714E41EFC9

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D104 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,?,?,?,00001000), ref: 00B3D15C
CharUpperW.USER32(?,?,?,?,?,00001000), ref: 00B3D183

Strings

-, xrefs: 00B3D14A

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: CharUpper
String ID: -
API String ID: 9403516-2547889144
Opcode ID: fd41cf280816c63aa1ab7cd86f5f20a7f35da61aa45caa8b2c0fe10493e43293
Instruction ID: f5c1811761b80925f5cdf91d04f2868ccda1ab29755cb3098f55d86f6978e5be
Opcode Fuzzy Hash: fd41cf280816c63aa1ab7cd86f5f20a7f35da61aa45caa8b2c0fe10493e43293
Instruction Fuzzy Hash: 7021E27244820666D320AF68EC4DB7B76D8F789700FA148A9F4A5A2195DB78CC88C322

Uniqueness

Uniqueness Score: -1.00%

Function 00B3BF44 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 00B3BF92
GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 00B3BFAA
SetDlgItemTextW.USER32(?,00000066,?), ref: 00B3BFD8

Strings

GETPASSWORD1, xrefs: 00B3BF5D

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ItemText$Dialog
String ID: GETPASSWORD1
API String ID: 1770891597-3292211884
Opcode ID: a7a03e828dea2f31120692051c6c35b06f5bb48af64481037e267b03da33b769
Instruction ID: 4c094e86eeba1bdc07b489ee35e3ae2e46ff2b4e19cd5757b7609c7dd129772a
Opcode Fuzzy Hash: a7a03e828dea2f31120692051c6c35b06f5bb48af64481037e267b03da33b769
Instruction Fuzzy Hash: 2411C8329042187ADB215A649C89FFB77ECEB09711F2000E5FB45F3088C7A5AE559BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E693 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00B3E6EE
REPLACEFILEDLG, xrefs: 00B3E6D8, 00B3E70A

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 4f4ab97b95b46df46c87c8a785396235181f5a4d16a16862c30d42accede9e6e
Instruction ID: 984f0dfc9971d6c8156223fc4aaeb1fafe7ba5b0594659c3f4e9281c21cd794c
Opcode Fuzzy Hash: 4f4ab97b95b46df46c87c8a785396235181f5a4d16a16862c30d42accede9e6e
Instruction Fuzzy Hash: CA01BC32240305AFC3519B28EC84F13BBE8E759B91F2408A7F855E36B0DA71DC46EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B33D9C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00B33DAB
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00B33DBA

Strings

LTR, xrefs: 00B33DCA, 00B33DD5, 00B33DDE
RTL, xrefs: 00B33DB3, 00B33DB8, 00B33DEC

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: LTR$RTL
API String ID: 3537982541-719208805
Opcode ID: 404374f2eb5c2e5540a7bdc06187d04f922396aa0ddea1259ae7fe0d23b77fc4
Instruction ID: 07c2e805b9ea7a70f64de78c57e88150b6fafabe87dbd7bdd9868915cea8bd1b
Opcode Fuzzy Hash: 404374f2eb5c2e5540a7bdc06187d04f922396aa0ddea1259ae7fe0d23b77fc4
Instruction Fuzzy Hash: 85F0243260531427E63467A56C0AFA73BECD786B01F1406EEBA05870C1CFA1A94D87A4

Uniqueness

Uniqueness Score: -1.00%

Function 00B48F59 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B48FE4
__alldvrm.LIBCMT ref: 00B491E5
__alldvrm.LIBCMT ref: 00B49207

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 81c2af9a51eac88d90566e98f63fd44f243beb22a756994565506ca33d5a461a
Instruction ID: 75069f608d0b8242c75729d56ac9953d5cb505c2986b1dd789bef76a63859a83
Opcode Fuzzy Hash: 81c2af9a51eac88d90566e98f63fd44f243beb22a756994565506ca33d5a461a
Instruction Fuzzy Hash: 83A13432E00286AFEB21CE28C8917AFBBE5EF55350F1841E9E595AB382C6748E41D750

Uniqueness

Uniqueness Score: -1.00%

Function 00B39E36 Relevance: 6.2, APIs: 4, Instructions: 191COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B39E51
_memcmp.LIBVCRUNTIME ref: 00B39EF5
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B39F79
_memcmp.LIBVCRUNTIME ref: 00B3A014

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _memcmp$Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 3520290970-0
Opcode ID: b27616001a59e739db4513f138751f3b572cf48fa47b3820d9f6b92b53ae59ad
Instruction ID: ef718addd4d68c36404cf03adc846dfbae8136612b8149ea08f19d2ea60b01af
Opcode Fuzzy Hash: b27616001a59e739db4513f138751f3b572cf48fa47b3820d9f6b92b53ae59ad
Instruction Fuzzy Hash: F161AE71A20308CFC718EF28EC94B257BE5FB85324F20026AE54DC72B1DB75A984CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00B326B1 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00B32757
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800), ref: 00B3279B
SetFileTime.KERNEL32(?,?,?,00000000), ref: 00B3281C
CloseHandle.KERNEL32(?), ref: 00B32823

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 9afb5d0ef6476af500beeeffd57c8f956e59cdb0eeb2bb6684d89009c62cb1b9
Instruction ID: 924d2c686c8538f2118de1694d3bca6f3ca4d0b52c68f66b9f4d856e55bfd150
Opcode Fuzzy Hash: 9afb5d0ef6476af500beeeffd57c8f956e59cdb0eeb2bb6684d89009c62cb1b9
Instruction Fuzzy Hash: 2D41AC31248381AAE721DF24DC56FAABBE8AF85700F2409ADF5D097191C664AE4CDB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B4BDFF Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,00B44F6E,00000000,00000000,00B4579C,?,00B4579C,?,00000001,00B44F6E,23E85006,00000001,00B4579C,00B4579C), ref: 00B4BE4C
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B4BED5
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B4BEE7
__freea.LIBCMT ref: 00B4BEF0

Part of subcall function 00B4846D: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B44B84,?,0000015D,?,?,?,?,00B45703,000000FF,00000000,?,?), ref: 00B4849F

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: fbf1b42282d378749b27089472387ef067372f666abca890171e994bf8cfed75
Instruction ID: 3e324220c864686dfaa0064b8f28b2113b9ce08da432a2130020a8f2af225035
Opcode Fuzzy Hash: fbf1b42282d378749b27089472387ef067372f666abca890171e994bf8cfed75
Instruction Fuzzy Hash: 9C318F72A0021AABDB25DF64DC85EEE7BE5EB80710F1405A8FE0497250EB35DE54DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B3678B Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

Part of subcall function 00B374AD: __EH_prolog.LIBCMT ref: 00B374B2

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B3681E

Part of subcall function 00B374AD: new.LIBCMT ref: 00B3750B

Strings

Cyber.exe, xrefs: 00B367A2, 00B367CF, 00B367E2, 00B368E1, 00B36907, 00B36A81, 00B36ADA
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, xrefs: 00B367E7, 00B368E6, 00B36A86

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: H_prologUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe$Cyber.exe
API String ID: 3007126557-2023509382
Opcode ID: 47e2f471f47dadb698a07bd95e45c4ff83d61bea6e73db3f683d22970db8dd3a
Instruction ID: d11a6a4a0956e6a7e99ab4ad2d80740f3b90a0b4c22a076ea9eec5b227037871
Opcode Fuzzy Hash: 47e2f471f47dadb698a07bd95e45c4ff83d61bea6e73db3f683d22970db8dd3a
Instruction Fuzzy Hash: 85810370555345EFD724BB28AC92B297BE5EB46320F34C1EAF599A76B2CE705C80C710

Uniqueness

Uniqueness Score: -1.00%

Function 00B32BEC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B32C2A
_wcslen.LIBCMT ref: 00B32D13

Strings

__rar_, xrefs: 00B32D49

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _wcslen
String ID: __rar_
API String ID: 176396367-2561138058
Opcode ID: 72d7848e1d550462780d4b24d921749dde7082c69e0010db549e3b402d86c624
Instruction ID: 37431044fa4df6183bbfc5757455cefbb39e98dfb712164874dfc2ce462fbcae
Opcode Fuzzy Hash: 72d7848e1d550462780d4b24d921749dde7082c69e0010db549e3b402d86c624
Instruction Fuzzy Hash: 3A41D67280835479D634AB688DC6DEFB7DCDB85700F6418AAF9C5D3112D634DD48D2B2

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C142 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B3C197
_wcslen.LIBCMT ref: 00B3C1B2

Strings

}, xrefs: 00B3C18A

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 71c34ee0812f02e60bfe61dd0406592a21763b2d8ed657f87f690bbebddcbe77
Instruction ID: fb01ae0cadc0d1a7fcef872619354e8aa244b94ee0ce77764a76731d60dca111
Opcode Fuzzy Hash: 71c34ee0812f02e60bfe61dd0406592a21763b2d8ed657f87f690bbebddcbe77
Instruction Fuzzy Hash: 0221D572504B166AD731EAA4CC45F6BB7DCDF41750F6004AAFA80E3142EB71DE48A3A6

Uniqueness

Uniqueness Score: -1.00%

Function 00B3ABAF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00B3ABBC

Strings

about:blank, xrefs: 00B3AC54
Shell.Explorer, xrefs: 00B3ABE8

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 8ceefbddee1fd9dc2aaa919cb90a4b7adc9912b3c638b8ef9368f9b8e81af3ba
Instruction ID: 58bf7ff77de07fcc236c6e52ccf4ceca96c0048871182b543094b89f43660d12
Opcode Fuzzy Hash: 8ceefbddee1fd9dc2aaa919cb90a4b7adc9912b3c638b8ef9368f9b8e81af3ba
Instruction Fuzzy Hash: 11217C71300716AFDB04DF60C991E66B7E9FF54711F3482A9B5458B291DB64EC04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B34222 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00B341A3: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B341C2
Part of subcall function 00B341A3: GetProcAddress.KERNEL32(00B5FA8C,CryptUnprotectMemory), ref: 00B341D2

GetCurrentProcessId.KERNEL32(?,?,?,00B3421C), ref: 00B342AA

Strings

CryptUnprotectMemory failed, xrefs: 00B342A2
CryptProtectMemory failed, xrefs: 00B34269

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: d5735fed96add77b0051aece69eec62a2aad6f4952d92fa18cef1d299ee5cf31
Instruction ID: 22e377d96ffd242adbd98054266f0bf0efd47770086d337f25d8c0adac767c59
Opcode Fuzzy Hash: d5735fed96add77b0051aece69eec62a2aad6f4952d92fa18cef1d299ee5cf31
Instruction Fuzzy Hash: EB1104327122261BEB089A25DC11B7F77EADF85710F2485FDFC09AB152CF60AC458681

Uniqueness

Uniqueness Score: -1.00%

Function 00B33309 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B33330

Part of subcall function 00B337C1: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B337D4

Strings

%c:\, xrefs: 00B33326

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: dae7320c9897f371a3324758e32f6876298289fcb647d8286c3d02934a7a9e70
Instruction ID: 50f950374e28f7b60559375b6c304c273fc09d7dd8fda9f26de40b1a86119f8d
Opcode Fuzzy Hash: dae7320c9897f371a3324758e32f6876298289fcb647d8286c3d02934a7a9e70
Instruction Fuzzy Hash: 1501F563504311B98B30A7759C86E6BB7ECDF96B70F648496F884C7082FF30DA90C2A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B374AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B374B2
new.LIBCMT ref: 00B3750B

Strings

Cyber.exe, xrefs: 00B374D5, 00B374DB, 00B374F1, 00B374F7, 00B3752F

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog
String ID: Cyber.exe
API String ID: 3519838083-2714003122
Opcode ID: a3eae3fbb4b337f01c428e9ff2e808144e8b49242d4f5f78b89f53bb4db70f4a
Instruction ID: fd3e307cf21cf5ff91d2c508cdb47290f14debf4e3a32ebab702d8d2b3561535
Opcode Fuzzy Hash: a3eae3fbb4b337f01c428e9ff2e808144e8b49242d4f5f78b89f53bb4db70f4a
Instruction Fuzzy Hash: 0011C170A952069ADB24BB749802FFE73E4DF15314F3144E9F81AE7182DF749A848A50

Uniqueness

Uniqueness Score: -1.00%

Function 00B37438 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B3743D
new.LIBCMT ref: 00B37448

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, xrefs: 00B37470, 00B3747F, 00B37484, 00B3748C

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
API String ID: 3519838083-3224907921
Opcode ID: d5c59a2c8b640f94bcb02df14bb2142a69bcb2492fd3a286ac36a2a0ae06cb59
Instruction ID: 6a09f981ff0c1fb361b2d5926b207dfddcbd7c276e7ec42d35b2a8be0d37706c
Opcode Fuzzy Hash: d5c59a2c8b640f94bcb02df14bb2142a69bcb2492fd3a286ac36a2a0ae06cb59
Instruction Fuzzy Hash: D3F02872E245069FCB14EB7CAC01ABA7BF8DB0A310F2086FDE45AD3381EF3099004650

Uniqueness

Uniqueness Score: -1.00%

Function 00B3587A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B358C3

Strings

z%s%02d, xrefs: 00B358B8
z%s%d, xrefs: 00B358A3

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _swprintf
String ID: z%s%02d$z%s%d
API String ID: 589789837-468824935
Opcode ID: d088c815c0420346c2d9ca612d524296ccfe6ff9d07fd69ac6542a01e326ac00
Instruction ID: 039961a686db94eae46d8a57c85101bbfec161388f5a7b3d62f940ab4a30fc91
Opcode Fuzzy Hash: d088c815c0420346c2d9ca612d524296ccfe6ff9d07fd69ac6542a01e326ac00
Instruction Fuzzy Hash: 7AF090B6901108AA9F14AF40CC42EEAB7EEEB49700F5041E1FE005B161EB719D5947B1

