Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe
Analysis ID:	1446236
MD5:	98cc7dd8eeeaf079b8e8f650d847525f
SHA1:	2f8bdb79155ce50f7b02209cd28f996fc9e62915
SHA256:	5b9cb6ebd3779665272eb9303004faf88f121cbe8f7e63c00a547e6d9ae13998
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contain functionality to detect virtual machines

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains an invalid checksum

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe (PID: 3076 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe" MD5: 98CC7DD8EEEAF079B8E8F650D847525F)

WerFault.exe (PID: 4456 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 488 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

ReversingLabs: Detection: 68%

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00425784 __ehhandler$?_Swap@?$_Func_class@X$$V@std@@IAEXAAV12@@Z,__EH_prolog3_GS,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	0_2_00425784
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00425835 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CloseHandle,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,ReadFile,CryptHashData,ReadFile,CryptDestroyHash,CryptReleaseContext,CloseHandle,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,	0_2_00425835
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00425B69 __EH_prolog3_GS,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00425B69

Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_00426865 GetLogicalDriveStringsW,lstrlenW,QueryDosDeviceW,GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,

0_2_00426865

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_00436131 __EH_prolog3,HttpOpenRequestW,GetLastError,HttpSendRequestW,GetLastError,InternetCloseHandle,InternetQueryOptionW,HttpQueryInfoA,WaitForSingleObject,HttpQueryInfoW,GetLastError,WriteFile,GetLastError,WaitForSingleObject,InternetReadFile,GetLastError,InternetCloseHandle,

0_2_00436131

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00418031	0_2_00418031
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_004120E0	0_2_004120E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_0043C238	0_2_0043C238
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_004222C3	0_2_004222C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00420301	0_2_00420301
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00444440	0_2_00444440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_0043B409	0_2_0043B409
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00421481	0_2_00421481
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_0043259A	0_2_0043259A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_0040F730	0_2_0040F730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_0042B78D	0_2_0042B78D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00420845	0_2_00420845
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00426865	0_2_00426865
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_0041D86A	0_2_0041D86A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_0042EADB	0_2_0042EADB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_0042CD5C	0_2_0042CD5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00420D89	0_2_00420D89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00415E6E	0_2_00415E6E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00430E1A	0_2_00430E1A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00437E3B	0_2_00437E3B

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: String function: 00401916 appears 96 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: String function: 00410F30 appears 43 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: String function: 004126DD appears 87 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: String function: 00412746 appears 39 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: String function: 00415730 appears 45 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: String function: 004018B3 appears 58 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: String function: 00403C93 appears 48 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 488

Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Binary string: kernel32.dllIsWow64Process\device\mupShell32.dllSHGetKnownFolderPath\Downloads\User Pinned\TaskBar\Microsoft\Internet Explorer\Quick LaunchProgramFilesDirSOFTWARE\Microsoft\Windows\CurrentVersion\cmd.exeComSpec" exit" & if not exist " & for /l %x in (1,1,60) do ping 127.0.0.1 -n 2 -w 500 & del /q /f "" /c taskkill /f /pid 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789abcdef0123456789abcdefhlPxjHRu9UWCOtTORdZ51F7RYWUCWy731OtU3OaRC1xO5rErBozbP4G2hNm67mUHhghf659f453e18e0508fd502a51ca0138091b7e80eSELECT * FROM WQLtruefalse

Source: classification engine

Classification label: mal56.evad.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_00423319 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,

0_2_00423319

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_00438D35 GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW,

0_2_00438D35

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_00426FD8 CreateToolhelp32Snapshot,_memset,Process32FirstW,GetLastError,CloseHandle,OpenProcess,GetProcessTimes,GetProcessImageFileNameW,CharLowerW,CloseHandle,CharLowerW,Process32NextW,GetLastError,CloseHandle,

0_2_00426FD8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_00426181 CoInitializeEx,CoCreateInstance,CoSetProxyBlanket,VariantClear,

0_2_00426181

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3076

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\02a083e5-98b2-45c0-8703-1f8c164790f5

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Command line argument: :tmp		0_2_004351F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Command line argument: .tmp		0_2_004351F9

Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

ReversingLabs: Detection: 68%

Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	String found in binary or memory: /launch_install?error=
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	String found in binary or memory: /launch_install?name=
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	String found in binary or memory: /launch_info
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	String found in binary or memory: /launch_error?text=
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	String found in binary or memory: ,products=closed/close_install?checks2,unchecked=products2=unchecked2=/unchecked_install?products=/unchecked_install?products2=/launch_infoinstaller not founderror opening file installer file #error getting length of installer binary fileerror reading installer binary filereaded 0 bytes from installer binary file:Zone.Identifierwatchstartparent=
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	String found in binary or memory: /launch_error?text=&launch=&?launch=": url error in "torrentwhsciconSTATICIconopenBUTTON
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	String found in binary or memory: $__HASHHASH$__MIXinstall=&hash=/touch_install?name=) (error=&md5=/launch_install?error=can't install success=/launch_install?name=&check=delay time=/delay?time=Wrong PE fileWrong PE signatureNot normal PE formaterror allocating virtual memoryerror creating executable heaperror allocating executable memoryunknown relocationcan't create thread

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 488

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Section loaded: umpdc.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_004230F3 LoadLibraryW,GetProcAddress,

0_2_004230F3

Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Static PE information: real checksum: 0x60c79 should be: 0x60a47

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00415775 push ecx; ret		0_2_00415788
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_004127B5 push ecx; ret		0_2_004127C8

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: vmware qemu qemu

0_2_0043A8D8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: GetCommandLineW,ExitProcess,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,_memset,CreatePipe,WriteFile,WriteFile,WriteFile,GetStdHandle,GetStdHandle,GetStdHandle,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,_memset,GetStdHandle,GetStdHandle,GetStdHandle,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,

0_2_0043545F

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-32588

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

API coverage: 1.9 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_00426865 GetLogicalDriveStringsW,lstrlenW,QueryDosDeviceW,GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,

0_2_00426865

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_00438BF9 __ehhandler$?_Initialize@SchedulerPolicy@Concurrency@@AAEXIPAPAD@Z,__EH_prolog3,GetSystemInfo,CallNtPowerInformation,

0_2_00438BF9

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Binary or memory string: vmware
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Binary or memory string: nsystemFSOSantivirusantispywarefirewallbrowsersvideoregistryregistryFilegetLineisFileisDirisRegistryfileTimeisInstalledmemoryharddiskprocessorisAdminis64bitVMmanufacturerbaseBoarddiskDrivesfileAssocdisplayvirtDisplayNET:.win;sp;suite:;product:AntivirusProductAntiSpywareProductFirewallProducthttpSoftware\Clients\StartMenuInternetSoftware\Clients\StartMenuInternet\\shell\open\command \|nameWin32_VideoControllerROOT\CIMv2\/*\1SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayName\modelvirtualboxvmwareparallelsqemuwinevirtualWin32_ComputerSystemproductWin32_BaseBoardcaptionWin32_DiskDriveopenxSOFTWARE\Microsoft\NET Framework Setup\NDPVersionSOFTWARE\Microsoft\NET Framework Setup\NDP\error getting versionInstallversion not installedSPsp\Full\Clientmap/set<T> too longvector<T> too longinvalid map/set<T> iterator
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_00411360 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00411360

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_004230F3 LoadLibraryW,GetProcAddress,

0_2_004230F3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00428340 mov eax, dword ptr fs:[00000030h]	0_2_00428340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00428340 mov eax, dword ptr fs:[00000030h]	0_2_00428340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00429751 mov eax, dword ptr fs:[00000030h]	0_2_00429751
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00429751 mov eax, dword ptr fs:[00000030h]	0_2_00429751
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00429751 mov eax, dword ptr fs:[00000030h]	0_2_00429751

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_0042C16E __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,SetErrorMode,SetUnhandledExceptionFilter,GetStdHandle,ReadFile,ReadFile,	0_2_0042C16E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00417277 SetUnhandledExceptionFilter,	0_2_00417277
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00411360 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00411360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_0043259A GetTickCount,SetErrorMode,SetUnhandledExceptionFilter,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,CoInitializeEx,CreateEventW,CreateEventW,CreateEventW,CreateEventW,GdiplusStartup,IsUserAnAdmin,GetModuleHandleW,EnumResourceNamesW,GetFileSizeEx,CreateThread,InitCommonControlsEx,GetTickCount,MessageBoxW,WaitForSingleObject,ResetEvent,CreateThread,WaitForSingleObject,CloseHandle,GdiplusShutdown,EnterCriticalSection,EnterCriticalSection,SetEvent,LeaveCriticalSection,CloseHandle,GetCurrentThreadId,CreateThread,EnterCriticalSection,CreateThread,LeaveCriticalSection,GetTickCount,EnterCriticalSection,LeaveCriticalSection,GetTickCount,EnterCriticalSection,CreateThread,LeaveCriticalSection,SetEvent,CloseHandle,CloseHandle,KillTimer,KillTimer,KillTimer,WaitForMultipleObjects,WaitForSingleObject,CloseHandle,GdiplusShutdown,	0_2_0043259A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00429737 SetUnhandledExceptionFilter,ExitProcess,	0_2_00429737
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_004127E7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004127E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	Code function: 0_2_00410F21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00410F21

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_00422F0E cpuid

0_2_00422F0E

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: GetLocaleInfoA,

0_2_00419F6E

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_004177B1 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_004177B1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Code function: 0_2_0043902A __EH_prolog3_GS,_memset,GetVersionExW,

0_2_0043902A

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 Process Injection	1 Access Token Manipulation	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	68%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446236
Start date and time:	2024-05-23 01:30:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 133
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Simulations