Uniqueness

Uniqueness Score: -1.00%

Function 00B4786F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B4B3BB: GetEnvironmentStringsW.KERNEL32 ref: 00B4B3C4
Part of subcall function 00B4B3BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B4B3E7
Part of subcall function 00B4B3BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B4B40D
Part of subcall function 00B4B3BB: _free.LIBCMT ref: 00B4B420
Part of subcall function 00B4B3BB: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B4B42F

_free.LIBCMT ref: 00B478B5
_free.LIBCMT ref: 00B478BC

Strings

`|, xrefs: 00B4786F, 00B478A2

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: `|
API String ID: 400815659-399934961
Opcode ID: 32e4dee226df781963f032b5fb8f01858130fcc6b7b14ed4cb9ae59488edf6cd
Instruction ID: a248c8e863d2ee6475e779150f16f67b7d7005074250345f6833909e3811fb14
Opcode Fuzzy Hash: 32e4dee226df781963f032b5fb8f01858130fcc6b7b14ed4cb9ae59488edf6cd
Instruction Fuzzy Hash: 30E0A032ACD81101A221323BBC49A5E17C98B82375B2002E5F830861D3DF60CB02F2E6

Uniqueness

Uniqueness Score: -1.00%

Function 00B4B36B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00B4B36B
GetCommandLineW.KERNEL32 ref: 00B4B376

Strings

H&|, xrefs: 00B4B371

Memory Dump Source

Source File: 00000000.00000002.1645583791.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.1645558633.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645607701.0000000000B52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645977825.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1646104006.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_SecuriteInfo.jbxd

Similarity

API ID: CommandLine
String ID: H&|
API String ID: 3253501508-463846233
Opcode ID: 843b124b47b00946b9b9b0e43f2be7ed7be58c5dc3f320284212459f44a61bea
Instruction ID: ade596e370deb68c2759cc46708bc5c105874b1fe7119ea3ca6d2cbcf3df68d8
Opcode Fuzzy Hash: 843b124b47b00946b9b9b0e43f2be7ed7be58c5dc3f320284212459f44a61bea
Instruction Fuzzy Hash: 6EB092788023018FD7008F30FC0C2043BA0BA0EA133C48096E806C7330DF340085CF08

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Cyber.exePID: 6992, Parent PID: 6876COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	69
Total number of Limit Nodes:	3

Executed Functions

Function 032D841B Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,032D6151,00000001), ref: 032D842C

Part of subcall function 032D82D3: GetVersionExA.KERNEL32 ref: 032D82F2

HeapDestroy.KERNEL32 ref: 032D846B

Part of subcall function 032D8520: HeapAlloc.KERNEL32(00000000,00000140,032D8454,000003F8), ref: 032D852D

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: ff0bea882abcf6a2267dd26b62b77729414d713be895d9ea65a447042062b6d5
Instruction ID: e06ef1e6ecdeb1b3f3ddf1434aea9d96a2fc20fac82078f65de4960b7e5a2067
Opcode Fuzzy Hash: ff0bea882abcf6a2267dd26b62b77729414d713be895d9ea65a447042062b6d5
Instruction Fuzzy Hash: 64F06D74A753129AEB20FB30BC0A77936A8DB40B52F14C866F540CC085FBA081C08652

Uniqueness

Uniqueness Score: -1.00%

Function 032D594F Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F), ref: 032D5A36

Part of subcall function 032D745B: InitializeCriticalSection.KERNEL32(00000000,?,00000010,?,032D59E8,00000009), ref: 032D7498
Part of subcall function 032D745B: EnterCriticalSection.KERNEL32(00000010,00000010,?,032D59E8,00000009), ref: 032D74B3

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: ad85d95606658c895f79851c0f7dde498165d690ca19585a6dbde7d1bf06c6bc
Instruction ID: d8d3e9c8c3fc70c982a01f477d0b45760d569d029aa90224dd18e758ecfad3e9
Opcode Fuzzy Hash: ad85d95606658c895f79851c0f7dde498165d690ca19585a6dbde7d1bf06c6bc
Instruction Fuzzy Hash: F321A931A60215ABDB10EF64EC82BDDB764EB01760F348116F415EF5C0D7F4A9C18694

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 032DB7E4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,032DA02B,?,Microsoft Visual C++ Runtime Library,00012010,?,032E03C8,?,032E0418,?,?,?,Runtime Error!Program: ), ref: 032DB7F6
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 032DB80E
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 032DB81F
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 032DB82C

Strings

GetActiveWindow, xrefs: 032DB819
MessageBoxA, xrefs: 032DB808
user32.dll, xrefs: 032DB7F1
GetLastActivePopup, xrefs: 032DB821

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 5f901437ba42ec008accc2cf16f18bedc726568a8cbf1487d743ab171439899d
Instruction ID: fd54543f0e9cef512bc08f4872f14712b027bf2bd3dd143f9a2a6ac9a9c1cfa2
Opcode Fuzzy Hash: 5f901437ba42ec008accc2cf16f18bedc726568a8cbf1487d743ab171439899d
Instruction Fuzzy Hash: 32017133B103469FC711EEF6BC8996ABAE9AA99990709843EE140C6115EB708481CB60

Uniqueness

Uniqueness Score: -1.00%

Function 032A63B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(032E88D8,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,032A6344,?,?,?,?,?,?,?), ref: 032A63D3
CryptAcquireContextA.ADVAPI32(032E88D8,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,032A6344,?,?,?,?,?,?,?), ref: 032A63ED

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 032A63E1
Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 032A63C7

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: AcquireContextCrypt
String ID: Microsoft Enhanced Cryptographic Provider v1.0$Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 3951991833-947817771
Opcode ID: 706704ffde56953b8ff370954ded3fb89e2dacc5f0d4e3e989ad9531a872cbe4
Instruction ID: 6b7ed05e81c65531a4f77b50ef2245ad5c2629d26c66424b8bd6474436761c25
Opcode Fuzzy Hash: 706704ffde56953b8ff370954ded3fb89e2dacc5f0d4e3e989ad9531a872cbe4
Instruction Fuzzy Hash: 81E086703F8B057BF630D51C7C0BF66354C9B80F0AF9884607656BD5C1E7E5A0C24605

Uniqueness

Uniqueness Score: -1.00%

Function 032A6322 Relevance: 6.1, APIs: 4, Instructions: 51encryptionCOMMON

Download Yara Rule

APIs

CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 032A6361
CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 032A6379
CryptDeriveKey.ADVAPI32(00000000,00006801,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 032A6399
CryptDestroyHash.ADVAPI32(00000000,?,?,?,?,?,?,?), ref: 032A63A3

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: Crypt$Hash$CreateDataDeriveDestroy
String ID:
API String ID: 2363288294-0
Opcode ID: a6750447408327188dbea983cc48576ef6686c45e3f3c8c07fe3a98206c596fb
Instruction ID: 6d3e2f2b3cd24b1cac7c9c7634f7b5748167ed8be84600cc527b2ef5abb5a3dd
Opcode Fuzzy Hash: a6750447408327188dbea983cc48576ef6686c45e3f3c8c07fe3a98206c596fb
Instruction Fuzzy Hash: A1116175610608FBDB10DEA4EC49FAA77BCAF84B01F188548FA059A1C0D772D581CB50

Uniqueness

Uniqueness Score: -1.00%

Function 032A64AB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

Cryptographic provider not available, xrefs: 032A64FB

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID: Cryptographic provider not available
API String ID: 0-2417475821
Opcode ID: 8f08f7bcd7728fabad6250519d22ed60424aa146762ad57360e14b59015b4cf5
Instruction ID: 4bfb03d4b13a98778ba43c741081e3befea766c2a9d32e24cc21eb6bf53c2b87
Opcode Fuzzy Hash: 8f08f7bcd7728fabad6250519d22ed60424aa146762ad57360e14b59015b4cf5
Instruction Fuzzy Hash: 98713DB5D10609EFDF00DFA8C880BAEB7B5AF48700F2885A9D5156B340D775EA85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 032D7BED Relevance: 4.7, APIs: 3, Instructions: 207timeCOMMON

Download Yara Rule

APIs

Part of subcall function 032D745B: InitializeCriticalSection.KERNEL32(00000000,?,00000010,?,032D59E8,00000009), ref: 032D7498
Part of subcall function 032D745B: EnterCriticalSection.KERNEL32(00000010,00000010,?,032D59E8,00000009), ref: 032D74B3

Part of subcall function 032D74BC: LeaveCriticalSection.KERNEL32(?,032D5B14,00000009,032D5B02,00000000,00000010,?,?,032D59E8,00000009), ref: 032D74C9

GetTimeZoneInformation.KERNEL32(0000000C,?,032A7B27,?,0000000B,0000000B,?,032D7BDE,032D55AA,032A70F1,?,032A7B27,00000001), ref: 032D7C3B
WideCharToMultiByte.KERNEL32(00000220,032E8B84,000000FF,0000003F,00000000,00000001,?,0000000B,0000000B,?,032D7BDE,032D55AA,032A70F1,?,032A7B27,00000001), ref: 032D7CD1
WideCharToMultiByte.KERNEL32(00000220,032E8BD8,000000FF,0000003F,00000000,00000001,?,0000000B,0000000B,?,032D7BDE,032D55AA,032A70F1,?,032A7B27,00000001), ref: 032D7D0A

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID:
API String ID: 3442286286-0
Opcode ID: 02f65554fc33396bcff91258718822a0ab1b540e1d4ce7c3e624b6ad7cda4aa9
Instruction ID: e629743ac7e83cbdd7d763c6a08378c5f280caa88763b42e0a4459d34d82bf46
Opcode Fuzzy Hash: 02f65554fc33396bcff91258718822a0ab1b540e1d4ce7c3e624b6ad7cda4aa9
Instruction Fuzzy Hash: 2061F7715243619ED725FF2CF84AB697FA9B703720F28802EE4958E1C8D7B849C1CB95

Uniqueness

Uniqueness Score: -1.00%

Function 032A5F15 Relevance: 4.7, APIs: 3, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3268f341b4e54d1107b4290509f0d3e8732e921709d863d6eed5a2be66bfcb3c
Instruction ID: ba68300ccec9dc073eb7898f4d5878f5573c53dc7e744f6f43443adcaa1cafcc
Opcode Fuzzy Hash: 3268f341b4e54d1107b4290509f0d3e8732e921709d863d6eed5a2be66bfcb3c
Instruction Fuzzy Hash: 1E718379A10508AFCB04DF88D890EAEF7B5FB89311F14C199E919AB345D771EA81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 032A61D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

Cryptographic provider not available, xrefs: 032A6272

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID: Cryptographic provider not available
API String ID: 0-2417475821
Opcode ID: e903b09f80b6ca0c56179f7f1ad08415989598a1af43568597295fe7e91af830
Instruction ID: 73e995aadcd29322688113688c5fbb1acbc344726f13717ff0831398130e3adb
Opcode Fuzzy Hash: e903b09f80b6ca0c56179f7f1ad08415989598a1af43568597295fe7e91af830
Instruction Fuzzy Hash: 0C31A7B5E20605EFDF10DFA8C884B5EB7B8AB44300F18C569E8155B241D378DA90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 032A6419 Relevance: 3.0, APIs: 2, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32(?,?,032A66B1,00000000), ref: 032A642A
CryptDestroyKey.ADVAPI32(E58BF845,?,032A66B1,00000000), ref: 032A644D

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: CryptDestroy
String ID:
API String ID: 1712904745-0
Opcode ID: d20a2ea6a9f08d8656694415bce5a12ccf7fc2e47e66cafe2d10b162087305f5
Instruction ID: e4e92cf7c040902a4f6e1afabd83c4d150cfc7aee38b31af46b2d8c87a094fd9
Opcode Fuzzy Hash: d20a2ea6a9f08d8656694415bce5a12ccf7fc2e47e66cafe2d10b162087305f5
Instruction Fuzzy Hash: 6101F678610608ABC711EF18E488BAA7BA6AF88364F18C458E8094F340D775E9C2CF80

Uniqueness

Uniqueness Score: -1.00%

Function 032A610D Relevance: 1.6, APIs: 1, Instructions: 72encryptionCOMMON

Download Yara Rule

APIs

CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,-00000010,?), ref: 032A61A5

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: CryptEncrypt
String ID:
API String ID: 1352496322-0
Opcode ID: f44fbe7a0a567c34e17f7bbe16abfe991869c609f4e3e071e372acc23098fc5e
Instruction ID: 88c09d5998c6f05ab4834a4acde5dea204303596102da1061ce55d8349843d71
Opcode Fuzzy Hash: f44fbe7a0a567c34e17f7bbe16abfe991869c609f4e3e071e372acc23098fc5e
Instruction Fuzzy Hash: B2212C78A10208EFDB04DF99C981F9DB7B5AF48700F24C598E9046B381D771EE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10481960 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 104819B7

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 11ea491bea3708f43ec7837491da446e31b8c36ddc91d57f4e692ea79bf1adbd
Instruction ID: d4c84a9c78c8cdcdf4c265c9d622215c9d3c311bbbac545824d8a051d426bb1b
Opcode Fuzzy Hash: 11ea491bea3708f43ec7837491da446e31b8c36ddc91d57f4e692ea79bf1adbd
Instruction Fuzzy Hash: 43115A71014304AFD300CFA4CCC1B8BB7E8EB89354F108A1EF9589B2A0E774E544CB96

Uniqueness

Uniqueness Score: -1.00%

Function 032CD203 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31121e9b5cca719626609ef20683aae72816b1b12963c85bba04056dce081806
Instruction ID: f0a6ae4afe25fda5bf631730b46c68acddf0fdd720c6b0f1e3afdc3503380870
Opcode Fuzzy Hash: 31121e9b5cca719626609ef20683aae72816b1b12963c85bba04056dce081806
Instruction Fuzzy Hash: 41211834E20149EFCB04CF98C590AADF772FB84304F5482ADE815AB346D771EA82CB81

Uniqueness

Uniqueness Score: -1.00%

Function 032CD185 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e2ef67033ba6d4d810dc0e4fec7f88bfc11f56aeb117674b0ea60149618a56
Instruction ID: f52f64a7d116ca69d2083888fc396a561adec8de1325da1a5f80f54940aad468
Opcode Fuzzy Hash: a9e2ef67033ba6d4d810dc0e4fec7f88bfc11f56aeb117674b0ea60149618a56
Instruction Fuzzy Hash: 5811D774E30288EFCB14DF98C980BADB7B5BB44704F1482ACD9059B340E6B6ABC4CB41

Uniqueness

Uniqueness Score: -1.00%

Function 032CCF89 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eacb9fd10725beadb66ff13f79996f58e4937929d65c185208171e0becf7cb6
Instruction ID: 34beb5df5489ef5a2e05423a7dd6d8446358f4d9fdb6cb31233acc05906c7145
Opcode Fuzzy Hash: 5eacb9fd10725beadb66ff13f79996f58e4937929d65c185208171e0becf7cb6
Instruction Fuzzy Hash: 8AF01975D1020CEFCB04DF98D980DAD77B5EB88314F148258F90957344D671DE55CB95

Uniqueness

Uniqueness Score: -1.00%

Function 032CCFF2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15945b8c9172f792626062542ffcbc6e90df6a2ab0c99ccea2ff2823afd6426
Instruction ID: ada62c0d8c1a7ee79db9a809ba78a23daf11f75048f5fd68ad7ae55d9701404a
Opcode Fuzzy Hash: c15945b8c9172f792626062542ffcbc6e90df6a2ab0c99ccea2ff2823afd6426
Instruction Fuzzy Hash: FFF01975D1020CEFCB04DF98D984DAD77B5EB88310F148268F90957344E631DE55CB95

Uniqueness

Uniqueness Score: -1.00%

Function 032CD0D3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c97f82a6cfdcd3ce8ba4f0bab76fd2aeb01f684ea59514e5315c29d8156cd2
Instruction ID: 7e3326d6d97ca0758232ec114fe77a1ae2e8fb84275d158b1660f04610e0adbd
Opcode Fuzzy Hash: 35c97f82a6cfdcd3ce8ba4f0bab76fd2aeb01f684ea59514e5315c29d8156cd2
Instruction Fuzzy Hash: 39F01C74A20248EBCB04DF9CC98489DB3B5EB48354F2082ACED098B300D772EF81CB80

Uniqueness

Uniqueness Score: -1.00%

Function 032CD078 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eae5dfbcce140b27e1ed22a0f81fd1b398b1d8e738686f540406692dded399d
Instruction ID: 5c6bbfc0eefcd8ed8a4ab4216630100bf5192053964ed7a3cd7d4f2d1648e9f3
Opcode Fuzzy Hash: 2eae5dfbcce140b27e1ed22a0f81fd1b398b1d8e738686f540406692dded399d
Instruction Fuzzy Hash: ACE012B666414D6B8B44DFACEC81CAB77ED6B8C600B048208B90DC7241D534E9618BE0

Uniqueness

Uniqueness Score: -1.00%

Function 032CD055 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2300effe24524036945decbc6e6a949d47dcfda41849c340fa61c75d765fbec3
Instruction ID: 776081a20921d6b5cb273ec0bcb33e192594a4c8e755d2317afa9dbed4b1ec1d
Opcode Fuzzy Hash: 2300effe24524036945decbc6e6a949d47dcfda41849c340fa61c75d765fbec3
Instruction Fuzzy Hash: 64D09EB665020D7BCB44DF89DC41D9B37ADAB4C750F404108FE0D8B241D572E96187E1

Uniqueness

Uniqueness Score: -1.00%

Function 032CD0A8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985cb517f3b049a7a144ec09949d7f8b3cc2d11ca6444026d8e07fb7534048de
Instruction ID: 9a6a5e54e9fc94a7e6ab962406554b13ded7ce52fb5222e6f0314d099cb9fec9
Opcode Fuzzy Hash: 985cb517f3b049a7a144ec09949d7f8b3cc2d11ca6444026d8e07fb7534048de
Instruction Fuzzy Hash: C2E0EC3491020CEBCB00DF98C14469DBFB4EB44304F2085A8D8042B340D6725A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 032CCFD7 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4ebf7a63e60fc22467c682cdab0241eaa7228eadbbfcbdc7f4c77f9a05a528
Instruction ID: 70037a5b5ea5737aba9f5076e80f894a2a564d582b7b9f7fe20ad094079d894c
Opcode Fuzzy Hash: fe4ebf7a63e60fc22467c682cdab0241eaa7228eadbbfcbdc7f4c77f9a05a528
Instruction Fuzzy Hash: E0C08CF612030CBF8B00EF8CCC40CAB33EDEB88610B008408B91CCB240D632F96087A0

Uniqueness

Uniqueness Score: -1.00%

Function 032CD040 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56942107f208eac211681176a3cb9138e4de494371c761b67b0e0cfbc9356bb7
Instruction ID: 80cf53429cfb7f19a57aa4f02a094b8643c1417c5e9a787389a970e8d6ad6d0e
Opcode Fuzzy Hash: 56942107f208eac211681176a3cb9138e4de494371c761b67b0e0cfbc9356bb7
Instruction Fuzzy Hash: 0CB09B7657031C678604DA98DC41C55339D5648510B404514BD0D4B200D571FA9047E5

Uniqueness

Uniqueness Score: -1.00%

Function 032A7CE6 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%02d, xrefs: 032A80F6
%02d, xrefs: 032A7F97
%03d, xrefs: 032A8072
R, xrefs: 032A7D98
%02d, xrefs: 032A80D0
%02d.%03d, xrefs: 032A7F63
%02d, xrefs: 032A7F0B
%02d, xrefs: 032A8172
R, xrefs: 032A7EE5
%.16g, xrefs: 032A809C
d, xrefs: 032A7E1E
%02d, xrefs: 032A8049
%04d, xrefs: 032A81C1

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID: %.16g$%02d$%02d$%02d$%02d$%02d$%02d$%02d.%03d$%03d$%04d$R$R$d
API String ID: 0-238620251
Opcode ID: eb3d0b47ab6eadee69d6ac8b6e84c7bd45b5d6aef31cff4ee45b3ffbebfd84b5
Instruction ID: 0c95279f5278467d49aeb917ff366b3ce3a66e4e34b85dd2f684456c2fe7311c
Opcode Fuzzy Hash: eb3d0b47ab6eadee69d6ac8b6e84c7bd45b5d6aef31cff4ee45b3ffbebfd84b5
Instruction Fuzzy Hash: DFF16BB1D20619EFCB18DF98EC91AAEB771FF85304F188198E1166B301DB70AD95CB84

Uniqueness

Uniqueness Score: -1.00%

Function 1047EEA0 Relevance: 19.7, APIs: 13, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047EECF
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047EEDC
FSDK_GetFacePosition_C.CLIENT(00000000,?,?,?,?,?), ref: 1047EF9C
FSDK_CopyRect.CLIENT(00000000,?,?,?,?,?), ref: 1047EFC5
FSDK_CreateEmptyImage.CLIENT(?,00000000,?,?,?,?,?), ref: 1047EFCF
FSDK_ResizeImage.CLIENT(?,?,?), ref: 1047F021

Part of subcall function 10479E50: EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479E7F
Part of subcall function 10479E50: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479E8C

FSDK_FreeImage.CLIENT(?), ref: 1047F030

Part of subcall function 1047A350: EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047A37D
Part of subcall function 1047A350: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A38A
Part of subcall function 1047A350: Sleep.KERNEL32(0000000A), ref: 1047A396
Part of subcall function 1047A350: EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047A3A6
Part of subcall function 1047A350: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A3B2
Part of subcall function 1047A350: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A428

FSDK_GetImageWidth.CLIENT(?,?), ref: 1047F047
FSDK_GetImageHeight.CLIENT(?,?,?,?), ref: 1047F052
FSDK_CopyRect.CLIENT(?,?,?,?,?,?,?,?,?,?), ref: 1047F0A8
FSDK_FreeImage.CLIENT(?), ref: 1047F0B3

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$Image$Leave$Enter$CopyFreeRect$CreateEmptyFaceHeightPosition_ResizeSleepWidth
String ID:
API String ID: 1955235071-0
Opcode ID: cb5adecf170d7331977cbe7f5d4d242eca5d8b7a2676b3211ba6ef52db4264b3
Instruction ID: dac6747f0e3ea5a3f76de1016672b5078cec85578f32568d878405da189028f2
Opcode Fuzzy Hash: cb5adecf170d7331977cbe7f5d4d242eca5d8b7a2676b3211ba6ef52db4264b3
Instruction Fuzzy Hash: C071DD76604254AFCB00DF68D8C49ABB7B8EF89254F498A5DFD48C3254EA35EC14C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 10482740 Relevance: 19.7, APIs: 13, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FSDK_GetCameraList.CLIENT(?,?), ref: 10482756

Part of subcall function 10481960: CoCreateInstance.OLE32 ref: 104819B7

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CameraCreateInstanceList
String ID:
API String ID: 3706761365-0
Opcode ID: bd1ed3d0f59112822debe1b7bcd5931fc437c6205249704635145c96a1a3eb26
Instruction ID: 1a15eb28baa3a5c01d9704aa0fdc7b0e2fc878f0827ea3cfb1498aff8da1f037
Opcode Fuzzy Hash: bd1ed3d0f59112822debe1b7bcd5931fc437c6205249704635145c96a1a3eb26
Instruction Fuzzy Hash: BD518DB1600612AFD300DFA9CCC1F5AB7A4FF48754F000A2AF959DB291E775E9058BE2

Uniqueness

Uniqueness Score: -1.00%

Function 1047AD50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047AD83
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047ADBF
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047ADCC

Strings

(, xrefs: 1047AEA1

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID: (
API String ID: 2801635615-3887548279
Opcode ID: ac119478c0b134ae366c77c70c98860ade39e0ac746c10ee45290c1cddc726d7
Instruction ID: c7359066373b7d06298698253afb210f378f16c2200cea3c3479800912c1b33b
Opcode Fuzzy Hash: ac119478c0b134ae366c77c70c98860ade39e0ac746c10ee45290c1cddc726d7
Instruction Fuzzy Hash: 1A515B755083908FC750DF69C4C4A9ABBE5FB89350F51892EF998D7351D735A804CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1047B050 Relevance: 13.7, APIs: 9, Instructions: 228COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 1047B0B0
GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 1047B0C8
FSDK_CreateEmptyImage.CLIENT(?), ref: 1047B0E0
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047B0EF
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047B100
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047B11B
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047B12C
GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 1047B181

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$BitsCreateEnterLeave$CompatibleEmptyImage
String ID:
API String ID: 920270848-0
Opcode ID: 2ea0a75bf63e110376244635f7973cd8fe6b9d6ed674ebc4d77f0409531f9743
Instruction ID: d6ccf82610254029b38548e579fc339457674982780c7e1757cb162a8d4f7628
Opcode Fuzzy Hash: 2ea0a75bf63e110376244635f7973cd8fe6b9d6ed674ebc4d77f0409531f9743
Instruction Fuzzy Hash: 718148B5604602AFD300CF68CCC5F5AB7E8FB88354F508A29F968D72A1E734E9158B91

Uniqueness

Uniqueness Score: -1.00%

Function 032DC96A Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,032DFFFC,00000001,032DFFFC,00000001,00000000,0332125C,032A70F1,?,032A7B27,?,0000000B,0000000B,?,032D7BDE), ref: 032DC9A8
CompareStringA.KERNEL32(00000000,00000000,032DFFF8,00000001,032DFFF8,00000001,?,0000000B,0000000B,?,032D7BDE,032D55AA), ref: 032DC9C5
CompareStringA.KERNEL32(032A7B27,?,00000000,032D55AA,032D7BDE,?,00000000,0332125C,032A70F1,?,032A7B27,?,0000000B,0000000B,?,032D7BDE), ref: 032DCA23
GetCPInfo.KERNEL32(0000000B,00000000,00000000,0332125C,032A70F1,?,032A7B27,?,0000000B,0000000B,?,032D7BDE,032D55AA), ref: 032DCA74
MultiByteToWideChar.KERNEL32(0000000B,00000009,00000000,?,00000000,00000000,?,0000000B,0000000B,?,032D7BDE,032D55AA), ref: 032DCAF3
MultiByteToWideChar.KERNEL32(0000000B,00000001,00000000,?,0000000B,?,?,0000000B,0000000B,?,032D7BDE,032D55AA), ref: 032DCB54
MultiByteToWideChar.KERNEL32(0000000B,00000009,032D7BDE,?,00000000,00000000,?,0000000B,0000000B,?,032D7BDE,032D55AA), ref: 032DCB67
MultiByteToWideChar.KERNEL32(0000000B,00000001,032D7BDE,?,?,00000000,?,0000000B,0000000B,?,032D7BDE,032D55AA), ref: 032DCBB3
CompareStringW.KERNEL32(032A7B27,?,0000000B,?,?,00000000,?,00000000,?,0000000B,0000000B,?,032D7BDE,032D55AA), ref: 032DCBCB

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: 37f3e6efa778ba772bb2e41537b7b805d6ef73a1afa677da4c0e8c2545e7354e
Instruction ID: 2ab46b61a89c1ca57ba3917b095bbf822433b5568096d86532fa6584abec895a
Opcode Fuzzy Hash: 37f3e6efa778ba772bb2e41537b7b805d6ef73a1afa677da4c0e8c2545e7354e
Instruction Fuzzy Hash: D571D27296026AEFCF21DF54DC459EFBFBAEF05610F08411AF851A6150D3758991CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032D7970 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,032DFFFC,00000001,00000000,00000000,74DEE860,032E9070,?,00000003,00000000,00000001,00000000,?,?,032D5800), ref: 032D79B2
LCMapStringA.KERNEL32(00000000,00000100,032DFFF8,00000001,00000000,00000000,?,?,032D5800,?), ref: 032D79CE
LCMapStringA.KERNEL32(?,?,00000000,00000001,00000000,00000003,74DEE860,032E9070,?,00000003,00000000,00000001,00000000,?,?,032D5800), ref: 032D7A17
MultiByteToWideChar.KERNEL32(?,032E9071,00000000,00000001,00000000,00000000,74DEE860,032E9070,?,00000003,00000000,00000001,00000000,?,?,032D5800), ref: 032D7A4F
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,?,00000000), ref: 032D7AA7
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 032D7ABD
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 032D7AF0
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 032D7B58