Behavior and APIs

Time	Type	Description
19:31:43	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_ec24384a58645712a8216dd34a3884cb9132512_265dce86_e1f415c1-83d4-44dc-a094-cc48ee5b9763\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8728362306142596
Encrypted:	false
SSDEEP:	96:rvUFsM5fKs8huzFXefhQXIDcQvc6QcEVcw3cE/f+HbHgnoW6HeE7snL9tjo2fn2l:r8dRKqt0BU/4jnZrsMqzuiFIZ24IO8u
MD5:	E04350460002F9A95B05460D96F89396
SHA1:	EFDC24F9BA1984EF7E1AB78B147DCBBA9D24A7AC
SHA-256:	6014FD72A4B39B2CBD35B835B6D80D9EFDBEB2790790C3181BD0215F53B039A7
SHA-512:	0C52BBD557F72FD5F9F09EF9C69E57C35C60949D6EBA9E897DD237504EE3D221EEB3980E1038E45F3465D4B2CFEC96E7C5FCFA1A01849769E8B6BB62E405BFF9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.8.9.4.2.9.8.0.5.1.4.8.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.8.9.4.2.9.8.4.1.0.8.5.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.f.4.1.5.c.1.-.8.3.d.4.-.4.4.d.c.-.a.0.9.4.-.c.c.4.8.e.e.5.b.9.7.6.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.b.a.1.3.7.2.-.2.5.f.2.-.4.5.2.1.-.b.5.9.b.-.6.f.6.6.c.9.e.5.8.e.4.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...L.o.a.d.M.o.n.e.y...1.0.8.5...1.0.2.0.5...7.2.7.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.0.4.-.0.0.0.1.-.0.0.1.3.-.9.3.8.1.-.d.a.3.0.a.0.a.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.f.1.5.4.f.a.d.1.e.b.0.c.5.1.8.7.6.4.a.f.d.9.0.8.8.a.1.9.a.a.d.0.0.0.0.f.f.f.f.!.0.0.0.0.2.f.8.b.d.b.7.9.1.5.5.c.e.5.0.f.7.b.0.2.2.0.9.c.d.2.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAC8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 22 23:31:38 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	36800
Entropy (8bit):	2.007609435064957
Encrypted:	false
SSDEEP:	192:EdJrAMbZyB+mKOUOW77zmIwm/ggziWg8MvBFVq1XOqaOZn20:OJrrNMjXSzqMZM5FAOqa+
MD5:	FCDDA76E63952B0929B45B75074B2DC2
SHA1:	17A010C01258CD8C461201C399507A10A31E44DF
SHA-256:	AC9F7845F4CAD79E044D1DEBC0710F36CB272EC276A15E82FF81EE09CF8EFC08
SHA-512:	968293156F8B440C70DA463D77509B1426FB9D4AEBEC0B04B4AC066E2B30ACFE5D0907C1B1DFF5400BACD4F9F4FA283862A76FFC4F5F591D107667951A775735
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......Z.Nf.........................................%..........T.......8...........T........... ....\|..........H...........4...............................................................................eJ..............GenuineIntel............T...........Y.Nf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB46.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8464
Entropy (8bit):	3.7035225480837717
Encrypted:	false
SSDEEP:	192:R6l7wVeJCv6sr6YWfSU9Dfgmfk0SLprw89bDYsfjhm:R6lXJi6sr6YuSU9Dfgmfk0SLDLf4
MD5:	D61319F39A438E354A3D3B4E44B2FC43
SHA1:	F3D7C72BC894FBF23A3766A81A870E797D1C9340
SHA-256:	7E5C6C978A5C2F06332ADDFC919D10B3D49AB4500F3CA1BAAE501654A8307A68
SHA-512:	EADF0DCD9356F9F0B50EA8E5F655211E8E96B50D3E656093AD2B14CD7C5FC82481D7F655AAE18F725AF915F277A8AA4402247C0CEE080D0D846590D93FD6BECE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB95.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4790
Entropy (8bit):	4.561588191050228
Encrypted:	false
SSDEEP:	48:cvIwWl8zsoNJg77aI9mrVWpW8VY+Ym8M4JROA9FTL3P+q82P+5YDY2d:uIjfMI7oI7VSJzkSs2d
MD5:	75011462992D6AE1C8D921FE83EE0E30
SHA1:	0B065C2BD61E529861420FB5E27830B8BE5EBC2D
SHA-256:	937170E934E2A747D096998041DB7D48603822CB19EC350279B62104742F04DA
SHA-512:	A74D0283139C0947ABD3F525C2BBC02A76CFE9835BA1449DCEE160D29997CE8160812342C3623CCC7B15230BE3BB0F2EFA55180DEFDFF4063DD5147AAA2F9B96
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="334954" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.295922598257211
Encrypted:	false
SSDEEP:	6144:441fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+HGmBMZJh1VjF:11/YCW2AoQ0NiBGwMHrVZ
MD5:	65B443CF0677BB4FB47CC774C0322A74
SHA1:	A2F1A9D4DBE1BA80F19AFA2D16347410DCA54851
SHA-256:	723F052BED1ED0A8AA5A2AC120525470314FA59192EFAC70F64D3241098CCFEF
SHA-512:	EBA5A064A11816BDF26994CA63E26D2C240D395E0907BAF0A56F5155642E4A0F4579B0DB4FFC28BC0DDDA8FA39114FDDC90215E3BBA27DB1FBC19AE4AEE024A8
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.Q.1............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.425136010677569
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe
File size:	386'048 bytes
MD5:	98cc7dd8eeeaf079b8e8f650d847525f
SHA1:	2f8bdb79155ce50f7b02209cd28f996fc9e62915
SHA256:	5b9cb6ebd3779665272eb9303004faf88f121cbe8f7e63c00a547e6d9ae13998
SHA512:	24de92368cf508ac40db171f891075c67a90d71fa9febefc8cce4218c4d248870dcca240347e7bfc39b66a52477c3b0b9b9cd0fe478fafd226ce092147b2a92f
SSDEEP:	6144:4i4TBXZh3Am19Lk/8LS35qQkOLwfFGIMcPayeMlTDIeuhDF28VBUJpEzubg66:4isBXZh3Amr4/8YN9Lw4izIeuhDF28Vh
TLSH:	2D849E12B745F032C4130171BA19A3B6823DB9716B398187B3D85F6EEEF16D27939B42
File Content Preview:	MZ......................@...`r...................r......................!..L.!This program cannot be run in DOS mode....$.........L..u"..u"..u"......u"......u".....lu"...O..u"...Y..u"..u#..t"......u"......u"......u".Rich.u"...?.....PE..L...X..V...........

File Icon


Icon Hash:	03e1565848481a3e

Static PE Info

General

Entrypoint:	0x411b23
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x561CF058 [Tue Oct 13 11:51:52 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	8765057780dde950993dc56a99702829

Entrypoint Preview

Instruction
call 00007F4EF491F9CEh
jmp 00007F4EF4919BBEh
int3
int3
int3
cmp dword ptr [00458030h], 00000000h
je 00007F4EF491FA64h
sub esp, 08h
stmxcsr dword ptr [esp+04h]
mov eax, dword ptr [esp+04h]
and eax, 00001F80h
cmp eax, 00001F80h
jne 00007F4EF4919D51h
fstcw word ptr [esp]
mov ax, word ptr [esp]
and ax, 007Fh
cmp ax, 007Fh
lea esp, dword ptr [esp+08h]
jne 00007F4EF491FA33h
jmp 00007F4EF4919D42h
movq xmm0, qword ptr [esp+04h]
movapd xmm2, dqword ptr [004447C0h]
movapd xmm3, xmm0
movapd xmm1, xmm0
movapd xmm4, xmm0
movapd xmm6, xmm0
psllq xmm0, 01h
psrlq xmm0, 35h
psrlq xmm3, 34h
andpd xmm4, dqword ptr [004447D0h]
movd eax, xmm0
psubd xmm2, xmm0
mov ecx, dword ptr [esp+0Ch]
psrlq xmm1, xmm2
psllq xmm1, xmm2
movd edx, xmm3
cmp eax, 000003FFh
jl 00007F4EF4919D60h
cmp eax, 00000432h
jnle 00007F4EF4919D62h
movq qword ptr [ecx], xmm1
subsd xmm6, xmm1
orpd xmm6, xmm4
movq qword ptr [esp+04h], xmm6
fld qword ptr [esp+04h]
ret
movq qword ptr [ecx], xmm4
fld qword ptr [esp+04h]

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x52e64	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x4028	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f000	0x0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x44000	0x43c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4252b	0x42600	157e0f1d68cb70fce7efeadfb4906c21	False	0.530404013653484	data	6.582694661440288	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x44000	0x10660	0x10800	6f4e83ef0b02b76a70997b70cc098204	False	0.3940133759469697	data	4.903645653152718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x55000	0x4188	0x1c00	8b998369db83f67882398c0e74ebd57e	False	0.3588169642857143	data	3.767074441607386	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5a000	0x4028	0x4200	e4296c6bc6d208dca5934d7351c48b2d	False	0.5220170454545454	data	5.7759752035222185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5f000	0x5320	0x5400	85d3b064f6d049f7daa79e59a7dffe81	False	0.5010230654761905	data	5.313122944050481	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5a148	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Russian	Russia	0.5283195020746888
RT_ICON	0x5c6f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Russian	Russia	0.6083489681050657
RT_ICON	0x5d798	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Russian	Russia	0.42021276595744683
RT_GROUP_ICON	0x5dc00	0x30	data	Russian	Russia	0.8541666666666666
RT_MANIFEST	0x5dc30	0x3f7	ASCII text, with very long lines (1015), with no line terminators	English	United States	0.4896551724137931

Imports

DLL	Import
KERNEL32.dll	CreatePipe, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, VirtualAlloc, HeapCreate, LoadLibraryA, GetProcAddress, HeapAlloc, ExitThread, LocalFree, lstrlenW, GetTempPathW, LoadLibraryW, GetCurrentProcess, QueryDosDeviceW, GetFullPathNameW, GetLongPathNameW, GetModuleFileNameW, GetEnvironmentVariableW, GetCurrentProcessId, MoveFileExW, ExpandEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetFileAttributesW, GetVersion, CreateSemaphoreW, ReleaseSemaphore, GetFileInformationByHandle, CopyFileW, DeleteFileW, IsBadWritePtr, CreateFileW, SetFilePointer, CreateToolhelp32Snapshot, Process32FirstW, OpenProcess, GetProcessTimes, Process32NextW, GetCommandLineW, GetExitCodeThread, InterlockedExchange, DeleteCriticalSection, GetFileSizeEx, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetProcessHeap, SetEndOfFile, FlushFileBuffers, GetConsoleMode, GetConsoleCP, SetStdHandle, InitializeCriticalSectionAndSpinCount, GetModuleHandleA, GetStringTypeW, GetStringTypeA, GetLocaleInfoA, IsValidCodePage, GetOEMCP, GetACP, QueryPerformanceCounter, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoA, GetFileType, SetHandleCount, GetModuleFileNameA, HeapReAlloc, VirtualFree, GetFileSize, ReadFile, GetStdHandle, ExitProcess, WaitForMultipleObjects, GetCurrentThreadId, LeaveCriticalSection, SetEvent, EnterCriticalSection, ResetEvent, SetProcessShutdownParameters, CreateThread, HeapSize, SetLastError, TlsFree, TlsSetValue, TerminateProcess, TlsAlloc, TlsGetValue, GetCPInfo, LCMapStringW, LCMapStringA, RtlUnwind, RaiseException, GetStartupInfoW, HeapFree, IsDebuggerPresent, UnhandledExceptionFilter, GetModuleHandleW, EnumResourceNamesW, InitializeCriticalSection, CreateEventW, SetUnhandledExceptionFilter, SetErrorMode, GetTickCount, CreateProcessW, SetFileAttributesW, WriteFile, WaitForSingleObject, Sleep, GetLastError, GetSystemInfo, GetDiskFreeSpaceExW, GetDriveTypeW, GetLogicalDriveStringsW, GlobalMemoryStatusEx, GetSystemTimeAsFileTime, CloseHandle, GetFileTime, GetVersionExW, GetVolumeInformationW, GetVolumePathNameW, GetSystemDirectoryW, CreateFileA, InterlockedDecrement, InterlockedIncrement
USER32.dll	DrawIconEx, GetSysColorBrush, EndPaint, RedrawWindow, LoadImageW, BeginPaint, GetSysColor, SetTimer, EnableWindow, GetForegroundWindow, ShowWindow, DestroyWindow, FlashWindow, AttachThreadInput, SetCursor, CharLowerW, PostMessageW, GetCursorPos, KillTimer, MessageBoxW, LoadCursorW, GetSystemMetrics, ReleaseDC, GetDC, SetRect, SetFocus, DefWindowProcW, LoadStringW, SendMessageW, RegisterClassExW, CreateWindowExW, GetMessageW, DispatchMessageW, AdjustWindowRectEx, SetParent, IsDialogMessageW, TranslateMessage, SetWindowTextW, SetWindowPos, PostQuitMessage, SetWindowLongW, GetWindowLongW
GDI32.dll	SetDIBitsToDevice, StretchBlt, BitBlt, CreateFontIndirectW, GetStockObject, GetObjectW, SelectObject, CreateBitmap, CreateCompatibleDC, GetDeviceCaps, StretchDIBits
gdiplus.dll	GdipDeleteGraphics, GdipDeleteBrush, GdipDrawImageRectI, GdipFillRectangleI, GdipCreateSolidFill, GdipCreateFromHDC, GdipGetImageWidth, GdipLoadImageFromStream, GdiplusShutdown, GdiplusStartup, GdipDisposeImage, GdipGetImageHeight
SHLWAPI.dll	StrCpyW, AssocQueryStringW, PathCreateFromUrlW
COMCTL32.dll	InitCommonControlsEx
COMDLG32.dll	GetSaveFileNameW
ADVAPI32.dll	GetNamedSecurityInfoW, SetNamedSecurityInfoW, AdjustTokenPrivileges, LookupPrivilegeValueW, CopySid, GetLengthSid, GetTokenInformation, OpenProcessToken, RegEnumKeyExW, RegQueryInfoKeyW, RegSetValueExW, RegCreateKeyExW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, CryptGenRandom, CryptGetHashParam, CryptDestroyHash, CryptHashData, CryptReleaseContext, CryptCreateHash, CryptAcquireContextW, EqualSid
SHELL32.dll	ShellExecuteW, SHOpenFolderAndSelectItems, SHGetFolderPathW
ole32.dll	OleSetContainedObject, OleCreate, CoSetProxyBlanket, CoTaskMemFree, GetHGlobalFromStream, CreateStreamOnHGlobal, CoUninitialize, CoCreateInstance, CoInitializeEx, OleLockRunning
OLEAUT32.dll	VariantClear, VariantInit, SysFreeString, SysAllocString
WININET.dll	HttpOpenRequestW, HttpSendRequestW, InternetQueryOptionW, InternetCloseHandle, HttpQueryInfoW, InternetReadFile, InternetConnectW, InternetSetOptionW, InternetOpenW, HttpQueryInfoA
POWRPROF.dll	CallNtPowerInformation
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
PSAPI.DLL	GetProcessImageFileNameW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Target ID:	0
Start time:	19:31:37
Start date:	22/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe"
Imagebase:	0x400000
File size:	386'048 bytes
MD5 hash:	98CC7DD8EEEAF079B8E8F650D847525F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:31:37
Start date:	22/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 488
Imagebase:	0x520000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1%
Total number of Nodes:	205
Total number of Limit Nodes:	7

Executed Functions

Function 0041978C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00419798

Part of subcall function 0041507C: __getptd_noexit.LIBCMT ref: 0041507F
Part of subcall function 0041507C: __amsg_exit.LIBCMT ref: 0041508C