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 3981dff938cb68d3715fee6fe74ab492bc45be76db5cb9b1126bb178bf9d359b
Instruction ID: 2134879734187533e9ff97d90a4b542c17f107a3c0ff15cee792606d295066ad
Opcode Fuzzy Hash: 3981dff938cb68d3715fee6fe74ab492bc45be76db5cb9b1126bb178bf9d359b
Instruction Fuzzy Hash: 88519F3291020AEFCF21DFA8DD45DDEBF79FB49750F248119F811A5190D37689A1DB60

Uniqueness

Uniqueness Score: -1.00%

Function 032D9F07 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000010), ref: 032D9F74
GetStdHandle.KERNEL32(000000F4,032E03C8,00000000,?,00000000,00000010), ref: 032DA04A
WriteFile.KERNEL32(00000000), ref: 032DA051

Strings

..., xrefs: 032D9FC6
<program name unknown>, xrefs: 032D9F84
Microsoft Visual C++ Runtime Library, xrefs: 032DA020
Runtime Error!Program: , xrefs: 032D9FDA

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: cd072b2b5448607a5255cffe38449968b2b21002811569ed01f8f3fb63f84dd3
Instruction ID: 0e93567448ce9d353feafe9854504952e7fb60b3cf77af3ee88e934ba3c03bc5
Opcode Fuzzy Hash: cd072b2b5448607a5255cffe38449968b2b21002811569ed01f8f3fb63f84dd3
Instruction Fuzzy Hash: 0331E432A203196FDF20FAA0ED46FEE73ADEF45701F544496F584EA040DBB0A6C58A51

Uniqueness

Uniqueness Score: -1.00%

Function 10481B50 Relevance: 12.2, APIs: 8, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 10002820: EnterCriticalSection.KERNEL32(039F7B88,C92926B1), ref: 1000284B
Part of subcall function 10002820: LeaveCriticalSection.KERNEL32(039F7B88,?), ref: 10002886

EnterCriticalSection.KERNEL32(039F7B88), ref: 10481B7A
LeaveCriticalSection.KERNEL32(039F7B88,?), ref: 10481B8C

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: f1f3e02d398dff614bbaba9015382fd1469d8e91afc6ffb1ca9e9e495f73e14c
Instruction ID: c35444a3e42f5744798cf6f7d4096402c245c55fa44bd7bc8b684b2c57adbb63
Opcode Fuzzy Hash: f1f3e02d398dff614bbaba9015382fd1469d8e91afc6ffb1ca9e9e495f73e14c
Instruction Fuzzy Hash: AA51BD726003419FD700CFA4D8C4B9B77A8EF85314F04896EFD59AB391D775E9058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 032D9D96 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,032D61A6), ref: 032D9DB1
GetEnvironmentStrings.KERNEL32(?,?,?,?,032D61A6), ref: 032D9DC5
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,032D61A6), ref: 032D9DF1
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,032D61A6), ref: 032D9E29
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,032D61A6), ref: 032D9E4B
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,032D61A6), ref: 032D9E64
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,032D61A6), ref: 032D9E77
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 032D9EB5

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 5b07b35ac52e4b9c3faeab9c5200a17a6263e92f6097e6905596eeb09ffe3259
Instruction ID: 3a2dce8f565e5aa714e75eb2dd7563a7149bdfad1216dc17703f869e352254e3
Opcode Fuzzy Hash: 5b07b35ac52e4b9c3faeab9c5200a17a6263e92f6097e6905596eeb09ffe3259
Instruction Fuzzy Hash: 6231D6729252666FDB20FEB4AC88C3BBADCEB85654719496BF581C3101EB618CC186E1

Uniqueness

Uniqueness Score: -1.00%

Function 10487CA0 Relevance: 12.1, APIs: 8, Instructions: 65COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,039F7B88,10481BA1,?), ref: 10487CB0
LeaveCriticalSection.KERNEL32(?,?,039F7B88,10481BA1,?), ref: 10487CBD
EnterCriticalSection.KERNEL32(?,?,039F7B88,10481BA1,?), ref: 10487CD1
FSDK_LoadImageFromJpegBuffer.CLIENT(10481BA1,?,?,?,039F7B88,10481BA1,?), ref: 10487CE4
LeaveCriticalSection.KERNEL32(?), ref: 10487CF9
LeaveCriticalSection.KERNEL32(?), ref: 10487D00
LeaveCriticalSection.KERNEL32(?,?,039F7B88,10481BA1,?), ref: 10487D14
LeaveCriticalSection.KERNEL32(?,?,039F7B88,10481BA1,?), ref: 10487D1B

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$BufferFromImageJpegLoad
String ID:
API String ID: 200253628-0
Opcode ID: eadc7dabae330b1e4ee7b01f00f74cf528976b24cda0229bc954e64f4b91a862
Instruction ID: 1cf7b8b2ecf15e425dc07e7959f2f36ad1c1937298f9fac8acba09b7154864bf
Opcode Fuzzy Hash: eadc7dabae330b1e4ee7b01f00f74cf528976b24cda0229bc954e64f4b91a862
Instruction Fuzzy Hash: 0201AD322007155BC2119AE9ACD0A3BB3ECEF825A17100A3FEA2593751CB29EC1496A0

Uniqueness

Uniqueness Score: -1.00%

Function 10482C40 Relevance: 10.6, APIs: 7, Instructions: 114COMMON

Download Yara Rule

APIs

FSDK_GrabFrame.CLIENT(?,?), ref: 10482C54
FSDK_GetImageWidth.CLIENT(?,?), ref: 10482C6C

Part of subcall function 104796D0: EnterCriticalSection.KERNEL32(039F7CC8), ref: 104796F6
Part of subcall function 104796D0: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479709
Part of subcall function 104796D0: EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479736
Part of subcall function 104796D0: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479743

FSDK_GetImageHeight.CLIENT(?,?,?,?), ref: 10482C79

Part of subcall function 10479610: EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479636
Part of subcall function 10479610: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479649
Part of subcall function 10479610: EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479676
Part of subcall function 10479610: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479683

FSDK_GetImageBufferSize.CLIENT(00000000,?,00000001,?,?,?,?), ref: 10482C88

Part of subcall function 1047A710: EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047A737
Part of subcall function 1047A710: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A74A

FSDK_SaveImageToBuffer.CLIENT(?,00000000,00000001), ref: 10482CA9

Part of subcall function 1047A450: EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047A47F

FSDK_FreeImage.CLIENT(00000000), ref: 10482D45
FSDK_LoadImageFromBuffer.CLIENT(?,00000000,?,?,?,00000001), ref: 10482D5B

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterImage$Leave$Buffer$FrameFreeFromGrabHeightLoadSaveSizeWidth
String ID:
API String ID: 323284270-0
Opcode ID: 90613e124439835aa11031671422e999170dbceeaaa703190c251c2283cc4866
Instruction ID: 6ade7c45e454cbfea0e34c06a52eda77a5351e9b1395a00308c621bd8a654651
Opcode Fuzzy Hash: 90613e124439835aa11031671422e999170dbceeaaa703190c251c2283cc4866
Instruction Fuzzy Hash: 5141A3755083819FC300CF69C89595BFBE9EFD5218F188A5EF8945B302E635F905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1047E9A0 Relevance: 9.2, APIs: 6, Instructions: 211COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E9D6
FSDK_DetectMultipleFaces_C.CLIENT(?,?,?,00003000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1047EA62

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalDetectEnterFaces_MultipleSection
String ID:
API String ID: 623008298-0
Opcode ID: 41c6101af63cd79ef33955c945b6eebce20aa35b985912cd2c46e87cf21bc57e
Instruction ID: 8cc9be78462358c1b1a7baa8c56757b58ebe57af6950fe65786c037b197b73e3
Opcode Fuzzy Hash: 41c6101af63cd79ef33955c945b6eebce20aa35b985912cd2c46e87cf21bc57e
Instruction Fuzzy Hash: 1671D2B5A08301AFC7519F15C4886CABBE4FF89390F61CA1DF985A22A5E735D854CFC2

Uniqueness

Uniqueness Score: -1.00%

Function 1047C150 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

bmp, xrefs: 1047C2FC
png, xrefs: 1047C35C

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID:
String ID: bmp$png
API String ID: 0-2683608082
Opcode ID: bc060b78bbb31b77f36a51ad82d551ab9f04157b473e5f33bd9deec93b35b80b
Instruction ID: 0da2a6797d044ff1c287b3e5e4f72ff9b021147778cb11d765677702518960ec
Opcode Fuzzy Hash: bc060b78bbb31b77f36a51ad82d551ab9f04157b473e5f33bd9deec93b35b80b
Instruction Fuzzy Hash: F441E03260421A8BC710DF6CC891A9B73A5EF852A0B45866DEC59DB3A4EB34ED05C7C5

Uniqueness

Uniqueness Score: -1.00%

Function 1047DC10 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

FSDK_DetectFace_C.CLIENT(?,?,00000000), ref: 1047DC3D

Part of subcall function 1047CF80: EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047CFAD

FSDK_CreateEmptyImage.CLIENT(?), ref: 1047DCE8
FSDK_CreateEmptyImage.CLIENT(?), ref: 1047DCF5
FSDK_CopyRect.CLIENT(?,00000000,?,00000000,?,?), ref: 1047DD18

Part of subcall function 104798A0: EnterCriticalSection.KERNEL32(039F7CC8), ref: 104798CD
Part of subcall function 104798A0: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 104798DA

FSDK_ResizeImage.CLIENT(?), ref: 1047DD3E

Part of subcall function 10479E50: EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479E7F
Part of subcall function 10479E50: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479E8C

FSDK_FreeImage.CLIENT(?,?), ref: 1047DD44

Part of subcall function 1047A350: EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047A37D
Part of subcall function 1047A350: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A38A
Part of subcall function 1047A350: Sleep.KERNEL32(0000000A), ref: 1047A396
Part of subcall function 1047A350: EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047A3A6
Part of subcall function 1047A350: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A3B2
Part of subcall function 1047A350: LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A428

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Image$CreateEmpty$CopyDetectFace_FreeRectResizeSleep
String ID:
API String ID: 1584239638-0
Opcode ID: 32431101161bc63eeae1f27b67cf31aae6b57cc9f77f2532ed59786fc8a646bc
Instruction ID: d697fbcce99cf64e182a66e467409d49829819faf6b08d2d2ca3542ec38e5218
Opcode Fuzzy Hash: 32431101161bc63eeae1f27b67cf31aae6b57cc9f77f2532ed59786fc8a646bc
Instruction Fuzzy Hash: 5E41E5B9A00215ABCB01EF79C89589A77B8EF49294F118A58FC4597368F731AD10CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 032D62DB Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,032DFFFC,00000001,?,?,?,?,00000001,00000000,?,032C0188,00000000,00000008), ref: 032D631A
GetStringTypeA.KERNEL32(00000000,00000001,032DFFF8,00000001,?,?,?,?,00000001,00000000,?,032C0188,00000000,00000008), ref: 032D6334
GetStringTypeA.KERNEL32(?,00000000,032C0188,?,00000000,?,?,?,00000001,00000000,?,032C0188,00000000,00000008), ref: 032D6368
MultiByteToWideChar.KERNEL32(00000001,?,032C0188,?,00000000,00000000,?,?,?,00000001,00000000,?,032C0188,00000000,00000008), ref: 032D63A0
MultiByteToWideChar.KERNEL32(00000001,00000001,032C0188,?,?,?,?,?,?,00000001,00000000,?,032C0188,00000000), ref: 032D63F6
GetStringTypeW.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,?,00000001,00000000,?,032C0188,00000000), ref: 032D6408

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 862246c862c2dacc319e6c0586e1500049c36059557999a6e2b03a8b75d51d81
Instruction ID: d28fb10d5cd59ab12e8009eac33d1e434cd2a990abfea37e4f4ffe5818edc0fb
Opcode Fuzzy Hash: 862246c862c2dacc319e6c0586e1500049c36059557999a6e2b03a8b75d51d81
Instruction Fuzzy Hash: 6F41A07291021AAFCF20EF94EC85EAE7F79FB05B50F548825F911E6140C3759995CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032D9067 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,?,?,?,032D9533,?,00000010,?,00000009,00000009,?,032D59FB,00000010), ref: 032D9088
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,032D9533,?,00000010,?,00000009,00000009,?,032D59FB,00000010), ref: 032D90AC
VirtualAlloc.KERNEL32(00000000,MZP,00001000,00000004,?,?,032D9533,?,00000010,?,00000009,00000009,?,032D59FB,00000010), ref: 032D90C6
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,032D9533,?,00000010,?,00000009,00000009,?,032D59FB,00000010), ref: 032D9187
HeapFree.KERNEL32(00000000,00000000,?,?,032D9533,?,00000010,?,00000009,00000009,?,032D59FB,00000010), ref: 032D919E

Strings

MZP, xrefs: 032D90BA, 032D90C4, 032D914B

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID: MZP
API String ID: 714016831-2889622443
Opcode ID: 8d85663e4f34678a4ce6d5c2437b29ad8148577d6528a89bd60d1a7a08bf4905
Instruction ID: d45abb28c357eafc4c36180edf772c890ed8139b7be591b323920fb184883951
Opcode Fuzzy Hash: 8d85663e4f34678a4ce6d5c2437b29ad8148577d6528a89bd60d1a7a08bf4905
Instruction Fuzzy Hash: 6931BE71650712ABD320EF24FC4AB61B7A8FB54B66F148229F156DB2C4E771A8C0CB54

Uniqueness

Uniqueness Score: -1.00%

Function 032A7809 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70451eef76624b0de39f03ee3b2fd22a378e1bf87b827dfa89bf301149391090
Instruction ID: a3bf85869d163ebc704c01e5e6f8ac566d93ceb0d17130f70dc169a92cb4dbdb
Opcode Fuzzy Hash: 70451eef76624b0de39f03ee3b2fd22a378e1bf87b827dfa89bf301149391090
Instruction Fuzzy Hash: 56413A74D04609DFCB04DFACD5989AEBBB1FF44310F24C299D809AB246D7B09A91CF80

Uniqueness

Uniqueness Score: -1.00%

Function 032D8478 Relevance: 9.1, APIs: 6, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00100000,00004000,?,?,?,?,032D61F7,032D624B,?,?,?), ref: 032D84B0
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,032D61F7,032D624B,?,?,?), ref: 032D84BB
HeapFree.KERNEL32(00000000,?,?,?,?,?,032D61F7,032D624B,?,?,?), ref: 032D84C8
HeapFree.KERNEL32(00000000,?,?,?,?,032D61F7,032D624B,?,?,?), ref: 032D84E4
VirtualFree.KERNEL32(?,00000000,00008000,?,?,032D61F7,032D624B,?,?,?), ref: 032D8505
HeapDestroy.KERNEL32(?,?,032D61F7,032D624B,?,?,?), ref: 032D8517

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: Free$HeapVirtual$Destroy
String ID:
API String ID: 716807051-0
Opcode ID: 38726e4868ce4e67177399faff5d5519dc13a83e66d0e9d6eee4cb859fb07fbc
Instruction ID: 10c13cdb872617fc4cd5299df1876103769d4cec9e5cd00dbd0ea4f7c6d1def7
Opcode Fuzzy Hash: 38726e4868ce4e67177399faff5d5519dc13a83e66d0e9d6eee4cb859fb07fbc
Instruction Fuzzy Hash: F511C436640625EBDB31EF10FC8BF55B369FB40B21F668055FA40AB198C771A890CB14

Uniqueness

Uniqueness Score: -1.00%

Function 032CC5F8 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 032CC744
__ftol.LIBCMT ref: 032CC767
__ftol.LIBCMT ref: 032CC809
__ftol.LIBCMT ref: 032CC834

Part of subcall function 032B3491: GetSystemTimeAsFileTime.KERNEL32(032CC803,?,?,?,?,?,?,032CC803,?), ref: 032B349B

Strings

d, xrefs: 032CC7D7

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: __ftol$Time$FileSystem
String ID: d
API String ID: 1096039025-2564639436
Opcode ID: 761b166967b58485164e6a5308cbb9fc778a3f3862552ccd682fd11c040557bd
Instruction ID: 53f004d070216b4e07433c52c20873aa25f226fe808a7e1c0b8a0b410a2b8597
Opcode Fuzzy Hash: 761b166967b58485164e6a5308cbb9fc778a3f3862552ccd682fd11c040557bd
Instruction Fuzzy Hash: 02914E74E20249EBDB04DF98D554BAEB7B5FF48300F2882ACD409AB255D731EE86DB50

Uniqueness

Uniqueness Score: -1.00%

Function 032D82D3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 032D82F2
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 032D8327
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 032D8387

Strings

__MSVCRT_HEAP_SELECT, xrefs: 032D8322
__GLOBAL_HEAP_SELECTED, xrefs: 032D8361

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 22bd912b2044f4c6df43840c12d79c9beb8917d927b46a9a7e5d1e63a6b32b03
Instruction ID: 3895fbfb49d784c110070308c8a4300818134a903f1529dd496036b4790d07fb
Opcode Fuzzy Hash: 22bd912b2044f4c6df43840c12d79c9beb8917d927b46a9a7e5d1e63a6b32b03
Instruction Fuzzy Hash: 61316B76C35389ADEB71D770AC85BEE776C9B02604F2C44D9D18CE9441E6B0C6C6CB21

Uniqueness

Uniqueness Score: -1.00%

Function 10481D50 Relevance: 7.7, APIs: 5, Instructions: 222COMMON

Download Yara Rule

APIs

FSDK_GetCameraList.CLIENT(?,?), ref: 10481D85

Part of subcall function 10481960: CoCreateInstance.OLE32 ref: 104819B7

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CameraCreateInstanceList
String ID:
API String ID: 3706761365-0
Opcode ID: bf3630b42cd6c2b12d14b035839e08ea209910557bbbcd82c8b5f620f1b369d8
Instruction ID: cfe046ef8d2bdf2338a9a3570ab9782f56e5a0fb8c595193d8bc30a95d8822ff
Opcode Fuzzy Hash: bf3630b42cd6c2b12d14b035839e08ea209910557bbbcd82c8b5f620f1b369d8
Instruction Fuzzy Hash: 7B7192756002129FC710CFA9C8D1B5BB7E4FF49254F408A2AF959CB394DB34E805CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1047A7F0 Relevance: 7.7, APIs: 5, Instructions: 157COMMON

Download Yara Rule

APIs

FSDK_CreateEmptyImage.CLIENT(?), ref: 1047A828
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047A83D
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A84A
EnterCriticalSection.KERNEL32(039F7CC8,00000000), ref: 1047A861
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A873

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CreateEmptyImage
String ID:
API String ID: 2128245604-0
Opcode ID: ee6e57a2855c52ef6de848a25a65c998a76047f60ff0dd2702b002a5eecdcf98
Instruction ID: 509fefbf82381f469b0a8038c0471bc8e9d4f6a339a04478e3e4f17e61e1c60e
Opcode Fuzzy Hash: ee6e57a2855c52ef6de848a25a65c998a76047f60ff0dd2702b002a5eecdcf98
Instruction Fuzzy Hash: 7A513AB9600215AFD700DF99D8C1EAAB3A9FF88220B158259FA1897351D735FC21CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 032D6DA3 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 032D6E01
GetFileType.KERNEL32(00000480), ref: 032D6EAC
GetStdHandle.KERNEL32(-000000F6), ref: 032D6F0F
GetFileType.KERNEL32(00000000), ref: 032D6F1D
SetHandleCount.KERNEL32 ref: 032D6F54

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 0d1cf4907653dc2f9a493cbbf966bd40588ae4a3233b3a27ce22caf7cb0f9604
Instruction ID: e59b545e9ed1c8fd70b692231e2e120d1c1d6f2dcbd85c06aac92d1f0091d60d
Opcode Fuzzy Hash: 0d1cf4907653dc2f9a493cbbf966bd40588ae4a3233b3a27ce22caf7cb0f9604
Instruction Fuzzy Hash: AB5148719246028FDB20DB28E848B6577E4AF02324FA8866DC592CF2D1D7B5D9C5C790

Uniqueness

Uniqueness Score: -1.00%

Function 032B2EEB Relevance: 7.6, APIs: 5, Instructions: 133filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 032B2F73
Sleep.KERNEL32(00000001), ref: 032B2F84
LockFile.KERNEL32(?,40000001,00000000,00000001,00000000), ref: 032B2FD8
LockFile.KERNEL32(?,40000002,00000000,000001FE,00000000), ref: 032B3038

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: FileLock$Sleep
String ID:
API String ID: 2837005644-0
Opcode ID: 973f42b78ead1c4897fa30b80ded556d43bc6ab2422a027e2ee083e9d8ef60b9
Instruction ID: badcfa2b078ceb724b442b241536324d998eefd3692c8850c14fdb352c51303a
Opcode Fuzzy Hash: 973f42b78ead1c4897fa30b80ded556d43bc6ab2422a027e2ee083e9d8ef60b9
Instruction Fuzzy Hash: F4512D74D1030AEBEF14CF94C948BEEBBB5BF44344F188958E6556B280C3B59A84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 10478DA0 Relevance: 7.6, APIs: 5, Instructions: 123threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,C92926B1,?,00000000,?,?,?,?,?,?,?,00000000,10489818,000000FF,?,10478FD1), ref: 10478DD1
CreateThread.KERNEL32(00000000,00000000,10478AD0,00000000,00000000,00000000), ref: 10478E86
WaitForMultipleObjects.KERNEL32(00000004,?,00000001,000000FF,00000000,?,?,?,?,?,?,?,00000000,10489818,000000FF), ref: 10478EAF
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,10489818,000000FF,?,10478FD1,00000000), ref: 10478EC9
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,10489818,000000FF,?,10478FD1), ref: 10478EEC

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$CloseCreateDeleteHandleInitializeMultipleObjectsThreadWait
String ID:
API String ID: 4171279598-0
Opcode ID: 30d992d9edeb862ea7a1d2a1083661565f2be4fba392d6aa5fca7bd3b2624a6e
Instruction ID: 8eeee27565cf44a78993134131de2de62473d43dd4855e91b06e7a4b1805b21c
Opcode Fuzzy Hash: 30d992d9edeb862ea7a1d2a1083661565f2be4fba392d6aa5fca7bd3b2624a6e
Instruction Fuzzy Hash: EC41AB766443219FD314CF68C8C5A5BBBE8FB89314F118A2EF995DB390E735E8018B91

Uniqueness

Uniqueness Score: -1.00%

Function 104763E0 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,C92926B1,00000000,00000000,?,00000001,?,?,?,?,?,00000000,1048A073,000000FF,10476671,00000000), ref: 1047640C
CreateThread.KERNEL32(00000000,00000000,10476370,-00000010,00000000,00000000), ref: 104764BA
WaitForMultipleObjects.KERNEL32(00000004,00000000,00000001,000000FF,?,?,?,?,?,?,?,00000000,1048A073,000000FF,10476671,00000000), ref: 104764DC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,1048A073,000000FF,10476671,00000000), ref: 104764F7
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,1048A073,000000FF,10476671,00000000), ref: 10476516

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$CloseCreateDeleteHandleInitializeMultipleObjectsThreadWait
String ID:
API String ID: 4171279598-0
Opcode ID: 9eb4e2544d6041cd6caf9e0fa860e510a110f01166273196f4e0c571664b3f92
Instruction ID: 560ea3d4e31c105de58531bb6d863fc09ab62694bab1b2b71b3af35b13a77570
Opcode Fuzzy Hash: 9eb4e2544d6041cd6caf9e0fa860e510a110f01166273196f4e0c571664b3f92
Instruction Fuzzy Hash: A541AEB66442119FD304CF68CCC5B5BB7E9EB89210F118A3EF95587380EB39E8018B95

Uniqueness

Uniqueness Score: -1.00%

Function 1047A350 Relevance: 7.6, APIs: 6, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047A37D
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A38A
Sleep.KERNEL32(0000000A), ref: 1047A396
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047A3A6
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A3B2
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A428

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Sleep
String ID:
API String ID: 950586405-0
Opcode ID: 9ca32be5b11babae6dcf91df8e73de1feb3847045585fb46c29e046e4abaec98
Instruction ID: 90dd1eae96cf8fa4f4cdec8bca8a950a19eef1d7d2e24308be06e4680f6674e0
Opcode Fuzzy Hash: 9ca32be5b11babae6dcf91df8e73de1feb3847045585fb46c29e046e4abaec98
Instruction Fuzzy Hash: C121BF352052209FD701CBE8C8C8FAA73A4EF8B395F558159F8089B3A1CB75AC41CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 1047AC90 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

FSDK_CreateEmptyImage.CLIENT(?), ref: 1047ACC6
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047ACDB
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047ACE8
EnterCriticalSection.KERNEL32(039F7CC8,00000000), ref: 1047ACFF
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047AD0C

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CreateEmptyImage
String ID:
API String ID: 2128245604-0
Opcode ID: cfc7296081174ad45ccdc0cae04a5483161d2e48bec5040934dfe8620b3d943b
Instruction ID: f19d35510496334d41cb43d60714776ab16cac3ba790b0b19f09912b87de54fd
Opcode Fuzzy Hash: cfc7296081174ad45ccdc0cae04a5483161d2e48bec5040934dfe8620b3d943b
Instruction Fuzzy Hash: A211B9766051289BC7118FACDCD4A9A7368FF86275B10835AFC2897390D739DD11C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 032B34E4 Relevance: 7.6, APIs: 5, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(7500F87D,?,032C5B77,00000000,?,0329489B,00000000,00000000,?,?,?,032A663C,?), ref: 032B34FF
TlsGetValue.KERNEL32(00000000,7500F87D,?,032C5B77,00000000,?,0329489B,00000000,00000000,?,?,?,032A663C,?), ref: 032B3534
new[].LIBCMTD ref: 032B354B
TlsSetValue.KERNEL32(00000000,00000000), ref: 032B3583
TlsSetValue.KERNEL32(00000000,00000000), ref: 032B35C3

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: Value$Allocnew[]
String ID:
API String ID: 2211819836-0
Opcode ID: 69e63d1e550f62e8c5be25563adb97fdd49251a5b33a7c244b61a2072bb80338
Instruction ID: 700584ebf693f9a93334e048c1eb6b5496f8acae642df4f2184de080e8431182
Opcode Fuzzy Hash: 69e63d1e550f62e8c5be25563adb97fdd49251a5b33a7c244b61a2072bb80338
Instruction Fuzzy Hash: A82171B8D21308EFDB11FFA4F909B9977B9AB08745F14C198E9044B244D7719AC0DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10479610 Relevance: 7.6, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479636
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479649
EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479676
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479683
EnterCriticalSection.KERNEL32(039F7CC8,?,?), ref: 104796A8
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 104796B5

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 76892d84bf91ee9d4300047281973d6314945a73898fbf01d4b74be405d6b4d5
Instruction ID: 87dc2047c837c36683ac67caabaa73f044e5c1324f9c7faf65b0b767b33fcc96
Opcode Fuzzy Hash: 76892d84bf91ee9d4300047281973d6314945a73898fbf01d4b74be405d6b4d5
Instruction Fuzzy Hash: 8411C83A60A5309FC711DB6CD8D0DDA73A4EF862A4716825AED0097364DB34AC01CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 104796D0 Relevance: 7.6, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 104796F6
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479709
EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479736
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479743
EnterCriticalSection.KERNEL32(039F7CC8,?,?), ref: 10479768
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479775