__amsg_exit.LIBCMT ref: 004197B8
__lock.LIBCMT ref: 004197C8
InterlockedDecrement.KERNEL32(?), ref: 004197E5
KiUserExceptionDispatcher.NTDLL(00C53EA0), ref: 00419810

Strings

`LwLw, xrefs: 004197E5
hYE, xrefs: 004197EF

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __amsg_exit$DecrementDispatcherExceptionInterlockedUser__getptd__getptd_noexit__lock
String ID: `LwLw$hYE
API String ID: 1607223099-1868819802
Opcode ID: 070528f0bb00ac138bdd5e0bf12ef970a7a33f49a1080944dea97c492fadb815
Instruction ID: 1fd2ef9fae20f7455bb009a0fd053acc4008355b4f0f2574046f944a93da9631
Opcode Fuzzy Hash: 070528f0bb00ac138bdd5e0bf12ef970a7a33f49a1080944dea97c492fadb815
Instruction Fuzzy Hash: 68013C32A11A11EBC611AF66A9957DA7760AF44B19F04401BE824A7291C73CACC1CADD

Function 00415791 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 004157A6

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 18ee4cbd4ec4915e17edf4517360bf1b6c3302f9700e1cd6665801720500a669
Instruction ID: 1ef63584ce5b18d6f33dc74bce39440e9b2c3b7ff28c8d1f1153e24744ebc019
Opcode Fuzzy Hash: 18ee4cbd4ec4915e17edf4517360bf1b6c3302f9700e1cd6665801720500a669
Instruction Fuzzy Hash: 28D05E365547849EDB105FB17C097633BDC93847A6F144436B91CC6290EA74C5908A08

Function 00419C2C Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__setmbcp.LIBCMT ref: 00419C36

Part of subcall function 00419A91: __getptd.LIBCMT ref: 00419AA1
Part of subcall function 00419A91: getSystemCP.LIBCMT ref: 00419AB6
Part of subcall function 00419A91: __malloc_crt.LIBCMT ref: 00419ACC
Part of subcall function 00419A91: __setmbcp_nolock.LIBCMT ref: 00419AEF
Part of subcall function 00419A91: InterlockedDecrement.KERNEL32(?), ref: 00419B07
Part of subcall function 00419A91: InterlockedIncrement.KERNEL32(00000000), ref: 00419B2C
Part of subcall function 00419A91: __lock.LIBCMT ref: 00419B47
Part of subcall function 00419A91: InterlockedDecrement.KERNEL32 ref: 00419BBE
Part of subcall function 00419A91: InterlockedIncrement.KERNEL32(00000000), ref: 00419BE2

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$System__getptd__lock__malloc_crt__setmbcp__setmbcp_nolock
String ID:
API String ID: 3661747109-0
Opcode ID: a4aa430a0ea485177669a63add735206edd6a790e3d81403519a5e546d19d03f
Instruction ID: 521b89c1af4047e1179b04207361814fa638b9e91ec7f8fdec4065d112188c48
Opcode Fuzzy Hash: a4aa430a0ea485177669a63add735206edd6a790e3d81403519a5e546d19d03f
Instruction Fuzzy Hash: F4C09B711186414DC7049B666C5574B36505702325F20465EF490D04D7DE68998DD74D

Non-executed Functions

Function 0043259A Relevance: 212.9, APIs: 48, Strings: 72, Instructions: 2861threadCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004325E0
SetErrorMode.KERNEL32(00008003), ref: 004325EF
SetUnhandledExceptionFilter.KERNEL32(0042AFAE), ref: 004325FA

Part of subcall function 0042560F: EnterCriticalSection.KERNEL32(00457AA4), ref: 0042561F
Part of subcall function 0042560F: LeaveCriticalSection.KERNEL32(00457AA4,?), ref: 00425689
Part of subcall function 0042560F: ReleaseSemaphore.KERNEL32(00000001,00000000), ref: 00425699

Part of subcall function 0040173A: char_traits.LIBCPMT ref: 0040175F

InitializeCriticalSection.KERNEL32(00457A68,00000001,00000000), ref: 0043264A
InitializeCriticalSection.KERNEL32(00457A84), ref: 00432651
CoInitializeEx.OLE32(00000000,00000004), ref: 00432656
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00432666
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00432671
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0043267C

Part of subcall function 00425CFC: SetProcessShutdownParameters.KERNEL32(?,00000001), ref: 00425D06
Part of subcall function 00425CFC: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00425D19
Part of subcall function 00425CFC: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00425D26
Part of subcall function 00425CFC: CreateThread.KERNEL32(00000000,00000000,004254D1,00000000,00000000,00000000), ref: 00425D47

Part of subcall function 00422595: GetStockObject.GDI32(00000011), ref: 004225A7
Part of subcall function 00422595: GetObjectW.GDI32(00000000), ref: 004225AE
Part of subcall function 00422595: CreateFontIndirectW.GDI32(00457AD8), ref: 004225BB
Part of subcall function 00422595: CreateFontIndirectW.GDI32(00000000), ref: 004225E3
Part of subcall function 00422595: GetDC.USER32(00000000), ref: 004225F3
Part of subcall function 00422595: GetDeviceCaps.GDI32(00000000,00000058), ref: 00422604
Part of subcall function 00422595: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042260C
Part of subcall function 00422595: ReleaseDC.USER32(00000000,00000000), ref: 00422630

GdiplusStartup.GDIPLUS(00457A80,?,00000000), ref: 004326C5

Part of subcall function 0043902A: __EH_prolog3_GS.LIBCMT ref: 00439034
Part of subcall function 0043902A: _memset.LIBCMT ref: 00439058
Part of subcall function 0043902A: GetVersionExW.KERNEL32(?,00457A80,?,00000000), ref: 0043906D

Part of subcall function 004256CE: __EH_prolog3_GS.LIBCMT ref: 004256D5
Part of subcall function 004256CE: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000003,00000007,00000000,00000000,00000000,00000000,00000030,0043661A,?,00000000,00000048,00436944,?,?), ref: 0042570A

Part of subcall function 0040450F: __EH_prolog3.LIBCMT ref: 00404516

Part of subcall function 0043CC15: __EH_prolog3.LIBCMT ref: 0043CC1C

Part of subcall function 004256CE: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000007,?,?,00000000,00000000), ref: 0042574A

Part of subcall function 0043CBD5: __EH_prolog3.LIBCMT ref: 0043CBDC

Part of subcall function 0043CB95: __EH_prolog3.LIBCMT ref: 0043CB9C

Part of subcall function 00438FD4: _memset.LIBCMT ref: 00438FE9
Part of subcall function 00438FD4: GlobalMemoryStatusEx.KERNEL32(?,?,?,?), ref: 00438FF8

Part of subcall function 00438D35: GetLogicalDriveStringsW.KERNEL32(00001000,?,39FCDDF2,00000001,?,00000000,?,?,0043DCFB,000000FF,?,00432B00,?,?,00000001,00000000), ref: 00438D94

Part of subcall function 00438B75: __EH_prolog3.LIBCMT ref: 00438B7C
Part of subcall function 00438B75: GetSystemMetrics.USER32(00000001), ref: 00438B8E
Part of subcall function 00438B75: GetSystemMetrics.USER32(00000000), ref: 00438B9F

Part of subcall function 00438AF3: __EH_prolog3.LIBCMT ref: 00438AFA
Part of subcall function 00438AF3: GetSystemMetrics.USER32(0000004F), ref: 00438B0C
Part of subcall function 00438AF3: GetSystemMetrics.USER32(0000004E), ref: 00438B1D

Part of subcall function 00422E9E: GetSystemDirectoryW.KERNEL32(00000000,00002002), ref: 00422ECC
Part of subcall function 00422E9E: GetVolumePathNameW.KERNEL32(00000000,00000000,00000100), ref: 00422EDD
Part of subcall function 00422E9E: GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00422EF2

Part of subcall function 00424C75: __EH_prolog3.LIBCMT ref: 00424C7C

IsUserAnAdmin.SHELL32 ref: 00433016

Part of subcall function 00439409: __EH_prolog3_GS.LIBCMT ref: 00439413

Part of subcall function 00439612: __EH_prolog3_catch_GS.LIBCMT ref: 0043961C

Part of subcall function 00428340: __EH_prolog3_GS.LIBCMT ref: 00428347

GetModuleHandleW.KERNEL32(00000000,0000000E,Function_00029A7D,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000), ref: 0043333B
EnumResourceNamesW.KERNEL32(00000000), ref: 00433342

Part of subcall function 00428340: IsBadWritePtr.KERNEL32(?,?,00000040,00433331,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000), ref: 00428393

Part of subcall function 004293A0: __EH_prolog3_catch.LIBCMT ref: 004293AA

Part of subcall function 00410FD3: _malloc.LIBCMT ref: 00410FED

Part of subcall function 00435F29: __EH_prolog3.LIBCMT ref: 00435F30

Part of subcall function 0042AEF9: __EH_prolog3.LIBCMT ref: 0042AF00
Part of subcall function 0042AEF9: MessageBoxW.USER32(00000000,00449E60,00449A58,00000010), ref: 0042AF17
Part of subcall function 0042AEF9: ExitProcess.KERNEL32 ref: 0042AF38

Part of subcall function 00436036: __EH_prolog3.LIBCMT ref: 0043603D

Part of subcall function 0043599A: __EH_prolog3.LIBCMT ref: 004359A1

Part of subcall function 0040455A: __EH_prolog3.LIBCMT ref: 00404561

Part of subcall function 00425B69: __EH_prolog3_GS.LIBCMT ref: 00425B70
Part of subcall function 00425B69: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000040,00426693,?,?,?,?,00000001,00000000,00000001,00000000,00000001), ref: 00425B91
Part of subcall function 00425B69: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000008), ref: 00425BA1

Part of subcall function 004358F2: __EH_prolog3.LIBCMT ref: 004358F9

GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00000001,00000000,?,004569E0,000000FF,?,?,?,?,004569C4,000000FF), ref: 00433E5C
CreateThread.KERNEL32(00000000,00000000,Function_0002A8B7,00000000,00000000,00000000), ref: 00433FEA
InitCommonControlsEx.COMCTL32(?), ref: 0043400C
GetTickCount.KERNEL32 ref: 00434012

Part of subcall function 00403C02: __EH_prolog3.LIBCMT ref: 00403C09

Part of subcall function 00403C48: __EH_prolog3.LIBCMT ref: 00403C4F

Part of subcall function 00437503: __EH_prolog3_GS.LIBCMT ref: 0043750A

Part of subcall function 00437176: __EH_prolog3_GS.LIBCMT ref: 00437180

Strings

S, xrefs: 004345A4
o, xrefs: 004338C2
launch=, xrefs: 00433F9A
baseBoard=, xrefs: 00432C79
fakefile, xrefs: 00433C2B
products2=, xrefs: 00434C1E
magnet=, xrefs: 0043321C
unchecked2=, xrefs: 00435063
PjE, xrefs: 0043350A
S, xrefs: 00433FD3
antivirus=, xrefs: 004327BE
rar=, xrefs: 004330C2
|, xrefs: 00433B83
firewall=, xrefs: 00432918
size, xrefs: 00433ABA
&name=, xrefs: 0043360E
{, xrefs: 00433B5B
manufacturer=, xrefs: 00432BCC
admin=true, xrefs: 00433027
hzE, xrefs: 004345F9
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, xrefs: 00432EE2
post root is not object, xrefs: 00434242
os=, xrefs: 00432711
magnet:, xrefs: 00433CBD
antispyware=, xrefs: 0043286B
/unchecked_install?products=, xrefs: 0043512F
admin=false, xrefs: 0043303E
unchecked=, xrefs: 00434A4B
name, xrefs: 00433B4F
&delay=, xrefs: 0043405C
&rnd=, xrefs: 00433642
965e49065f683f77, xrefs: 004333C4
file.exe, xrefs: 00433B36
ETag, xrefs: 00433725
checks, xrefs: 00433EBB, 00433ED2, 00433EE9
torrent=, xrefs: 0043316F
<, xrefs: 0043492E
virtDisplay=, xrefs: 00432E80
hash=, xrefs: 00433831
checks2, xrefs: 00434621, 00434638
can't get form data: , xrefs: 00434157
disks=, xrefs: 00432D26
can't parse get json, xrefs: 004339DB
net=, xrefs: 004332C9
}, xrefs: 00433BA6
0x004000e0, xrefs: 004334FA
/close_install?, xrefs: 0043456A
doM0b9lsEfwTznkEcOLYrFjZ5rhX2bhk, xrefs: 00433785
products=, xrefs: 004344AF
memory=, xrefs: 00432A6E
can't get info: , xrefs: 00433712
started, xrefs: 00432600
empty download url, xrefs: 00433AB0
guid=, xrefs: 004338BC
file://, xrefs: 00433D76
bigben, xrefs: 0043424C, 00434251, 0043429F
.torrent, xrefs: 00433124
get root is not object, xrefs: 004339FD
067c98449203f5d6, xrefs: 004333D5
d, xrefs: 00433703
/unchecked_install?products2=, xrefs: 00435161
harddisk=, xrefs: 00432B1F
can't parse post json, xrefs: 00434225
magnet, xrefs: 004331D1
bios=, xrefs: 00432F2D
closed, xrefs: 00434523, 004351AB
video=, xrefs: 004329C5
.rar, xrefs: 00433077
hddId=, xrefs: 00432FC2
<, xrefs: 00434F5B
url, xrefs: 00433A15
display=, xrefs: 00432DD3