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 38dd3317922c336dccb9dfcc2842207fa7377758e717ac8e4b5e73a02c268c31
Instruction ID: 0b81767722b84b08464a3b61e42addaa0052c2e12ecb91a5496d681d8d12e96e
Opcode Fuzzy Hash: 38dd3317922c336dccb9dfcc2842207fa7377758e717ac8e4b5e73a02c268c31
Instruction Fuzzy Hash: 3E11C83A609530DFC711DF6CD8D4E9A73A4FF4A2A1745825AEC0097364D734AC01CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 10488F90 Relevance: 7.6, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7C28,?,?,?,?,1047C4E5,?,?), ref: 10488FB0
LeaveCriticalSection.KERNEL32(039F7C28,?,?,?,?,1047C4E5,?,?), ref: 10488FC3
EnterCriticalSection.KERNEL32(039F7B68,?,?,?,?,1047C4E5,?,?), ref: 10488FCC
LeaveCriticalSection.KERNEL32(039F7B68,?,?,?,?,1047C4E5,?,?), ref: 10488FDC
EnterCriticalSection.KERNEL32(039F7D88,?,?,?,?,1047C4E5,?,?), ref: 10488FE5
LeaveCriticalSection.KERNEL32(039F7D88,?,?,?,?,1047C4E5,?,?), ref: 10488FF2

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: c5aebfbb2ace6fd6b796bfea815704cceac95b22b98f630d030739a9a27a12f9
Instruction ID: 97f982028332aa2ca13a57828253376a2217caef491ac7d7a88a32da92e61417
Opcode Fuzzy Hash: c5aebfbb2ace6fd6b796bfea815704cceac95b22b98f630d030739a9a27a12f9
Instruction Fuzzy Hash: 2F01263240B7B84FD7029BA92CD045FFB99AD5751074A489FEA50A3311DB14DC00C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 032D9989 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,032DB8E5,032DA184,?,032D6514,00000000,?,00000001,00000800,032A1E33,?,?,032D6CFC,?,?), ref: 032D998B
TlsGetValue.KERNEL32(?,?,032D6CFC,?,?,?,032D672C,00000000,032B2B04,00000000), ref: 032D9999
SetLastError.KERNEL32(00000000,?,?,032D6CFC,?,?,?,032D672C,00000000,032B2B04,00000000), ref: 032D99E5

Part of subcall function 032D6FB3: HeapAlloc.KERNEL32(00000008,00000000,00000000,00000000,00000000,00000000,032B2B04,00000000), ref: 032D70A9

TlsSetValue.KERNEL32(00000000,?,?,032D6CFC,?,?,?,032D672C,00000000,032B2B04,00000000), ref: 032D99BD
GetCurrentThreadId.KERNEL32 ref: 032D99CE

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: fc9e34d854ab0635c548f7281946cc7ef1dd449bf041df8b5a527acaf7c0752e
Instruction ID: f95c1215dce265918fb450d5b4fb588ae1ba465b03dd61fdc2414f1eaa52c349
Opcode Fuzzy Hash: fc9e34d854ab0635c548f7281946cc7ef1dd449bf041df8b5a527acaf7c0752e
Instruction Fuzzy Hash: DAF0BB36956B129BD7317B34B80E75A3F64EF40BB27048215F582DA294DB6588C24A91

Uniqueness

Uniqueness Score: -1.00%

Function 032D73EF Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000000,?,?,032D995D,032D61F2,032D624B,?,?,?), ref: 032D7423

Part of subcall function 032D5A4B: HeapFree.KERNEL32(00000000,?,00000000,00000010,?,?,032D59E8,00000009), ref: 032D5B1F

DeleteCriticalSection.KERNEL32(?,?,032D995D,032D61F2,032D624B,?,?,?), ref: 032D743E
DeleteCriticalSection.KERNEL32 ref: 032D7446
DeleteCriticalSection.KERNEL32 ref: 032D744E
DeleteCriticalSection.KERNEL32 ref: 032D7456

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: CriticalDeleteSection$FreeHeap
String ID:
API String ID: 447823528-0
Opcode ID: 1e5c3475a6178a485b33bc87a3c41e6534b1b727dabb0413258814aec6d8f3e6
Instruction ID: ba440e7a59aa780c78f37884f7ab78a73a2769c2b74569f9ee312d9cfab84cb3
Opcode Fuzzy Hash: 1e5c3475a6178a485b33bc87a3c41e6534b1b727dabb0413258814aec6d8f3e6
Instruction Fuzzy Hash: 1CF05E37C35011568E36FA5DFC8E88AEE619ED665432E807AD888564248975CCE18DE4

Uniqueness

Uniqueness Score: -1.00%

Function 032B8FDC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 032B9235
__aulldiv.LIBCMT ref: 032B9271

Strings

0123456789ABCDEF0123456789abcdef, xrefs: 032B9201
-, xrefs: 032B90AF

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: -$0123456789ABCDEF0123456789abcdef
API String ID: 3839614884-3460398327
Opcode ID: 5e465dcf58afd6457e1525a7c3df8a9db25ac65dc0b1532d866f191fcbd8f776
Instruction ID: 6f736edd5777b93a7646ca545fe9187444cae95938ea4f312d99f9a42fbbb252
Opcode Fuzzy Hash: 5e465dcf58afd6457e1525a7c3df8a9db25ac65dc0b1532d866f191fcbd8f776
Instruction Fuzzy Hash: 02510670A5916A8FDB69CF28CD50BEEBBB1BB49344F1481E9D51DA7244D7319AC0CF80

Uniqueness

Uniqueness Score: -1.00%

Function 032D7521 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,032D53A9), ref: 032D7526
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 032D7536

Strings

IsProcessorFeaturePresent, xrefs: 032D7530
KERNEL32, xrefs: 032D7521

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 67f41b303c16c29c336b283b92b38126fa03fb5eb527e049f414147c127f89ea
Instruction ID: 82b3881b342461298e50215e77d4e6ad7094dcf3f36073b4578a3355ca4c92e3
Opcode Fuzzy Hash: 67f41b303c16c29c336b283b92b38126fa03fb5eb527e049f414147c127f89ea
Instruction Fuzzy Hash: 95C012207A16035DD960AF76AC0F729141C5F40A03F0480106916E10C4EA94C1814121

Uniqueness

Uniqueness Score: -1.00%

Function 032D5B34 Relevance: 6.5, APIs: 5, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f117e65a058188dbac0e90d0d7dce82d7058917e857ec2fc1cf94b61d57d2582
Instruction ID: db97f09f4c996652e9b329ffad8e7748f278faf82213819e491bea6264db8fc1
Opcode Fuzzy Hash: f117e65a058188dbac0e90d0d7dce82d7058917e857ec2fc1cf94b61d57d2582
Instruction Fuzzy Hash: 1D91F871D21615AECF11FB68DC449DEBBB8EB06760F384216F814BA184D7B18DC0CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 032C6EC8 Relevance: 6.3, APIs: 4, Instructions: 289COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 032C720E
__ftol.LIBCMT ref: 032C721F

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: 704c651b27ea79fffe48b6bd6682a329a352f00c860418cdb98322812df47f85
Instruction ID: b01367a48216cf111fb50496b05c73e09cec27d45fc41bd80283f393a117c607
Opcode Fuzzy Hash: 704c651b27ea79fffe48b6bd6682a329a352f00c860418cdb98322812df47f85
Instruction Fuzzy Hash: 20D117B4E20659DFDB68DF58CD50BAAB7B1BF88200F1482D9D44AAB244D7319EC1DF42

Uniqueness

Uniqueness Score: -1.00%

Function 032DA197 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,00000000), ref: 032DA25E

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a658e733f238f0b3e42875bb00d94364eab8d934e6d06bf1072b7cc695fe7c4b
Instruction ID: cbde63e8a5895d58871c4f5af39567d6d4490c602922ec44ab447e0061d917a7
Opcode Fuzzy Hash: a658e733f238f0b3e42875bb00d94364eab8d934e6d06bf1072b7cc695fe7c4b
Instruction Fuzzy Hash: 1A518D35920249EFCB11DFA9D888E9DBBB4FF45340F1481A6E816DB251D7B1DAD0CB60

Uniqueness

Uniqueness Score: -1.00%

Function 032B274A Relevance: 6.1, APIs: 4, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000004,10000080,00000000,?,?,032A1B3F,00000000,00000000), ref: 032B277F
CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000004,10000080,00000000), ref: 032B27A4
CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000004,10000080,00000000,?,?,032A1B3F,00000000,00000000), ref: 032B2801
CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000004,10000080,00000000), ref: 032B2826

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6490e658c1d4fadd26f575ec0532bcb91e00a5e08c528e0afe32544868ab10cb
Instruction ID: 43a2caba9a533cd2e800e758a5a6796733f7fa94db880851513b6e4d1017cc2d
Opcode Fuzzy Hash: 6490e658c1d4fadd26f575ec0532bcb91e00a5e08c528e0afe32544868ab10cb
Instruction Fuzzy Hash: 993140B4950305FBEB20DFA0ED15BDE7774AB08750F204A54F6117F2C0D6B5AA81CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 032B286A Relevance: 6.1, APIs: 4, Instructions: 86sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,10000000,00000000), ref: 032B28BA
Sleep.KERNEL32(00000064), ref: 032B28DC
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,10000000,00000000), ref: 032B2915
Sleep.KERNEL32(00000064), ref: 032B2937

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: CreateFileSleep
String ID:
API String ID: 2694422964-0
Opcode ID: 1d1f60459f60f42b237ba4e6443200c3b5b17bf11cd68d35a6a189929e276f0d
Instruction ID: 27208a3dbbb0f109362a6285194bb7ecfa24ddb7409bd643264e57ed01b067c0
Opcode Fuzzy Hash: 1d1f60459f60f42b237ba4e6443200c3b5b17bf11cd68d35a6a189929e276f0d
Instruction Fuzzy Hash: D5316FB4E1030AEBEB10DFA0ED49BEEB774AB48354F248519E6157B2C0D3749A81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 032B32B2 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,032A1B6F), ref: 032B32D9
GetFullPathNameW.KERNEL32(00000000,?,00000000,?), ref: 032B3315
GetFullPathNameA.KERNEL32(032A1B6F,00000000,00000000,032A1B6F,?,?,?,?,?,032A1B6F), ref: 032B3350

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: FullNamePath
String ID:
API String ID: 608056474-0
Opcode ID: 89318c0b586d57c85c20398d48e257a75730bee49018f05ed9dd61098d71f2ed
Instruction ID: 5359e6200f0d2a628ce90cf4bf529d4b0e1e144561cd46f47fc59eadf05ade2f
Opcode Fuzzy Hash: 89318c0b586d57c85c20398d48e257a75730bee49018f05ed9dd61098d71f2ed
Instruction Fuzzy Hash: B73101B9D20209EFDB00EFE4DC45BEFB778AF48341F048558E605AB240E775A684CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 032DCB25 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000000B,00000001,00000000,?,0000000B,?,?,0000000B,0000000B,?,032D7BDE,032D55AA), ref: 032DCB54
MultiByteToWideChar.KERNEL32(0000000B,00000009,032D7BDE,?,00000000,00000000,?,0000000B,0000000B,?,032D7BDE,032D55AA), ref: 032DCB67
MultiByteToWideChar.KERNEL32(0000000B,00000001,032D7BDE,?,?,00000000,?,0000000B,0000000B,?,032D7BDE,032D55AA), ref: 032DCBB3
CompareStringW.KERNEL32(032A7B27,?,0000000B,?,?,00000000,?,00000000,?,0000000B,0000000B,?,032D7BDE,032D55AA), ref: 032DCBCB

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 7cd5335175a7f6e2fbdb09ff15b568954deec876eae11fc438264bdc0509a49e
Instruction ID: 28de9d59319381a0208b6dcde95d4cdaa755fc69bd295e1d3231d970bc1fc1ab
Opcode Fuzzy Hash: 7cd5335175a7f6e2fbdb09ff15b568954deec876eae11fc438264bdc0509a49e
Instruction Fuzzy Hash: 69213832D5021AEBCF219F94DC45ADEBFB6FF48760F144169FA1172160C3729A61DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032B256D Relevance: 6.1, APIs: 4, Instructions: 57sleepfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 032B2593
Sleep.KERNEL32(00000064), ref: 032B25B5
DeleteFileA.KERNEL32(00000000), ref: 032B25D6
Sleep.KERNEL32(00000064), ref: 032B25F8

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: DeleteFileSleep
String ID:
API String ID: 3161721237-0
Opcode ID: 16278e0b1aa7cc29af4fca02c3eccd933995a9b4bd9c2a2cc556f77dfe13c7f1
Instruction ID: 87beb82343e2cf80705b50e28c6524ecb1725b74aff5902594f6df2b6f427d15
Opcode Fuzzy Hash: 16278e0b1aa7cc29af4fca02c3eccd933995a9b4bd9c2a2cc556f77dfe13c7f1
Instruction Fuzzy Hash: AD112B78E10309EBDF08EFA4D958BEDBBB4EF44349F1484A4E90697280D679A6D1DB40

Uniqueness

Uniqueness Score: -1.00%

Function 100020D0 Relevance: 6.0, APIs: 4, Instructions: 32synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 100020EC
ResetEvent.KERNEL32(?), ref: 100020F2
SetEvent.KERNEL32(?), ref: 1000210E
ExitThread.KERNEL32 ref: 1000211C

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: Event$ExitObjectResetSingleThreadWait
String ID:
API String ID: 3992486658-0
Opcode ID: 0d5c412468ae82bbd9e1cf0dccf03b004b927e548126a12a55d26bfefd11e042
Instruction ID: bd623185f113e5bb64da8050b67e750535d759db64136f92daf2ec19560da285
Opcode Fuzzy Hash: 0d5c412468ae82bbd9e1cf0dccf03b004b927e548126a12a55d26bfefd11e042
Instruction Fuzzy Hash: 57F0B771504710DFC631DFAACCC481BB3FCBB8A6503108E1EE2A693665D735F9448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 032DB643 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 032DB657

Strings

, xrefs: 032DB67C
, xrefs: 032DB6A0

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 7ce1851318201c88d4483f95fb14971e71bd546b55fb20886312e8d2c68141f3
Instruction ID: 59412a2832e2238fc6df2342511fb22350ec6a2739e2a61ea63a1405ee919942
Opcode Fuzzy Hash: 7ce1851318201c88d4483f95fb14971e71bd546b55fb20886312e8d2c68141f3
Instruction Fuzzy Hash: B4415B334242581BFB21D628DC6ABF77FA99B06B00F1D04E5E189CB252C2B545C4CBE3

Uniqueness

Uniqueness Score: -1.00%

Function 032B2A02 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000118,?), ref: 032B2A49

Strings

%s\sqlite_, xrefs: 032B2AF6

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: PathTemp
String ID: %s\sqlite_
API String ID: 2920410445-921541735
Opcode ID: beacd156b3fa0a9615c8e3d8f71f3044038c69e25d585973276ec43a7f0ad264
Instruction ID: da3bce5a95f8fab571d271be629b07b1ee99e40395549deeb9c2cc994e9887e2
Opcode Fuzzy Hash: beacd156b3fa0a9615c8e3d8f71f3044038c69e25d585973276ec43a7f0ad264
Instruction Fuzzy Hash: 3C41A175D20348EBCB25EB64DC45BED77B8AF49344F0484A4E6096B244E7B09B84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1047BDE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

bmp, xrefs: 1047BF1F
jpg, xrefs: 1047BF87

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID:
String ID: bmp$jpg
API String ID: 0-1510245739
Opcode ID: 7ca64423effc136d681f63f7e55a2ce00f8a71e7e8811cf4dbf04aa95efd3a52
Instruction ID: 73b3301b13cee14f46ffe5ab25f79dbb17a0f0cd1ab5a7258e37b45804d9b3c6
Opcode Fuzzy Hash: 7ca64423effc136d681f63f7e55a2ce00f8a71e7e8811cf4dbf04aa95efd3a52
Instruction Fuzzy Hash: 9F31CE356002469BC7049F3CCC82B9B73A5EF85694F448A68FA5ACB394EB35ED04C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 10479AD0 Relevance: 5.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479AFD
EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479B3F
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479B4C

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 6790f56543b1e76576b668c62222a4a9917cbd5316ab94b37fadc3e2c4a5dfeb
Instruction ID: 107012973b54b92222b946045c4fabc2edeb7ca9a369cdeb93c412b0909f817e
Opcode Fuzzy Hash: 6790f56543b1e76576b668c62222a4a9917cbd5316ab94b37fadc3e2c4a5dfeb
Instruction Fuzzy Hash: C641B776605120AFCB14CB59E8D4DAB77A8FF49260746829DFD098B351EB35EC40CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 1047E1D0 Relevance: 5.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E1FD
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E20A
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E2C4
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E2D1

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 613e98e9ad0844572ab4b3f1a748880e811d262642f590a13d11fc70483c516c
Instruction ID: bd883383cb906c35b3cfa82454994a2aed3cb22203392ace04cf15ebbea08c2a
Opcode Fuzzy Hash: 613e98e9ad0844572ab4b3f1a748880e811d262642f590a13d11fc70483c516c
Instruction Fuzzy Hash: 1131D475A046148FC720DF69D8C4A9673A8EF49364F15C29AEC18973A2DB34EC01CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 1047E090 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E0CD
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E0E0
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E186
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E193

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 9ffc5ca7f20fa6ecc158f59b426f11db0a58120e01838d34663ff2162fde6c50
Instruction ID: 568f6f4d3b749344a23381cd50d6ad36a7f1c415d48dc37413d668ceb818ab5a
Opcode Fuzzy Hash: 9ffc5ca7f20fa6ecc158f59b426f11db0a58120e01838d34663ff2162fde6c50
Instruction Fuzzy Hash: 8C31E9766042249BD720DB69DCC2A9BB3A4EB49365F45835EFC1997390EB34EC00C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 104798A0 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 104798CD
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 104798DA
EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479985
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479992

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 15ca3077493405f05bef9e05f36e3d2a144daeb92ce1f1f5fd40e54387a1f3b6
Instruction ID: 3557f878aee3a32a1c86cca5e5322e467e0c3158bcf8b663bc7c7c28b9e6c153
Opcode Fuzzy Hash: 15ca3077493405f05bef9e05f36e3d2a144daeb92ce1f1f5fd40e54387a1f3b6
Instruction Fuzzy Hash: 8E318FBA6041249FDB10CFA8D8C4E9A73A8EF8A265F15825DFD18D73A0CB34AC41C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 10479790 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 104797BD
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 104797CA
EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479875
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479882

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7c030649d0e155455f318ce43d6d52c3a6ad763e02f7e2ed4f857c7961b812b2
Instruction ID: 98943d90449852eef73d6c3c909c521c1b789978ac40d1e80b83b8bb0e813617
Opcode Fuzzy Hash: 7c030649d0e155455f318ce43d6d52c3a6ad763e02f7e2ed4f857c7961b812b2
Instruction Fuzzy Hash: DA31927A7041249FCB10DF68D8C4E9A73A8EB4A265F15825AFC18DB3A1CB35AC41C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 104799B0 Relevance: 5.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 104799DF
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 104799EC
EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479A9C
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479AA9

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ebd775eba17f65582cd434d8283d8bf67745e1ef93449b07f169e9d1f907711b
Instruction ID: 0c170e3a6439466ff6dee443cc8ed890f9ad80ec06c387370bc8c808c7fffa14
Opcode Fuzzy Hash: ebd775eba17f65582cd434d8283d8bf67745e1ef93449b07f169e9d1f907711b
Instruction Fuzzy Hash: 0931047A2051648FCB00DFA8D8C4A9A77A4FF86264F41C28EEC5897364CB34AC11C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 10479C40 Relevance: 5.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479C6F
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479C7C
EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479D1A
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479D27

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: a21f3b9ab9e061c2cf56a47291b24d50f869a7e58653f501f21c3068648cb6cc
Instruction ID: 1fa6a48007ad6c089c3b16b1bd2a6d7c37b83f5da078e440483b2327ec23081b
Opcode Fuzzy Hash: a21f3b9ab9e061c2cf56a47291b24d50f869a7e58653f501f21c3068648cb6cc
Instruction Fuzzy Hash: 6C31D43A6051248FCB21DF6CD8C4AAAB3A4EB46265F51825AEC18973A5CB34AD05C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 10479E50 Relevance: 5.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479E7F
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479E8C
EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479F28
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479F35

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: aa712440c99e400ad3112f1de180d7fa4fd214528e926804a7b6df31602a9f11
Instruction ID: d491cf1c08f48956e4a283d68a62844e5389d84de4d4890e3e2f6dc2f5bd9609
Opcode Fuzzy Hash: aa712440c99e400ad3112f1de180d7fa4fd214528e926804a7b6df31602a9f11
Instruction Fuzzy Hash: 1F31203A3041248FCB10DFA8D8C4AAA73A4EB46264F01829EFC08D73A4DF35AC00C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 1047A710 Relevance: 5.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047A737
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A74A

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ed906801043ca26262507471c9b174c409a873030392a605cc3baf7467579bdc
Instruction ID: 554080404f83d58f7aa34330aea9f577859c33c192eb4b9f595a86daed75e37c
Opcode Fuzzy Hash: ed906801043ca26262507471c9b174c409a873030392a605cc3baf7467579bdc
Instruction Fuzzy Hash: DC21DC773092218FC710DFA8E8C0A9AB3B4EB822A6705C56AE94097760DB35FC15C791

Uniqueness

Uniqueness Score: -1.00%

Function 1047E640 Relevance: 5.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E67B
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E688
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E711
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E71E

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3f104df546123c4e60e698cd3906a162194a411dc96353d5c193e85f096a4305
Instruction ID: c5e7aa70f8c39d927a1745e7d459c013e1c4e9e30a2420cc49babdc80fbd35c2
Opcode Fuzzy Hash: 3f104df546123c4e60e698cd3906a162194a411dc96353d5c193e85f096a4305
Instruction Fuzzy Hash: 2E212836A042248BCB208F69DCC4B9A7394FB49365F41872AFC1997390DB38EC40C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 10479F60 Relevance: 5.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 10479F8D
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 10479F9A
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047A02C
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047A039

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 51fda1320c1a626f0836fc700b87a17c9e86cbc850ae645a548d5e08c98d220e
Instruction ID: 56f835e3c3d207220b0f45a479841072762504db607bb0a0bf1718554cc79a12
Opcode Fuzzy Hash: 51fda1320c1a626f0836fc700b87a17c9e86cbc850ae645a548d5e08c98d220e
Instruction Fuzzy Hash: B321E1366051648FCB10CFA8D8C8A9A73A4EB863A5F05825EEC18973A5DB39BC11C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 1047E520 Relevance: 5.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E55B
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E568
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E5F1
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E5FE

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3f104df546123c4e60e698cd3906a162194a411dc96353d5c193e85f096a4305
Instruction ID: 9c73b168947f8ebe44f09ab4250b306ab9fccb73a3463212e55d094811d8480b
Opcode Fuzzy Hash: 3f104df546123c4e60e698cd3906a162194a411dc96353d5c193e85f096a4305
Instruction Fuzzy Hash: F921F7356042189BCB219FA9D8D4B967394EB49369F01871AFC1997390EB38AC40C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 1047E880 Relevance: 5.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E8BB
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E8CE
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E94A
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E957

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: caae8870396dd7038ebc4d604f8fa730eab077751d0c4c95ff28fa99ab750e6b
Instruction ID: 155539926ac79feffc2be0b4be7390359ae63d0c9355dd886bdbf9363914fa87
Opcode Fuzzy Hash: caae8870396dd7038ebc4d604f8fa730eab077751d0c4c95ff28fa99ab750e6b
Instruction Fuzzy Hash: 94212CB76041249BCB60DB69D8C0B9A7394EB4A3B5F05C35AED0897390DB38ED41C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 1047E760 Relevance: 5.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E79B
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E7AE
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E82A
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E837

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: caae8870396dd7038ebc4d604f8fa730eab077751d0c4c95ff28fa99ab750e6b
Instruction ID: 436bcf1321fa6c678e3bc4c4a8b22431534ea9be6b2f82be60a83ce3358d9710
Opcode Fuzzy Hash: caae8870396dd7038ebc4d604f8fa730eab077751d0c4c95ff28fa99ab750e6b
Instruction Fuzzy Hash: DD21FC36A041248BCB20AF69D8D5B9A7394EB4A375F46C35AEC0897391DB38AC41C7D3

Uniqueness

Uniqueness Score: -1.00%

Function 1047E430 Relevance: 5.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E45D
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E470
EnterCriticalSection.KERNEL32(039F7CC8), ref: 1047E4F0
LeaveCriticalSection.KERNEL32(039F7CC8), ref: 1047E4FD

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: b05541ba58bd25aa1b6a6cb78b19275e84f15fc9cd921661f704788849efea7c
Instruction ID: 9bc50d6cf54b48f1cd08cce304b700ef407a0fcbb82ee27a10d9cbcea3a124c0
Opcode Fuzzy Hash: b05541ba58bd25aa1b6a6cb78b19275e84f15fc9cd921661f704788849efea7c
Instruction Fuzzy Hash: DA21C776A045249BCB209B7A9CC5B9A7394EB49364F05C35AFD1897390EB38EC01C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 032D8BC5 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,?,?,00000000,032D898D,?,00000000,?,032D599D,00000000), ref: 032D8BED
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,032D898D,?,00000000,?,032D599D,00000000), ref: 032D8C21
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,032D898D,?,00000000,?,032D599D,00000000), ref: 032D8C3B
HeapFree.KERNEL32(00000000,?,?,00000000,032D898D,?,00000000,?,032D599D,00000000), ref: 032D8C52

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 05e0082b7125a4a4765e24edc241868d1497735a31b72c1c716ffa97b40e8734
Instruction ID: 131fd2c5f6c362402fac26e35909a679b3ee925314ed66a104c0d93d46b43d95
Opcode Fuzzy Hash: 05e0082b7125a4a4765e24edc241868d1497735a31b72c1c716ffa97b40e8734
Instruction Fuzzy Hash: B9113A30201651EFCB30EF19FC4A9A27BF6FB85722790891AE656CA5A4D374949ACB10

Uniqueness

Uniqueness Score: -1.00%

Function 1047C440 Relevance: 5.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7C48), ref: 1047C47A
LeaveCriticalSection.KERNEL32(039F7C48), ref: 1047C48D
EnterCriticalSection.KERNEL32(039F7CE8), ref: 1047C496
LeaveCriticalSection.KERNEL32(039F7CE8), ref: 1047C4A3

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3e376371abd5166c7eea11dc8ddfed0900551a8de4638c928736ea527068d253
Instruction ID: 327bee19ab48b278ebda28e0e0964641a3d967da4f2b049909037cf311fcf26f
Opcode Fuzzy Hash: 3e376371abd5166c7eea11dc8ddfed0900551a8de4638c928736ea527068d253
Instruction Fuzzy Hash: 4B01DB3350562C5BC7115E5D9CE06AFB398FF85670F45811EEC18E33A0D368EC018B95

Uniqueness

Uniqueness Score: -1.00%

Function 10488F10 Relevance: 5.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(039F7C48,?,?,?,?,1047C429,?), ref: 10488F33
LeaveCriticalSection.KERNEL32(039F7C48,?,?,?,?,1047C429,?), ref: 10488F46
EnterCriticalSection.KERNEL32(039F7CE8,?,?,?,?,1047C429,?), ref: 10488F4F
LeaveCriticalSection.KERNEL32(039F7CE8,?,?,?,?,1047C429,?), ref: 10488F5C