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3$Create$H_prolog3_$EventSystem$CriticalMetricsSection$Initialize$AcquireByteCapsCharContextCountCryptDeviceFontIndirectMultiObjectProcessReleaseThreadTickVolumeWide_memset$AdminCommonControlsDirectoryDriveEnterEnumErrorExceptionExitFileFilterGdiplusGlobalH_prolog3_catchH_prolog3_catch_HandleInformationInitLeaveLogicalMemoryMessageModeModuleNameNamesParametersPathResourceSemaphoreShutdownSizeStartupStatusStockStringsUnhandledUserVersionWrite_mallocchar_traits
String ID: &delay=$&name=$&rnd=$.rar$.torrent$/close_install?$/unchecked_install?products2=$/unchecked_install?products=$067c98449203f5d6$0x004000e0$965e49065f683f77$<$<$ETag$HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion$PjE$S$S$admin=false$admin=true$antispyware=$antivirus=$baseBoard=$bigben$bios=$can't get form data: $can't get info: $can't parse get json$can't parse post json$checks$checks2$closed$d$disks=$display=$doM0b9lsEfwTznkEcOLYrFjZ5rhX2bhk$empty download url$fakefile$file.exe$file://$firewall=$get root is not object$guid=$harddisk=$hash=$hddId=$hzE$launch=$magnet$magnet:$magnet=$manufacturer=$memory=$name$net=$o$os=$post root is not object$products2=$products=$rar=$size$started$torrent=$unchecked2=$unchecked=$url$video=$virtDisplay=${$|$}
API String ID: 788250337-3935101873
Opcode ID: b527f6bf8120e83f0c9e35170ac207e4d7c65023489d219aab84df2421689fc9
Instruction ID: fd7b76a300167cbd82dc9d77ba2edb4830557efdf7ce028bbec8e0864ac944ce
Opcode Fuzzy Hash: b527f6bf8120e83f0c9e35170ac207e4d7c65023489d219aab84df2421689fc9
Instruction Fuzzy Hash: 6D33A3715083819ED320EB25DC46BDF77E8AF95358F00063EB599A32E2DA785904CB6B

Function 0042EADB Relevance: 86.3, APIs: 15, Strings: 33, Instructions: 2324
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0042EAE5
EnterCriticalSection.KERNEL32(00457A68,000003BC,0043432B), ref: 0042EB2F

Part of subcall function 00422821: GetSystemMetrics.USER32(00000000), ref: 00422823

Part of subcall function 00422811: GetSystemMetrics.USER32(00000001), ref: 00422813

Part of subcall function 0042C35F: __EH_prolog3.LIBCMT ref: 0042C366

Part of subcall function 0040173A: char_traits.LIBCPMT ref: 0040175F

Part of subcall function 00410FD3: _malloc.LIBCMT ref: 00410FED

Part of subcall function 00422B99: __EH_prolog3.LIBCMT ref: 00422BA0

Part of subcall function 0042B2FB: __EH_prolog3.LIBCMT ref: 0042B302

GetModuleHandleW.KERNEL32(00000000,00000001,00000000,?,?,Icon,?,STATIC,00000001,00000000,00000000,?,000000FF), ref: 0042EE55
LoadImageW.USER32(00000000,?,?,Icon,?,STATIC), ref: 0042EE5C
SetFocus.USER32(?,?,?,00449F54,?,BUTTON,00000001,00000000,?,?,open,?,?,Icon,?,STATIC), ref: 0042EF67
SetFocus.USER32(?,?,?,00449F70,?,0044668C,00000001,00000000,?,?,download,?,?,00449F54,?,BUTTON), ref: 0042F057

Part of subcall function 0042B2FB: CreateThread.KERNEL32(00000000,00000000,0042A64E,00000000,00000000,00000000), ref: 0042B642
Part of subcall function 0042B2FB: CloseHandle.KERNEL32(00000000), ref: 0042B649

Part of subcall function 00410FD3: std::bad_alloc::bad_alloc.LIBCMT ref: 00411010
Part of subcall function 00410FD3: std::bad_exception::bad_exception.LIBCMT ref: 00411024
Part of subcall function 00410FD3: __CxxThrowException@8.LIBCMT ref: 00411032

_memset.LIBCMT ref: 0042F830
GetSysColor.USER32(0000000F), ref: 0042F877
SendMessageW.USER32(0000002F,000000F1,00000001,00000000), ref: 0042FB75
SendMessageW.USER32(00000030,000000F1,00000001,00000000), ref: 0042FCD3
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0043014D

Part of subcall function 00404C4D: __EH_prolog3.LIBCMT ref: 00404C54

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,000000FF,00000001,00000000,00000001,000000FF,00000001,00000000,?), ref: 004308EC
EnterCriticalSection.KERNEL32(00457A84,?,?), ref: 00430D6C
LeaveCriticalSection.KERNEL32(00457A84,?,?), ref: 00430D84
LeaveCriticalSection.KERNEL32(00457A68,00000001,00000000,checks,00000001,00000000,00000000,00456970,000000FF,00000001,00000000,00456954,000000FF), ref: 00430DE9

Strings

checks, xrefs: 0042FF9D
nostd, xrefs: 0042F512
banner_height, xrefs: 0042FF5C
command, xrefs: 00430C28
clink, xrefs: 004307E0
normal, xrefs: 0042F99E
{, xrefs: 0042F4AE
filesize, xrefs: 0042F32A
9fe8oiOEygu, xrefs: 0043021D
type, xrefs: 00430B98
open, xrefs: 0042EE79
noshield, xrefs: 0042F749
icon, xrefs: 0042ED63
Icon, xrefs: 0042EDE0
banner_click, xrefs: 0042FEF0
cancel, xrefs: 0042F148
BUTTON, xrefs: 0042EED6, 0042F0BA, 0042F1A5, 0042FAAB, 0042FC05, 004300C9
.exe, xrefs: 00430767
elements, xrefs: 0042FD28
/, xrefs: 00430A4A
$|E, xrefs: 0042FB4C
filename, xrefs: 0042F239
save, xrefs: 0042F05D
expand, xrefs: 0042F8D5, 0042F9FC
filehost, xrefs: 0042F41D
download, xrefs: 0042EF6D
^, xrefs: 0042F4B8
name, xrefs: 00430B06
Shield, xrefs: 0042F81D
V, xrefs: 0042F1BC
=, xrefs: 00430DA7
banner_url, xrefs: 0042FE76
STATIC, xrefs: 0042EDC5, 0042F296, 0042F387, 0042F47F, 0042F5AA, 0042F601, 0042F64D, 0042F6B7, 0042F703, 0042F7E3, 0042FDBE

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalH_prolog3Section$MessageSend$CreateEnterFocusHandleLeaveMetricsSystem$CloseColorEventException@8H_prolog3_ImageLoadModuleThreadThrow_malloc_memsetchar_traitsstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: $|E$.exe$/$9fe8oiOEygu$=$BUTTON$Icon$STATIC$Shield$V$^$banner_click$banner_height$banner_url$cancel$checks$clink$command$download$elements$expand$filehost$filename$filesize$icon$name$normal$noshield$nostd$open$save$type${
API String ID: 3243703554-213567703
Opcode ID: 2b6c6b837279c7987b4734d3e22cdc00cf3baadbf0bfeeb0ed2795609564aac8
Instruction ID: c3ed4073191fa4c7b7d5c4cef43e427c415c7e4c54833df8752c744cc65efb42
Opcode Fuzzy Hash: 2b6c6b837279c7987b4734d3e22cdc00cf3baadbf0bfeeb0ed2795609564aac8
Instruction Fuzzy Hash: 3E239671D00268AADB11EBA1DD85BCEB778AF14308F4041EAE509B31D2DB785F48CF69

Function 0042CD5C Relevance: 63.3, APIs: 14, Strings: 21, Instructions: 2013windowtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042CD66

Part of subcall function 00422821: GetSystemMetrics.USER32(00000000), ref: 00422823

Part of subcall function 00422811: GetSystemMetrics.USER32(00000001), ref: 00422813

Part of subcall function 00410FD3: _malloc.LIBCMT ref: 00410FED

Part of subcall function 00422B99: __EH_prolog3.LIBCMT ref: 00422BA0

Part of subcall function 00428340: __EH_prolog3_GS.LIBCMT ref: 00428347

Part of subcall function 00410FD3: std::bad_alloc::bad_alloc.LIBCMT ref: 00411010
Part of subcall function 00410FD3: std::bad_exception::bad_exception.LIBCMT ref: 00411024
Part of subcall function 00410FD3: __CxxThrowException@8.LIBCMT ref: 00411032

PostMessageW.USER32(00000000,00000401,00000000,10000000), ref: 0042D012
_malloc.LIBCMT ref: 0042D07B
_memset.LIBCMT ref: 0042D08C
GetSysColor.USER32(0000000F), ref: 0042D0C3
_memset.LIBCMT ref: 0042D103
SetTimer.USER32(00000001,0000008C,00429B44), ref: 0042D19F
EnableWindow.USER32(00000000), ref: 0042D65D

Part of subcall function 0040173A: char_traits.LIBCPMT ref: 0040175F

SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0042DAAF
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0042D950

Part of subcall function 0042B2FB: __EH_prolog3.LIBCMT ref: 0042B302

SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0042DE13

Part of subcall function 00404C4D: __EH_prolog3.LIBCMT ref: 00404C54

Part of subcall function 0042C35F: __EH_prolog3.LIBCMT ref: 0042C366

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000001,00000000,00000000,?,000000FF,00000001,00000000,?,000000FF,00000001,00000000,?), ref: 0042E5B2
EnterCriticalSection.KERNEL32(00457A84), ref: 0042EA2F
LeaveCriticalSection.KERNEL32(00457A84), ref: 0042EA47

Strings

elements2, xrefs: 0042DB04
checks2, xrefs: 0042CDF8
command, xrefs: 0042E8EE
T|E, xrefs: 0042D92D
clink, xrefs: 0042E4AC
expand, xrefs: 0042D7D7
normal, xrefs: 0042D77A
8jE, xrefs: 0042D4F8
9fe8oiOEygu, xrefs: 0042DEEC
type, xrefs: 0042E85E
rhE, xrefs: 0042D10B
name, xrefs: 0042E7CC
expand2, xrefs: 0042D6B0
/, xrefs: 0042E710
RiE, xrefs: 0042D16D
<|E, xrefs: 0042DA8C
(, xrefs: 0042EA6A
BUTTON, xrefs: 0042D1C2, 0042D22A, 0042D28D, 0042D3FD, 0042D885, 0042D9E0, 0042DD81
STATIC, xrefs: 0042D030, 0042D2F0, 0042D34C, 0042D3A6, 0042D46A, 0042D4BE, 0042D528, 0042D575, 0042D5C0, 0042DB9A, 0042DC6E
msctls_progress32, xrefs: 0042CFC5
.exe, xrefs: 0042E433

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3Message$Send$CriticalH_prolog3_MetricsSectionSystem_malloc_memset$ColorCreateEnableEnterEventException@8LeavePostThrowTimerWindowchar_traitsstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: ($.exe$/$8jE$9fe8oiOEygu$<|E$BUTTON$RiE$STATIC$T|E$checks2$clink$command$elements2$expand$expand2$msctls_progress32$name$normal$rhE$type
API String ID: 1119828951-3016321018
Opcode ID: e4003c8650c3e4869035d6131b8139dc70eef8652eb74b7869ae5205343fbd30
Instruction ID: 15ab7fcb8a76c4cc8dfe6c7e44d1dd5f53b6a71a9f0d7bc010a207aaa12cd909
Opcode Fuzzy Hash: e4003c8650c3e4869035d6131b8139dc70eef8652eb74b7869ae5205343fbd30
Instruction Fuzzy Hash: BB03C771D01268AADB10EBA5DD45BDE77B8AF04308F5041EAF508B31D2DBB85F84CB69

Function 00430E1A Relevance: 55.7, APIs: 5, Strings: 26, Instructions: 1459sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00424825: __EH_prolog3_GS.LIBCMT ref: 0042482C

Part of subcall function 00426718: __EH_prolog3.LIBCMT ref: 0042671F

Part of subcall function 00437A86: __EH_prolog3.LIBCMT ref: 00437A8D

Part of subcall function 00422C7E: WaitForSingleObject.KERNEL32(?), ref: 00422C8A

Part of subcall function 00403C93: __EH_prolog3.LIBCMT ref: 00403C9A

Sleep.KERNEL32(000493E0), ref: 00431862

Part of subcall function 0040173A: char_traits.LIBCPMT ref: 0040175F

Part of subcall function 0043599A: __EH_prolog3.LIBCMT ref: 004359A1

Part of subcall function 0040450F: __EH_prolog3.LIBCMT ref: 00404516

Part of subcall function 0042560F: EnterCriticalSection.KERNEL32(00457AA4), ref: 0042561F
Part of subcall function 0042560F: LeaveCriticalSection.KERNEL32(00457AA4,?), ref: 00425689
Part of subcall function 0042560F: ReleaseSemaphore.KERNEL32(00000001,00000000), ref: 00425699

SetEvent.KERNEL32(?), ref: 0043189A
SetEvent.KERNEL32(?), ref: 00432110

Part of subcall function 00435B8E: __EH_prolog3_catch_GS.LIBCMT ref: 00435B98

Strings

$__MIX, xrefs: 00430F44
3, xrefs: 00431C7D
hash=, xrefs: 0043214B
@, xrefs: 004324DC
&launch=, xrefs: 00432415
HASH, xrefs: 00430ED9
/launch_install?error=, xrefs: 00431A7F
O, xrefs: 0043243E
/touch_install?name=, xrefs: 0043176B
can't install , xrefs: 00431C52
=, xrefs: 00431E33
Q, xrefs: 00432523
&name=, xrefs: 00431A95
&check=, xrefs: 004323BD
>, xrefs: 00431E45
P, xrefs: 00432456
/launch_install?name=, xrefs: 00431DC2
&md5=, xrefs: 00431B28, 00431E28
&hash=, xrefs: 00431796, 00431AED, 00431DED
H, xrefs: 004324D1
$__HASH, xrefs: 00430E5F
|, xrefs: 00431F1A
success=, xrefs: 00431CDD
PjE, xrefs: 00432345
install=, xrefs: 004316B9
error=, xrefs: 004318EB

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3$CriticalEventSection$EnterH_prolog3_H_prolog3_catch_LeaveObjectReleaseSemaphoreSingleSleepWaitchar_traits
String ID: $__HASH$$__MIX$&check=$&hash=$&launch=$&md5=$&name=$/launch_install?error=$/launch_install?name=$/touch_install?name=$3$=$>$@$H$HASH$O$P$PjE$Q$can't install $error=$hash=$install=$success=$|
API String ID: 2775165891-2421031922
Opcode ID: c16c660cb9a77eb71632fce79445cda187cdb4e3221daaab9be94b68e24045ce
Instruction ID: 316e6cf5cda1f7ca437387118d8e37e850847ae8e08c333ac08d3d370d8d0f94
Opcode Fuzzy Hash: c16c660cb9a77eb71632fce79445cda187cdb4e3221daaab9be94b68e24045ce
Instruction Fuzzy Hash: E9D2A2714083819FD735EB25C841BDFB7E8AF95308F00092EF599A7291DB786A09CB97

Function 0042B78D Relevance: 51.4, APIs: 19, Strings: 10, Instructions: 682
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0042BB04
StrCpyW.SHLWAPI(00000000,00000000), ref: 0042BB40
GetSaveFileNameW.COMDLG32 ref: 0042BB7D
EnterCriticalSection.KERNEL32(00457A68), ref: 0042BB90

Part of subcall function 00426F06: __EH_prolog3.LIBCMT ref: 00426F0D
Part of subcall function 00426F06: GetTempPathW.KERNEL32(00002000,00000000,0000003C,00427F7B,?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001), ref: 00426F72

Part of subcall function 00403C48: __EH_prolog3.LIBCMT ref: 00403C4F

Part of subcall function 00428420: __EH_prolog3_GS.LIBCMT ref: 0042842A

DestroyWindow.USER32(39FCDDF2), ref: 0042B983

Part of subcall function 00429CC5: EnterCriticalSection.KERNEL32(00457A84,00456A34,0042BD27,004569E0,00000000,00456A34,00000000), ref: 00429CCB
Part of subcall function 00429CC5: SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00429D00
Part of subcall function 00429CC5: LeaveCriticalSection.KERNEL32(00457A84), ref: 00429D35

DestroyWindow.USER32(004569E0,00000000,00456A34,00000000), ref: 0042BD37

Part of subcall function 004244F8: __EH_prolog3_GS.LIBCMT ref: 00424502

PostMessageW.USER32(00000010,00000000,00000000,39FCDDF2), ref: 0042BD61
SetEvent.KERNEL32(39FCDDF2), ref: 0042BD7F
EnterCriticalSection.KERNEL32(00457A84,39FCDDF2), ref: 0042BE34
ShowWindow.USER32(00000000,00000000), ref: 0042BE70
EnterCriticalSection.KERNEL32(00457A84,39FCDDF2), ref: 0042BE97
ShowWindow.USER32(00000000,00000005), ref: 0042BECD
LeaveCriticalSection.KERNEL32(00457A84), ref: 0042BEEA
EnterCriticalSection.KERNEL32(00457A84,39FCDDF2), ref: 0042C00C
ShowWindow.USER32(00000000,00000000), ref: 0042C044
LeaveCriticalSection.KERNEL32(00457A84), ref: 0042C061
EnterCriticalSection.KERNEL32(00457A84,39FCDDF2), ref: 0042C072
ShowWindow.USER32(00000000,00000005), ref: 0042C0AA
LeaveCriticalSection.KERNEL32(00457A84), ref: 0042C0C7

Strings

<|E, xrefs: 0042BDCF
$|E, xrefs: 0042C0E1
<|E, xrefs: 0042BF55
4jE, xrefs: 0042B9C7
$|E, xrefs: 0042BFE1
4jE, xrefs: 0042BB97
iE, xrefs: 0042BB39
4jE, xrefs: 0042B85A
T|E, xrefs: 0042BF04
T|E, xrefs: 0042BE09

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterWindow$LeaveShow$DestroyH_prolog3H_prolog3_Message$EventFileNamePathPostSaveSendTemp_memset
String ID: $|E$$|E$4jE$4jE$4jE$<|E$<|E$T|E$T|E$iE
API String ID: 569381029-4121810622
Opcode ID: ccc9b8df258f366140dabf8a19aeb5912fd8c9c0a535e1b2d5fc2155e67d2dd4
Instruction ID: a9684f043562327aef19fedb1c825cbc8cc689bc0f016a8f665734b3c54653fc
Opcode Fuzzy Hash: ccc9b8df258f366140dabf8a19aeb5912fd8c9c0a535e1b2d5fc2155e67d2dd4
Instruction Fuzzy Hash: 8332DE316083109ED720EB69FD86B5F77A4EB81325F40063EF555A72E2CF78A8448B5E

Function 00436131 Relevance: 45.9, APIs: 17, Strings: 9, Instructions: 373
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0043613B
HttpOpenRequestW.WININET(?,?,?,00000000,00000000,00000000,8401F000,00000000), ref: 0043616D
GetLastError.KERNEL32 ref: 0043617A
HttpSendRequestW.WININET(?,?,?,?,?), ref: 004361FB
GetLastError.KERNEL32(?,?), ref: 00436205
InternetCloseHandle.WININET(?), ref: 00436255
InternetQueryOptionW.WININET(?,00000022,00000000,?), ref: 00436280
HttpQueryInfoA.WININET(?,00000016,?,?,?), ref: 004362F1
WaitForSingleObject.KERNEL32(?,00000000,00000001,00000000,39FCDDF2,?,00000000), ref: 00436364
HttpQueryInfoW.WININET(?,20000013,?,?,00000000), ref: 0043639B
GetLastError.KERNEL32(?,?), ref: 004363A5
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000,?,?), ref: 0043648C
GetLastError.KERNEL32(?,?), ref: 004364A4
WaitForSingleObject.KERNEL32(?,00000000,?,?), ref: 00436526

Part of subcall function 00403C93: __EH_prolog3.LIBCMT ref: 00403C9A

InternetReadFile.WININET(?,00000000,00002000,00000000), ref: 00436542
GetLastError.KERNEL32(?,?), ref: 00436550
InternetCloseHandle.WININET(?), ref: 004365D4

Strings

User abort (processing event), xrefs: 004365AB
User abort (info event), xrefs: 00436342
Error HTTP status , xrefs: 004363FB
Error receiving data #, xrefs: 00436562
Error creating request #, xrefs: 0043618C
Error writing file #, xrefs: 004364B9
Error sending request #, xrefs: 00436217
User abort (cancel event), xrefs: 0043636E, 004365BE
Error getting HTTP status #, xrefs: 004363B7

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$HttpInternet$Query$CloseFileH_prolog3HandleInfoObjectRequestSingleWait$OpenOptionReadSendWrite
String ID: Error HTTP status $Error creating request #$Error getting HTTP status #$Error receiving data #$Error sending request #$Error writing file #$User abort (cancel event)$User abort (info event)$User abort (processing event)
API String ID: 1727858857-1016459219
Opcode ID: 1cd957d919c8612a13d9f18ba21566041b531b443fea5b2d9e353df978129ca9
Instruction ID: 4b7b48a5cc91dc7a0910eca757b372327e20cd8b9b5fdbd3b71de3d1043d8e5a
Opcode Fuzzy Hash: 1cd957d919c8612a13d9f18ba21566041b531b443fea5b2d9e353df978129ca9
Instruction Fuzzy Hash: 6ED17071900209BFEB00EFA0DC46BDE7B78AF18304F21812AF505B7191DB789E45DBA9

Function 0043545F Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(00000001,00000000,00000001,00000000), ref: 004354CE
ExitProcess.KERNEL32 ref: 00435532

Strings

start, xrefs: 004354F9, 004356C8
parent=, xrefs: 00435606
:Zone.Identifier, xrefs: 00435482
watch, xrefs: 004354DD, 0043577C

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CommandExitLineProcess
String ID: :Zone.Identifier$parent=$start$watch
API String ID: 3244267597-1100331691
Opcode ID: aec89578431a926b7a699dc7122402a80266f76b5bbce733d935af878e54135c
Instruction ID: 0d7122c6c2eb8cfa12636c180545561c5d9ffa87441a7c3eb0c9f26322d81ae7
Opcode Fuzzy Hash: aec89578431a926b7a699dc7122402a80266f76b5bbce733d935af878e54135c
Instruction Fuzzy Hash: 99913071900228EEEB20EBA5DC45FDEBBB8EF49304F1141AAF509B3191DA745E84CF65

Function 00429751 Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 251
memorylibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008003), ref: 0042975F
__CxxThrowException@8.LIBCMT ref: 00429782
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 00429804
VirtualAlloc.KERNEL32(?,00000000,00003000,00000040), ref: 00429828
HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 004298B3
LoadLibraryA.KERNEL32(?), ref: 004298E7
CreateThread.KERNEL32(00000000,00000000,Function_00029737,?,00000000,00000000), ref: 00429A54

Strings

unknown relocation, xrefs: 00429A1C
Wrong PE signature, xrefs: 00429795
error allocating virtual memory, xrefs: 00429813, 00429832
can't create thread, xrefs: 00429A5E
PE, xrefs: 0042978D
error allocating executable memory, xrefs: 00429A08
Not normal PE format, xrefs: 004297B1
error creating executable heap, xrefs: 004298C0
Wrong PE file, xrefs: 00429772

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocCreateVirtual$ErrorException@8HeapLibraryLoadModeThreadThrow
String ID: Not normal PE format$PE$Wrong PE file$Wrong PE signature$can't create thread$error allocating executable memory$error allocating virtual memory$error creating executable heap$unknown relocation
API String ID: 2240408483-2104063785
Opcode ID: 97398cd2d12feaf67868aa5b4a4faeb871609d64f1c99db199b726c0798894ee
Instruction ID: b54677a59409a7631a4890d18f7b32f9ae8a4c8d5d3c7ef93aba61066c9dd9dd
Opcode Fuzzy Hash: 97398cd2d12feaf67868aa5b4a4faeb871609d64f1c99db199b726c0798894ee
Instruction Fuzzy Hash: 39A1BFB0E00225DFDB10CF54D885BAEBBB4FF85714F69806AE805AB341D3789E41CB99

Function 004351F9 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 180fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00435203

Part of subcall function 004280BA: GetModuleFileNameW.KERNEL32(00000000,?,00002000,39FCDDF2,?,?,?,?,0043FA29,000000FF), ref: 0042814A

Part of subcall function 00403C02: __EH_prolog3.LIBCMT ref: 00403C09

Part of subcall function 004235EB: GetFileAttributesW.KERNEL32(?,00428438,0000010C,00428781), ref: 004235FA

GetLastError.KERNEL32 ref: 004352E3
__CxxThrowException@8.LIBCMT ref: 00435341
GetFileSize.KERNEL32(00000000,00000000), ref: 0043534A
CloseHandle.KERNEL32(00000000), ref: 00435359
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 0043539A
GetLastError.KERNEL32 ref: 004353A4
CloseHandle.KERNEL32(00000000), ref: 004353AB
CloseHandle.KERNEL32(00000000), ref: 004353D2
CloseHandle.KERNEL32(00000000), ref: 004353F8

Strings

error getting length of installer binary file, xrefs: 0043535F
error reading installer binary file, xrefs: 004353B1
readed 0 bytes from installer binary file, xrefs: 004353D8
.tmp, xrefs: 0043525F
installer not found, xrefs: 0043532B
:tmp, xrefs: 0043521D
error opening file installer file #, xrefs: 0043530C

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseFileHandle$ErrorLast$AttributesException@8H_prolog3H_prolog3_catch_ModuleNameReadSizeThrow
String ID: .tmp$:tmp$error getting length of installer binary file$error opening file installer file #$error reading installer binary file$installer not found$readed 0 bytes from installer binary file
API String ID: 615348424-1581479894
Opcode ID: 904b703371ca32a860d5893ecc0a00f43d66c24fd0814ab5fc0b99c3a076131c
Instruction ID: 3b3e26dca64477f62a9120ed8b4100f58ff862ed03814ac2963a769bc36513cc
Opcode Fuzzy Hash: 904b703371ca32a860d5893ecc0a00f43d66c24fd0814ab5fc0b99c3a076131c
Instruction Fuzzy Hash: 22614B70D04658EEEB20EBB0DC45BDE7B78AF19304F60419BF509B7182D7BC5A848B69

Function 00425835 Relevance: 28.7, APIs: 19, Instructions: 242encryptionfileCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 004258D1
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000008), ref: 004258E4
CloseHandle.KERNEL32(?), ref: 004258F0
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 0042590F
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00425920
CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?,?,0043E52C,000000FF), ref: 00425946
CryptDestroyHash.ADVAPI32(?), ref: 00425956
ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 0042598E
ReadFile.KERNEL32(?,?,00002000,?,00000000), ref: 00425A4D
CryptDestroyHash.ADVAPI32(?), ref: 00425A5D
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00425A6A
CloseHandle.KERNEL32(?), ref: 00425A76
CloseHandle.KERNEL32(?), ref: 00425ABE
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00425AF0
CryptDestroyHash.ADVAPI32(?), ref: 00425B00
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00425B0D
CryptDestroyHash.ADVAPI32(?), ref: 00425B18
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00425B25

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$Hash$Context$DestroyRelease$CloseHandle$AcquireFileRead$CreateDataParam
String ID:
API String ID: 2833777535-0
Opcode ID: 749c067f7258aa6881c8257514f2968c2d099e5792a6e7dc08564e45d43b78d5
Instruction ID: 62a9c53d7b416ea82e01d91120d7e20a5a7d311e0fb15a58ac96514ce989fe3a
Opcode Fuzzy Hash: 749c067f7258aa6881c8257514f2968c2d099e5792a6e7dc08564e45d43b78d5
Instruction Fuzzy Hash: B691A4B1A00228EFDB25AB50DC89BAE777DEB04354F5080EBF605A7162D6785E84CF58

Function 00437E3B Relevance: 27.1, APIs: 1, Strings: 14, Instructions: 823COMMON

Download Yara Rule

APIs

Part of subcall function 00435F29: __EH_prolog3.LIBCMT ref: 00435F30

PathCreateFromUrlW.SHLWAPI(-00000004,?,00002000,00000000,00000001,00000000,?,00000001,00000001,00000000,?,000000FF,?,00000001), ref: 004381EB

Part of subcall function 00423A5B: CharLowerW.USER32(00000000), ref: 00423AB0

Part of subcall function 00426F06: __EH_prolog3.LIBCMT ref: 00426F0D
Part of subcall function 00426F06: GetTempPathW.KERNEL32(00002000,00000000,0000003C,00427F7B,?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001), ref: 00426F72

Part of subcall function 004278AA: __EH_prolog3_GS.LIBCMT ref: 004278B4

Part of subcall function 00403C02: __EH_prolog3.LIBCMT ref: 00403C09

Part of subcall function 00403C48: __EH_prolog3.LIBCMT ref: 00403C4F

Part of subcall function 00437385: __EH_prolog3.LIBCMT ref: 0043738C

Part of subcall function 0040173A: char_traits.LIBCPMT ref: 0040175F

Part of subcall function 00428420: __EH_prolog3_GS.LIBCMT ref: 0042842A

Part of subcall function 00428420: SetFileAttributesW.KERNEL32(?,00000080,0000010C,00428781), ref: 00428462
Part of subcall function 00428420: DeleteFileW.KERNEL32(?), ref: 00428475
Part of subcall function 00428420: EqualSid.ADVAPI32(?,00000000), ref: 00428498
Part of subcall function 00428420: SetFileAttributesW.KERNEL32(?,00000080), ref: 004284E6
Part of subcall function 00428420: DeleteFileW.KERNEL32(?), ref: 004284F5

Part of subcall function 00403C93: __EH_prolog3.LIBCMT ref: 00403C9A

Strings

wsf, xrefs: 00438069
.wsf, xrefs: 004380D0
.tmp, xrefs: 0043872C
download error: , xrefs: 00438A28
?, xrefs: 00437EB9
0, xrefs: 00438A3D
wrong file url, xrefs: 004382E3
WSF, xrefs: 00438070
file not exists, xrefs: 004382C6
|, xrefs: 00437EAF
file, xrefs: 00438166
:tmp, xrefs: 004386A7
wrong file path, xrefs: 004382DC
.exe, xrefs: 00437FDD, 00438338, 004385D2, 004387CB

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3$File$AttributesDeleteH_prolog3_Path$CharCreateEqualFromLowerTempchar_traits
String ID: .exe$.tmp$.wsf$0$:tmp$?$WSF$download error: $file$file not exists$wrong file path$wrong file url$wsf$|
API String ID: 523631333-489822373
Opcode ID: 918a9405122f7012968844ff79ad95de6e1eeb6c0c846190ffa797bb09cf43b1
Instruction ID: 6adf644fb4b5ea92389c51101888bdbaca163d7e081d06447c3e5e940b648ded
Opcode Fuzzy Hash: 918a9405122f7012968844ff79ad95de6e1eeb6c0c846190ffa797bb09cf43b1
Instruction Fuzzy Hash: EA7280B1904268A9EB24EB61DD45BDDB7B8AF14304F5001EAF709731D2CB781F89CB69

Function 00426FD8 Relevance: 21.2, APIs: 14, Instructions: 204processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00427036
_memset.LIBCMT ref: 0042705F
Process32FirstW.KERNEL32(?,?), ref: 0042707A
GetLastError.KERNEL32 ref: 00427083
CloseHandle.KERNEL32(?), ref: 00427091

Part of subcall function 00405232: __EH_prolog3.LIBCMT ref: 00405239

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateErrorFirstH_prolog3HandleLastProcess32SnapshotToolhelp32_memset
String ID:
API String ID: 2707144682-0
Opcode ID: 443611af71cdd47840dc23048ff41d7b0528b27a6badbb309de9d3261b12f720
Instruction ID: 9ac7801abe6b743a160ea4084e2c28b271d4e567d7e2c0d7215ed04be1841866
Opcode Fuzzy Hash: 443611af71cdd47840dc23048ff41d7b0528b27a6badbb309de9d3261b12f720
Instruction Fuzzy Hash: 2F815FF2A051289BDB20EBA1DC459DEB7BCAB44304F8101EAF709B3151DB385F858F69

Function 00425B69 Relevance: 15.1, APIs: 10, Instructions: 96encryptionCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00425B70
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000040,00426693,?,?,?,?,00000001,00000000,00000001,00000000,00000001), ref: 00425B91
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000008), ref: 00425BA1
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00425BC7
CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000000), ref: 00425BD5
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00425BF6
CryptDestroyHash.ADVAPI32(?,?,?,00000000), ref: 00425C03
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,?,00000000), ref: 00425C1C
CryptDestroyHash.ADVAPI32(?,?,?,00000000), ref: 00425C29
CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000000), ref: 00425C33

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireDestroyRelease$CreateDataH_prolog3_Param
String ID:
API String ID: 277041088-0
Opcode ID: bf82822744feac790fa503f2b5207d65905533f3422dc639ffaf1cc3a11768cb
Instruction ID: 722c7356b26187e6e223083f3a9ca124ef0bb319af85fffe88d3548124a3fced
Opcode Fuzzy Hash: bf82822744feac790fa503f2b5207d65905533f3422dc639ffaf1cc3a11768cb
Instruction Fuzzy Hash: F1317075A00118EBDF219F91ED45EAF7F78EF85B04F40002AF601E6151D778AD12CB68

Function 00426865 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 449stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(00001000,00000000), ref: 00426A30
lstrlenW.KERNEL32(?), ref: 00426A5B

Strings

\device\mup, xrefs: 0042697B

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DriveLogicalStringslstrlen
String ID: \device\mup
API String ID: 488508356-3219234528
Opcode ID: 0db4c7fddc13477787548f23fda2e2f340d30e7058ea03a77fc1ef452a3ba0a4
Instruction ID: 136772589e172c8eecef4edaab94573e2ba3b1040a3709d37e2d367ea7e22c2f
Opcode Fuzzy Hash: 0db4c7fddc13477787548f23fda2e2f340d30e7058ea03a77fc1ef452a3ba0a4
Instruction Fuzzy Hash: 1502A031608390DED730EB25DC45B9BB7E4AF84304F41092EF689A72A1D7789985CB5B

Function 00426181 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 330comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000004,39FCDDF2), ref: 004261E0
CoCreateInstance.OLE32(00444620,00000000,00000001,00444550,?), ref: 004261FC

Part of subcall function 00405232: __EH_prolog3.LIBCMT ref: 00405239

Strings

false, xrefs: 0042647D, 00426482
SELECT * FROM , xrefs: 004262AF
WQL, xrefs: 00426328
true, xrefs: 00426471

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateH_prolog3InitializeInstance
String ID: SELECT * FROM $WQL$false$true
API String ID: 2253557830-1835089314
Opcode ID: d068d01394db77217c394c4173f88ccc758118cc47a9cc3958f652b16a4f0aa3
Instruction ID: b0341a41e5de7f498bcc83a3879e37a18f74dd50389aa0e2ce0f2aa8708185c0
Opcode Fuzzy Hash: d068d01394db77217c394c4173f88ccc758118cc47a9cc3958f652b16a4f0aa3
Instruction Fuzzy Hash: A4C1BE71208350EFD720DF64D884B5BB7E9FF85318F404A2EF589A7290C778A845CB9A

Function 0043C238 Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 596COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0043C242

Part of subcall function 0042425D: __EH_prolog3_GS.LIBCMT ref: 00424264
Part of subcall function 0042425D: AssocQueryStringW.SHLWAPI(00000000,00000002,?,open,00000000,?), ref: 004242AF

Part of subcall function 00423A5B: CharLowerW.USER32(00000000), ref: 00423AB0

Strings

/, xrefs: 0043CB07
Software\Clients\StartMenuInternet\, xrefs: 0043C45B, 0043C534
Software\Clients\StartMenuInternet, xrefs: 0043C353, 0043C870, 0043C8FD
http, xrefs: 0043C24F
\shell\open\command, xrefs: 0043C546
., xrefs: 0043C9CB

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AssocCharH_prolog3_H_prolog3_catch_LowerQueryString
String ID: .$/$Software\Clients\StartMenuInternet$Software\Clients\StartMenuInternet\$\shell\open\command$http
API String ID: 1119234328-1412654641
Opcode ID: fd8297a871e217796c860c463b844c334d5ef12a58c28177baf2fe964d1fc8aa
Instruction ID: 1eb86aa033c9b12e98e92e54c4575993b1ed7fa9952751f478fe4d00b7e0e9cd
Opcode Fuzzy Hash: fd8297a871e217796c860c463b844c334d5ef12a58c28177baf2fe964d1fc8aa
Instruction Fuzzy Hash: 00325F71C00268EADF10EBA5DC45BDDB7B8AF05318F1041AAE509B7191DB782F89CB65

Function 0043A8D8 Relevance: 12.7, Strings: 10, Instructions: 176COMMON

Download Yara Rule

Strings

manufacturer, xrefs: 0043A92F
virtual, xrefs: 0043A9D0
qemu, xrefs: 0043A9C0
parallels, xrefs: 0043A9B8
virtualbox, xrefs: 0043A9A8
Win32_ComputerSystem, xrefs: 0043A99F
model, xrefs: 0043A96C
ROOT\CIMv2, xrefs: 0043A9DD
wine, xrefs: 0043A9C8
vmware, xrefs: 0043A9B0

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateH_prolog3InitializeInstance
String ID: ROOT\CIMv2$Win32_ComputerSystem$manufacturer$model$parallels$qemu$virtual$virtualbox$vmware$wine
API String ID: 2253557830-1039051433
Opcode ID: 8d67a11d0596b2c4d3af04924b06e87482c069017be62ddfce72ec3782c19ca6
Instruction ID: a4b91d119231cb88bf96448be7fc215d2d24d9dde2bde17f60e2b97eea420c52
Opcode Fuzzy Hash: 8d67a11d0596b2c4d3af04924b06e87482c069017be62ddfce72ec3782c19ca6
Instruction Fuzzy Hash: F46181715083819ED320EF25C801B9FBBE4AFD5714F01492EF599632A1CBB8A949CB97

Function 0043902A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00439034
_memset.LIBCMT ref: 00439058
GetVersionExW.KERNEL32(?,00457A80,?,00000000), ref: 0043906D

Part of subcall function 00403C93: __EH_prolog3.LIBCMT ref: 00403C9A

Part of subcall function 00403C02: __EH_prolog3.LIBCMT ref: 00403C09

Part of subcall function 00403C48: __EH_prolog3.LIBCMT ref: 00403C4F

Part of subcall function 004028E7: std::_String_base::_Xlen.LIBCPMT ref: 00402920

Strings

;suite:, xrefs: 00439216
win, xrefs: 004390B2
;product:, xrefs: 00439270
;sp, xrefs: 00439170

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3$H_prolog3_String_base::_VersionXlen_memsetstd::_
String ID: ;product:$;sp$;suite:$win
API String ID: 4250304953-281868712
Opcode ID: 01c14edb89127d304fb1365c45faa37f4d60ac96574300bb39d2b5740cb77128
Instruction ID: ab2b0322a524e2439dea9c6ab9990f47c670feaf4b2a85c31e4b37f9be0f07c2
Opcode Fuzzy Hash: 01c14edb89127d304fb1365c45faa37f4d60ac96574300bb39d2b5740cb77128
Instruction Fuzzy Hash: C56180B2800168EADF11FB55DD45BDEB7BCAF0A309F0042EAB64AB7191C6381F44CB64

Function 00410F21 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00414857
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041486C
UnhandledExceptionFilter.KERNEL32(8mE), ref: 00414877
GetCurrentProcess.KERNEL32(C0000409), ref: 00414893
TerminateProcess.KERNEL32(00000000), ref: 0041489A

Strings

8mE, xrefs: 00414872

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: 8mE
API String ID: 2579439406-64802255
Opcode ID: 0acd18575805a41008e4ec1ddd4a0e9de60e734d6635b25e07917fd3c968d44b
Instruction ID: 3e0c7eb9b6911ec400a73a65f5c5a9442d8ccca820bd004e77448947532fdf7f
Opcode Fuzzy Hash: 0acd18575805a41008e4ec1ddd4a0e9de60e734d6635b25e07917fd3c968d44b
Instruction Fuzzy Hash: AC21C379602304DFC751DF69F8866583BB1FB49717F92053AE80887262E7B5D9848F0D

Function 00425784 Relevance: 9.1, APIs: 6, Instructions: 68encryptionCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042578B
CryptAcquireContextW.ADVAPI32(00000001,00000000,00000000,00000001,00000000,00000028,004301FF,?,?,0044668C,?,BUTTON,00000001,00000000), ref: 004257A4
CryptAcquireContextW.ADVAPI32(00000001,00000000,00000000,00000001,00000008,?,?,0044668C,?,BUTTON,00000001,00000000,?,?,0044A128), ref: 004257B4
CryptGenRandom.ADVAPI32(00000001,00000010,00000000,?,?,0044668C,?,BUTTON,00000001,00000000,?,?,0044A128,?,?), ref: 004257DB
CryptReleaseContext.ADVAPI32(00000001,00000000,?,?,0044668C,?,BUTTON,00000001,00000000,?,?,0044A128,?,?), ref: 004257F0
CryptReleaseContext.ADVAPI32(00000001,00000000,?,?,0044668C,?,BUTTON,00000001,00000000,?,?,0044A128,?,?), ref: 00425813

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$Context$AcquireRelease$H_prolog3_Random
String ID:
API String ID: 4230544423-0
Opcode ID: 90e3a332d0f44ea3a7c411b15e082429262e7e69f687be34c474dedb78dd9f2e
Instruction ID: 5308e311dfbab4923009fcb6e8bf334439d8e9638a49863c82996ffb7b6a7c69
Opcode Fuzzy Hash: 90e3a332d0f44ea3a7c411b15e082429262e7e69f687be34c474dedb78dd9f2e
Instruction Fuzzy Hash: 7311C435641224B6DB206B62ED46FDF2EB9EFC5B04F00402FF501F61D1DAB85851C66C

Function 00438BF9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00438C00
GetSystemInfo.KERNEL32(?,00000064), ref: 00438C4D
CallNtPowerInformation.POWRPROF(0000000B,00000000,00000000,00000000,?), ref: 00438C7C

Part of subcall function 00403C02: __EH_prolog3.LIBCMT ref: 00403C09

Part of subcall function 004028E7: std::_String_base::_Xlen.LIBCPMT ref: 00402920

Strings

x~E, xrefs: 00438D16
x~E, xrefs: 00438CCC

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3$CallInfoInformationPowerString_base::_SystemXlenstd::_
String ID: x~E$x~E
API String ID: 2350546440-560470620
Opcode ID: cf831d3ee502281583cc4df36d9f901577fa101954926870b1123bf9dbf4c2b8
Instruction ID: 574bf5f43bd349b58a52322ccff70d10b874ab0161a598cf5352ef13c78e8c8f
Opcode Fuzzy Hash: cf831d3ee502281583cc4df36d9f901577fa101954926870b1123bf9dbf4c2b8
Instruction Fuzzy Hash: BE31D2719003489ADB00EBA5EC42A9EB7B8EF54704F10416FF510BB2E6DBBC9D41CB69

Function 0042C16E Relevance: 7.6, APIs: 5, Instructions: 78fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042C175
SetErrorMode.KERNEL32(00000003,00000028), ref: 0042C17C
SetUnhandledExceptionFilter.KERNEL32(0042AFAE), ref: 0042C187

Part of subcall function 00425CFC: SetProcessShutdownParameters.KERNEL32(?,00000001), ref: 00425D06
Part of subcall function 00425CFC: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00425D19
Part of subcall function 00425CFC: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00425D26
Part of subcall function 00425CFC: CreateThread.KERNEL32(00000000,00000000,004254D1,00000000,00000000,00000000), ref: 00425D47

GetStdHandle.KERNEL32(000000F6), ref: 0042C1A4
ReadFile.KERNEL32(00002800,00000000,00002800,00000000,00000000), ref: 0042C20B

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create$Event$ErrorExceptionFileFilterH_prolog3HandleModeParametersProcessReadShutdownThreadUnhandled
String ID:
API String ID: 3891794355-0
Opcode ID: bd86557a0ed74266805c3657539739b991f94d7dd37d26b857bf3afa3ad5bbaa
Instruction ID: 8846ae277785d46b3337cffbe9707705f0a8aa01be9701fbae8a3b8e2bc95318
Opcode Fuzzy Hash: bd86557a0ed74266805c3657539739b991f94d7dd37d26b857bf3afa3ad5bbaa
Instruction Fuzzy Hash: B321A331900129ABCB10EBA1EC46EAF7B79EF45364F20412AB915771D1DB745A40CBA9

Function 004230F3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shell32.dll), ref: 0042310B
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0042311B

Strings

SHGetKnownFolderPath, xrefs: 00423115
Shell32.dll, xrefs: 004230FF

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetKnownFolderPath$Shell32.dll
API String ID: 2574300362-677601484
Opcode ID: 8034a7f4e655071b12dc6d1c6146d7e877848fd331e7bd672af571b6cdb002b2
Instruction ID: 9c59a11bb608c45f5c912b4f09642cae9e6170e9d4d7c7e6b9a44a472645e801
Opcode Fuzzy Hash: 8034a7f4e655071b12dc6d1c6146d7e877848fd331e7bd672af571b6cdb002b2
Instruction Fuzzy Hash: 6EE012717483656BEB228FA4FC05B253BB8A744B46F404035FA0CD62E1DBBDD960879C

Function 00423319 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?), ref: 00423328
OpenProcessToken.ADVAPI32(00000000), ref: 0042332F
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00423353
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?), ref: 00423382

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: 3a78965e001d3ee2950770e204fa09ccffc060e03e66ddb62bc50cb2723a8532
Instruction ID: 6d1cde34815f058760b6867a97504a6169b9edd93a7948029eafd4167bf6bdbb
Opcode Fuzzy Hash: 3a78965e001d3ee2950770e204fa09ccffc060e03e66ddb62bc50cb2723a8532
Instruction Fuzzy Hash: 68014C76900229EBDB10DFE5D808AEFBBBCAF06701F404166E901E2140D7789B048BE4

Function 00438D35 Relevance: 4.7, APIs: 3, Instructions: 168COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(00001000,?,39FCDDF2,00000001,?,00000000,?,?,0043DCFB,000000FF,?,00432B00,?,?,00000001,00000000), ref: 00438D94
GetDriveTypeW.KERNEL32(?), ref: 00438E48
GetDiskFreeSpaceExW.KERNEL32(?,00000000,00000000,?), ref: 00438E7F

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Drive$DiskFreeLogicalSpaceStringsType
String ID:
API String ID: 400115644-0
Opcode ID: eb6cfdd5d258c35b1cbc920093279356d5a7ea57bf3c6a6b2b3f77445b177c36
Instruction ID: 3cf13efdad4f1d2b442809ccf1cb84a8caa194b19d480cb0d2bc4547a643e96a
Opcode Fuzzy Hash: eb6cfdd5d258c35b1cbc920093279356d5a7ea57bf3c6a6b2b3f77445b177c36
Instruction Fuzzy Hash: E6616E715083849ED720DF64CC45B9BB7E8FB99308F004A2EF58DA7291DB789948CB67

Function 00428340 Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00428347
IsBadWritePtr.KERNEL32(?,?,00000040,00433331,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000), ref: 00428393

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_Write
String ID:
API String ID: 2657316581-0
Opcode ID: c087b852999587166c46a8a4236893e48d829c93f1dc4d25a417da905e2bf9af
Instruction ID: 567330286af23c6f8bc0b67e498089e91ebc585120acc4ec9674e2d7c5a3b4a5
Opcode Fuzzy Hash: c087b852999587166c46a8a4236893e48d829c93f1dc4d25a417da905e2bf9af
Instruction Fuzzy Hash: 5C21D331B011159FDF18DB28D851BBE73B0AF48B14FA4412EE902EB292DB79ED42C659

Function 00429737 Relevance: 3.0, APIs: 2, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002971D), ref: 0042973F
ExitProcess.KERNEL32 ref: 0042974A

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionExitFilterProcessUnhandled
String ID:
API String ID: 3348532846-0
Opcode ID: 24abb25775f5fec1219b7e538e4a702706e7778f2af124656529fca9ab045410
Instruction ID: ade9ea65ce32e02cadf791ee1ddca21d6396270c44cb8ee64c8b274f3ea8af1f
Opcode Fuzzy Hash: 24abb25775f5fec1219b7e538e4a702706e7778f2af124656529fca9ab045410
Instruction Fuzzy Hash: D7B09B34154204A7C6002FD1EC0E7483E54FF42742F404030F5054705199A158404E59

Function 0043B409 Relevance: 1.8, Strings: 1, Instructions: 506COMMON

Download Yara Rule

Strings

|, xrefs: 0043B460

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: f8447cf055629668ddc52d2fff55e4fa1f6f922df4fe10693531fd40a9f4c126
Instruction ID: b79a03227c7530e364f72badf1ec2b9e887904f8dd5e84781f1ecd57f7b17211
Opcode Fuzzy Hash: f8447cf055629668ddc52d2fff55e4fa1f6f922df4fe10693531fd40a9f4c126
Instruction Fuzzy Hash: 9C1271725083809ED730EB65C841BDFB7E8EF89318F000A2EF68967191DB786949CB57

Function 00417277 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00017235), ref: 0041727C

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 06ac20b8896c4c79988b721c16f753ed6c14d060aa817415abac264c95fec94a
Instruction ID: 88cf47850b43bfd876af0391cc12ae75842832ada03b14d0f9fadb38a0c67953
Opcode Fuzzy Hash: 06ac20b8896c4c79988b721c16f753ed6c14d060aa817415abac264c95fec94a
Instruction Fuzzy Hash: 2B90027425514046461017716D0E74525A4FB8E74676108E5B155C5055EAA44081555B

Function 0040F730 Relevance: .9, Instructions: 915COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46fba3fb5889573eefc4d888fa17b99230d7807b26c040d19d4b234ef011fa4
Instruction ID: 4761420ec8e5aef44b72d12d6ea3bc4efc4e911293f335b2d03100436b2d9809
Opcode Fuzzy Hash: e46fba3fb5889573eefc4d888fa17b99230d7807b26c040d19d4b234ef011fa4
Instruction Fuzzy Hash: 77728371A001158FDB38DF68C480A5E77B1BF84704F2141BAD916AB796DB34EC86CF99

Function 00444440 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce83530ecf9f629d5f29bd9a64fd24ef74a1485be62515c8988df02615564321
Instruction ID: 38c635e3b91ab457da0597f3e0c2f59a3ac6420ae1cf34bd1e585f6352f06dcd
Opcode Fuzzy Hash: ce83530ecf9f629d5f29bd9a64fd24ef74a1485be62515c8988df02615564321
Instruction Fuzzy Hash: BD31112145E7D08ED72BCB788566DA77FB0AE0322431B80EFC4C58F0B3DA19454AC75A

Function 004120E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 13894e8023581dbc7f90a609e0d06cfe84f7b44633e78d6a702d6051ea6d47fe
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 20113FB724008173D604C52DDBB45F7A396FAC5320B6C4367D341CB758E2AA99E19608

Function 00422F0E Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d2d65dc791780a79f8e72f24a319ba3357e29369ae810294a6d907adb4f602
Instruction ID: d38f242198b0d15023108e7877089702408a8e3f5184e2581cd78cd7fed4c894
Opcode Fuzzy Hash: 94d2d65dc791780a79f8e72f24a319ba3357e29369ae810294a6d907adb4f602
Instruction Fuzzy Hash: C0F037B2529108BFF714CA94AE85BBBB7ADE704378F314A5AF000D2280D2F95E445524

Function 00436A86 Relevance: 38.9, APIs: 17, Strings: 5, Instructions: 435
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(Downloader 15.4,00000000,00000000,00000000,00000000), ref: 00436B16
GetLastError.KERNEL32(?,0044668C,?,0044668C,39FCDDF2,?,00000000), ref: 00436B24

Part of subcall function 00403C93: __EH_prolog3.LIBCMT ref: 00403C9A

InternetSetOptionW.WININET(00000000,00000002,?,00000004), ref: 00436BA0
InternetSetOptionW.WININET(0044668C,00000005,?,00000004), ref: 00436BAE
InternetSetOptionW.WININET(0044668C,00000006,?,00000004), ref: 00436BBC
InternetSetOptionW.WININET(0044668C,00000007,?,00000004), ref: 00436BCA
InternetSetOptionW.WININET(0044668C,00000008,?,00000004), ref: 00436BD8
InternetConnectW.WININET(00000003,?,?,?,?,00000003,00000000,00000000), ref: 00436C20
GetLastError.KERNEL32(?,0044668C,?,0044668C,39FCDDF2,?,00000000), ref: 00436C2E
InternetCloseHandle.WININET(?), ref: 00436C90

Strings

Downloader 15.4, xrefs: 00436B0B
Error creating file #, xrefs: 00436D19
Error initializing inet #, xrefs: 00436B38
Error connecting #, xrefs: 00436C42
Range: bytes=, xrefs: 00436DA7, 00436F0F

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Internet$Option$ErrorLast$CloseConnectH_prolog3HandleOpen
String ID: Range: bytes=$Downloader 15.4$Error connecting #$Error creating file #$Error initializing inet #
API String ID: 283768418-3403237240
Opcode ID: 8940827807958eb46fdf6d11d1992215e2fde2d20c1c77c64691ae027404e6fe
Instruction ID: e345acf3af09ae2a895abddd20cfd8ace589afe853ec11aa0212e47a79e5dc10
Opcode Fuzzy Hash: 8940827807958eb46fdf6d11d1992215e2fde2d20c1c77c64691ae027404e6fe
Instruction Fuzzy Hash: DB0270B1508345AFD724EF10CC46B9BBBE8FF88714F00492EF689A7291D7749944CB9A

Function 0042A64E Relevance: 33.2, APIs: 22, Instructions: 163
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0042A658

Part of subcall function 00435F29: __EH_prolog3.LIBCMT ref: 00435F30

Part of subcall function 00435B8E: __EH_prolog3_catch_GS.LIBCMT ref: 00435B98

Part of subcall function 00437385: __EH_prolog3.LIBCMT ref: 0043738C

GlobalAlloc.KERNEL32(00000002,?,?,?,0000EA60,00007530,00000198), ref: 0042A6A1
GlobalLock.KERNEL32(?,?,?), ref: 0042A6C3
CreateStreamOnHGlobal.OLE32(?,00000000,?), ref: 0042A6E6
GdipLoadImageFromStream.GDIPLUS(?,?), ref: 0042A6F9
GetSysColor.USER32(0000000F), ref: 0042A70E
GdipGetImageWidth.GDIPLUS(?,?), ref: 0042A728
GdipGetImageHeight.GDIPLUS(?,?), ref: 0042A73C
CreateCompatibleDC.GDI32(00000000), ref: 0042A743
CreateBitmap.GDI32(?,?,00000001,00000020,00000000), ref: 0042A759
SelectObject.GDI32(?,00000000), ref: 0042A766
GdipCreateFromHDC.GDIPLUS(?,?), ref: 0042A779
GdipCreateSolidFill.GDIPLUS(?,?,?,?), ref: 0042A7AD
GdipFillRectangleI.GDIPLUS(?,?,00000000,00000000,?,?,?,?,?,?), ref: 0042A7C6
GdipDrawImageRectI.GDIPLUS(?,?,00000000,00000000,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 0042A7DF
GdipDeleteBrush.GDIPLUS(?,?,?,00000000,00000000,?,?,?,?,00000000,00000000,?,?,?,?,?), ref: 0042A7EA
GdipDeleteGraphics.GDIPLUS(?,?,?,?,00000000,00000000,?,?,?,?,00000000,00000000,?,?,?,?), ref: 0042A7F5
GdipDisposeImage.GDIPLUS(?,?,?,?,?,00000000,00000000,?,?,?,?,00000000,00000000,?,?), ref: 0042A800
GlobalUnlock.KERNEL32(?,?,?), ref: 0042A80B
GlobalFree.KERNEL32(?), ref: 0042A81D
GetHGlobalFromStream.OLE32(?,?), ref: 0042A82C
GlobalFree.KERNEL32(?), ref: 0042A838

Part of subcall function 00422518: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000006,0042C11A), ref: 00422544

Part of subcall function 00422703: __CxxThrowException@8.LIBCMT ref: 0042271D
Part of subcall function 00422703: ShowWindow.USER32(?,?), ref: 0042272F

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$Global$CreateImage$FromStream$DeleteFillFreeH_prolog3Window$AllocBitmapBrushColorCompatibleDisposeDrawException@8GraphicsH_prolog3_H_prolog3_catch_HeightLoadLockObjectRectRectangleSelectShowSolidThrowUnlockWidth
String ID:
API String ID: 428748234-0
Opcode ID: 0853a5bd0d2108b4774a89c3d77312c2403263c63ede5dd0f23471f490362cc5
Instruction ID: d8d8824b47724f80831bbcfc15507b68e664ad8ea08a0f0072cf7299f80ebf8e
Opcode Fuzzy Hash: 0853a5bd0d2108b4774a89c3d77312c2403263c63ede5dd0f23471f490362cc5
Instruction Fuzzy Hash: 8E614B71900128AFDF21AFA1DD46BDDBB75EF09304F4040AAF608B6161DBB4AAD4CF58

Function 004254D1 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 102windowregistrylibraryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004254DB
LoadLibraryW.KERNEL32(wuapi.dll,00000088), ref: 004254E5
EnumResourceNamesW.KERNEL32(00000000,0000000E,Function_00022C97,00000000), ref: 004254F8
GetTickCount.KERNEL32 ref: 004254FE

Part of subcall function 00403C93: __EH_prolog3.LIBCMT ref: 00403C9A

GetModuleHandleW.KERNEL32 ref: 0042554A
LoadImageW.USER32(00000000,00000001,00000000,00000000,00008040), ref: 00425563
RegisterClassExW.USER32(00000030), ref: 0042558B
CreateWindowExW.USER32(00000080,FFFF8300,Windows Update,10000000,FFFF8300,FFFF8300,00000000,00000000,00000000,00000000,?,00000000), ref: 004255BD
SetTimer.USER32(00000000,000001BC,00000064,00000000), ref: 004255D0
DispatchMessageW.USER32(?), ref: 004255E7
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004255F4

Strings

0, xrefs: 00425533
Windows Update, xrefs: 004255B2
wuapi.dll, xrefs: 004254E0
Window #, xrefs: 00425513

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LoadMessage$ClassCountCreateDispatchEnumH_prolog3H_prolog3_HandleImageLibraryModuleNamesRegisterResourceTickTimerWindow
String ID: 0$Window #$Windows Update$wuapi.dll
API String ID: 2433587882-613691514
Opcode ID: 4a46c62a93c50d22449711e8a630047eb6c674d6a799535a8aad455cbd9f672d
Instruction ID: 5460e4a41303b39ece6203e3126ed181bc892b5ce7a8d4e1cd37aa09c422b44f
Opcode Fuzzy Hash: 4a46c62a93c50d22449711e8a630047eb6c674d6a799535a8aad455cbd9f672d
Instruction Fuzzy Hash: AD318E75A00654ABDB209FA5EC49EAFBFB9FBC6B01F50002AF511F6191C7B44945CB28

Function 004289FB Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 230processCOMMON

Download Yara Rule

APIs

Part of subcall function 004280BA: GetModuleFileNameW.KERNEL32(00000000,?,00002000,39FCDDF2,?,?,?,?,0043FA29,000000FF), ref: 0042814A

SetFileAttributesW.KERNEL32(-00000004,00000080,39FCDDF2,?,?,?,?,0043FFCA,000000FF), ref: 00428A4E
ExitProcess.KERNEL32 ref: 00428A92

Part of subcall function 00423C55: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00423CC5

GetEnvironmentVariableW.KERNEL32(ComSpec,?,00002000,00000001,00000000,?,?,?,?,0043FFCA,000000FF), ref: 00428ADB
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,0043FFCA,000000FF), ref: 00428AF4
_memset.LIBCMT ref: 00428C91
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00428CF8
CloseHandle.KERNEL32(?), ref: 00428D0A
CloseHandle.KERNEL32(?), ref: 00428D12

Strings

\cmd.exe, xrefs: 00428AAE
" /c taskkill /f /pid , xrefs: 00428B58
" exit, xrefs: 00428BEC
ComSpec, xrefs: 00428AD6
" & if not exist ", xrefs: 00428BB9
& for /l %x in (1,1,60) do ping 127.0.0.1 -n 2 -w 500 & del /q /f ", xrefs: 00428B86

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Process$CloseFileHandle$AttributesCreateCurrentEnvironmentExitFolderModuleNamePathVariable_memset
String ID: & for /l %x in (1,1,60) do ping 127.0.0.1 -n 2 -w 500 & del /q /f "$" & if not exist "$" /c taskkill /f /pid $" exit$ComSpec$\cmd.exe
API String ID: 3954325587-4250694363
Opcode ID: 530aafe55c8316273a5be5f33609d016cbf573f62ece8c34274688bf958c961a
Instruction ID: bfa74545eadc1b3e2da160707e802f852e731fde79e3f73e950f5c187d9d6adb
Opcode Fuzzy Hash: 530aafe55c8316273a5be5f33609d016cbf573f62ece8c34274688bf958c961a
Instruction Fuzzy Hash: EC8173F2C04128EADB20EBA5EC45ACE77BCAF55305F0141EAF709B3151DA785F848B69

Function 00428420 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 245fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042842A

Part of subcall function 004235EB: GetFileAttributesW.KERNEL32(?,00428438,0000010C,00428781), ref: 004235FA

SetFileAttributesW.KERNEL32(?,00000080,0000010C,00428781), ref: 00428462
DeleteFileW.KERNEL32(?), ref: 00428475
EqualSid.ADVAPI32(?,00000000), ref: 00428498
SetFileAttributesW.KERNEL32(?,00000080), ref: 004284E6
DeleteFileW.KERNEL32(?), ref: 004284F5

Strings

.tmp, xrefs: 00428513
.deleted, xrefs: 00428621

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Attributes$Delete$EqualH_prolog3_
String ID: .deleted$.tmp
API String ID: 3777896678-1424427048
Opcode ID: e644fc855331ae772839b9e87ab9b0e74c0af5