Memory Dump Source

Source File: 00000001.00000002.2890132170.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2890095093.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.000000001048B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890437211.00000000106FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890614016.0000000010705000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890645204.0000000010708000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890676049.0000000010709000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890708810.0000000010717000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001071A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2890739006.000000001111A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891412730.00000000111AD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891446185.00000000111AE000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891495508.0000000011201000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891527910.0000000011212000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891559120.0000000011217000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011271000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.000000001128F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112C5000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.00000000112EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011331000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2891606679.0000000011352000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Cyber.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: de28ffc10ccad9e4be3fbfa213a9ec03ba4bf5872cf02a39dcc77bc269116690
Instruction ID: 87737142d0fbecfaef5a83c1bc02259385bf1d52ca6b57228c09347ebb7afc88
Opcode Fuzzy Hash: de28ffc10ccad9e4be3fbfa213a9ec03ba4bf5872cf02a39dcc77bc269116690
Instruction Fuzzy Hash: 14F0D6726063295FA7005FEA6CC051BF399EE45561745452FEB14E3320E738EC008B95

Uniqueness

Uniqueness Score: -1.00%

Function 032D73C6 Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,032D990A,?,032D6189), ref: 032D73D3
InitializeCriticalSection.KERNEL32 ref: 032D73DB
InitializeCriticalSection.KERNEL32 ref: 032D73E3
InitializeCriticalSection.KERNEL32 ref: 032D73EB

Memory Dump Source

Source File: 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000001.00000002.2887468224.00000000032E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2887468224.00000000032EB000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3290000_Cyber.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: d2b396a453d5ec4452960cdd056b561d7759646962ab484085b92e2fe1e91be6
Instruction ID: ab6f1a2ab544174c1c422d84239f4aa753b96b5e8a9d660f3b614bd4de280627
Opcode Fuzzy Hash: d2b396a453d5ec4452960cdd056b561d7759646962ab484085b92e2fe1e91be6
Instruction Fuzzy Hash: FBC00233C350349ACA113B65FC0D8463F25EF4626531DC062A5045503C8AB25CB2DFD4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mbrmqqboi.exePID: 2200, Parent PID: 6992COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Executed Functions

Function 004047D4 Relevance: 3.9, Strings: 3, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Software\Borland\Delphi\Locales, xrefs: 00404822
Software\Borland\Locales, xrefs: 00404804
., xrefs: 00404902

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 0-3917250287
Opcode ID: 4bcc5c706d1272e94f95cbfdc0bcd9066c37139970266445e02fd176bb9571ac
Instruction ID: 8ee7359c03843291578febc131cf6da320277be5cd150c745c6a92bda8319ec8
Opcode Fuzzy Hash: 4bcc5c706d1272e94f95cbfdc0bcd9066c37139970266445e02fd176bb9571ac
Instruction Fuzzy Hash: 434191F590025C79EB25E6E48C46FEFB6AC9B09744F4001B7BB04F61C2D67C9E448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004048A6 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 00404902

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 244a34d743ee1956047c5136df9ee592a9f6b69cbd73a560dbec52d9bfa63f37
Instruction ID: c9c6129d32f584a08a610383b354ed68719691113bf190c796769d1b8a368ff2
Opcode Fuzzy Hash: 244a34d743ee1956047c5136df9ee592a9f6b69cbd73a560dbec52d9bfa63f37
Instruction Fuzzy Hash: 462160F5D0025D29EB35E6B88C46FDFB6AC4B09384F4401B7AB04F61D2D6788E448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403264 Relevance: 1.3, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Runtime error at 00000000, xrefs: 004032AA, 004032D0

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID: Runtime error at 00000000
API String ID: 0-1393363852
Opcode ID: 06d1f510ad044577468984ffb8653d9a507e3ec4b8d81ee312a7def9728a3627
Instruction ID: b8173a77a5bad1ae95b571b3a9d545ad3cb87312466f096001c29fe4b70ca49d
Opcode Fuzzy Hash: 06d1f510ad044577468984ffb8653d9a507e3ec4b8d81ee312a7def9728a3627
Instruction Fuzzy Hash: E321CE74A002009EEB34EF6684857567FD8AB45306F1884BFA944BB2C7C7BCDA85C76D

Uniqueness

Uniqueness Score: -1.00%

Function 004084C8 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36c9ad529f5ff00f7c712c3257e7e841f0cd609311788d4c8ed63435e4d796b
Instruction ID: 4b6a789ebdc2bd176f093f7c5b6d8e7bcd99c7396301b240a3ce67e9e18b710c
Opcode Fuzzy Hash: d36c9ad529f5ff00f7c712c3257e7e841f0cd609311788d4c8ed63435e4d796b
Instruction Fuzzy Hash: 70113402644B919AC720BBB55D015ABBBD4CF62318F49847ED8E9776C2EA38D901932E

Uniqueness

Uniqueness Score: -1.00%

Function 004019C0 Relevance: .1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928f47f8ce43dc4670c31bee31c99d223876c5d01dddbca36ced1165bff2fdbe
Instruction ID: 4f71748dd93b4c8135f45c19847e48d3f1721c7c037694c7cb852acc65c2bd9d
Opcode Fuzzy Hash: 928f47f8ce43dc4670c31bee31c99d223876c5d01dddbca36ced1165bff2fdbe
Instruction Fuzzy Hash: 6C119D747042405AD731ABA99D81B1B3794A759708F9041BFF900F7AF2C67CA8888B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004015A8 Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbaead09d6a5981287adf494f09ed7b05454a5203a1fd55f2f4bbcb3cfd9d975
Instruction ID: 973eabc71a431fb0b89221cb214eca5a63a481c1986ff9b06c5f9b86d821c4b2
Opcode Fuzzy Hash: cbaead09d6a5981287adf494f09ed7b05454a5203a1fd55f2f4bbcb3cfd9d975
Instruction Fuzzy Hash: EA11AC72A056019FC3109F29CC80A1BB7E5EBC4760F09C93EE598AB3A5E635AC408A49

Uniqueness

Uniqueness Score: -1.00%

Function 00401414 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb74b09a807319ff8b3dd674cd76027a937053602cd4c1cd00eed3db8fd1b4b
Instruction ID: 2e1672d6b05d08bbafa89bea8e66311dc2d0a34bf7ccc394fbc799d6d11a30d2
Opcode Fuzzy Hash: aeb74b09a807319ff8b3dd674cd76027a937053602cd4c1cd00eed3db8fd1b4b
Instruction Fuzzy Hash: 3FF0A772B0062017DB20696A5C81F5355C49F45B94F1581BBFE48FF3F9D6B54C0142ED

Uniqueness

Uniqueness Score: -1.00%

Function 004030B4 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d592683147a828d9f32c172ad6475afab4829e4eb4c87c64f814d01fcf8e05ca
Instruction ID: 7b0afac72c4539e31854512fb5d48fca0e7b207d17ea565b27ce5186b1ff571e
Opcode Fuzzy Hash: d592683147a828d9f32c172ad6475afab4829e4eb4c87c64f814d01fcf8e05ca
Instruction Fuzzy Hash: 6DF0BE31305A069EE3218F4B9981913FF9CFB88761364C43BE908D7A81CA79E9108968

Uniqueness

Uniqueness Score: -1.00%

Function 004055D4 Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff55839efaebfb78defabf7ecdd1caf864ae9585cabe62fcd6fbc662081834ee
Instruction ID: e49ce88f8f04bfcedfde9c027bcace0f6dd6083d998d95bf7495aaac4cc71a12
Opcode Fuzzy Hash: ff55839efaebfb78defabf7ecdd1caf864ae9585cabe62fcd6fbc662081834ee
Instruction Fuzzy Hash: 8CE092B42445408EC7217BE668234173688D7A9714391883BFA08FAFD3CB3D5C09897D

Uniqueness

Uniqueness Score: -1.00%

Function 00408A82 Relevance: .0, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0db532f14b7c669ee94952d530721998bf070dee4de7344432574ea44cc60b
Instruction ID: d43e99c534185534e8c2246644ac03042b38202926ef66e9536dfe29eb935c5b
Opcode Fuzzy Hash: 6e0db532f14b7c669ee94952d530721998bf070dee4de7344432574ea44cc60b
Instruction Fuzzy Hash: A3E08652300D1017D110B27D0E8654F13888E44218314453FB540E72C2EF3CDD060B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004057F0 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1f174936159b30bef607abb00511943bf66f4d62f0ceb91916a96bda1e6e4d
Instruction ID: c54487bd5ef6b1886ef707e54dc280fd02bf5fc82bbe0b0199c8297bf02e4104
Opcode Fuzzy Hash: 0e1f174936159b30bef607abb00511943bf66f4d62f0ceb91916a96bda1e6e4d
Instruction Fuzzy Hash: 9FE086B56446059FC740EB9AEE8190732D89754310B00043BBA58E73D2E7BC99649B5F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00413D89 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1654686233.0000000000413000.00000040.00000001.01000000.00000008.sdmp, Offset: 00413000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_413000_mbrmqqboi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae5ee0b7847a85fc060d668c91e39ffc59add5f8e7598af4ce23f40306a4ad9
Instruction ID: 73747ab4c403159c09452b58b7bb99affedd2aba8d382fadceb797a8ea54da72
Opcode Fuzzy Hash: 1ae5ee0b7847a85fc060d668c91e39ffc59add5f8e7598af4ce23f40306a4ad9
Instruction Fuzzy Hash: 69F0FCBAA052116BC601D919D6906DB7FD3ABC4B60F46491CF48813640C639F81ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 004098B4 Relevance: 21.3, Strings: 17, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

kernel32.dll, xrefs: 004098C3
CreateToolhelp32Snapshot, xrefs: 004098D8
Process32FirstW, xrefs: 00409968
Process32Next, xrefs: 00409956
Process32NextW, xrefs: 0040997A
Heap32Next, xrefs: 00409920
Thread32Next, xrefs: 0040999E
Heap32First, xrefs: 0040990E
Module32NextW, xrefs: 004099E6
Heap32ListFirst, xrefs: 004098EA
Heap32ListNext, xrefs: 004098FC
Module32FirstW, xrefs: 004099D4
Toolhelp32ReadProcessMemory, xrefs: 00409932
Module32First, xrefs: 004099B0
Module32Next, xrefs: 004099C2
Process32First, xrefs: 00409944
Thread32First, xrefs: 0040998C

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 0-597814768
Opcode ID: cc44ef6fba07264e35a8a74204e93d72ea49b702e8ed37608d3f90d87460ec5d
Instruction ID: 32e3a3875a3605410609fb558c2e104f4610acd9f43f18ede30c37f298ca90a4
Opcode Fuzzy Hash: cc44ef6fba07264e35a8a74204e93d72ea49b702e8ed37608d3f90d87460ec5d
Instruction Fuzzy Hash: 963118B0600A10ABCB10AFB5999AB2737A8EB05310750097AB414FF2E6C67D9801CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 004098AC Relevance: 20.1, Strings: 16, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CreateToolhelp32Snapshot, xrefs: 004098D8
Process32FirstW, xrefs: 00409968
Process32Next, xrefs: 00409956
Process32NextW, xrefs: 0040997A
Heap32Next, xrefs: 00409920
Thread32Next, xrefs: 0040999E
Heap32First, xrefs: 0040990E
Module32NextW, xrefs: 004099E6
Heap32ListFirst, xrefs: 004098EA
Heap32ListNext, xrefs: 004098FC
Module32FirstW, xrefs: 004099D4
Toolhelp32ReadProcessMemory, xrefs: 00409932
Module32First, xrefs: 004099B0
Module32Next, xrefs: 004099C2
Process32First, xrefs: 00409944
Thread32First, xrefs: 0040998C

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory
API String ID: 0-1196749652
Opcode ID: 8fa40aaf15466d2418815703261a8d0845035e9b98c31f4f84cf7211e3d99aa9
Instruction ID: 5d97f3932ed94d2c02ad184d0b95a25d39f434b363a44d15128239ad360056f2
Opcode Fuzzy Hash: 8fa40aaf15466d2418815703261a8d0845035e9b98c31f4f84cf7211e3d99aa9
Instruction Fuzzy Hash: DB311AB0A00A51AFCB10EFB59D99B273BA4EB053147500A7BB454EF2E6C67D9805CF8D

Uniqueness

Uniqueness Score: -1.00%

Function 00408580 Relevance: 7.7, Strings: 6, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

AMPM , xrefs: 004087D9
mmmm d, yyyy, xrefs: 004086B2
:mm, xrefs: 004087E9
:mm:ss, xrefs: 00408806
AMPM, xrefs: 004087CA
m/d/yy, xrefs: 00408685

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 0-2493093252
Opcode ID: 7475f800ed58d34c0f8d59580c8f0e853b1df3fbdabd4e812a55162696020ed9
Instruction ID: 665d9c3758f610642cc40926cd21eaff6adae2593d1eea0fddfd92a5d86eda01
Opcode Fuzzy Hash: 7475f800ed58d34c0f8d59580c8f0e853b1df3fbdabd4e812a55162696020ed9
Instruction Fuzzy Hash: 4A616F31B041489BD700FBA5DD8169E76AA9B88304F50E43FB901BB7C6CA3CD909976D

Uniqueness

Uniqueness Score: -1.00%

Function 0040857E Relevance: 6.4, Strings: 5, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

mmmm d, yyyy, xrefs: 004086B2
:mm, xrefs: 004087E9
:mm:ss, xrefs: 00408806
AMPM, xrefs: 004087CA
m/d/yy, xrefs: 00408685

Memory Dump Source

Source File: 0000000A.00000002.1654210290.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_mbrmqqboi.jbxd

Similarity

API ID:
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 0-665933166
Opcode ID: 688114005dde5bc401cd357312efdba7c5ecee71436ec0aeef0803e71398446f
Instruction ID: aaf271c7bf524b3c3120822437d12d8d60587f600a90f4dde97c621cf19cd574
Opcode Fuzzy Hash: 688114005dde5bc401cd357312efdba7c5ecee71436ec0aeef0803e71398446f
Instruction Fuzzy Hash: 1C616F31B041089BD700FBA5DD81A9E76AA9B88304F50E43FF901BB7C6CA3CD909976D

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\mbrmqqboi.exe

C:\tcls\Client.dll

C:\tcls\Cyber.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Function 00B3E8DE Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 180
filecomwindowCOMMON

Function 00B329F7 Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Function 00B347F4 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 314
libraryfileloaderCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre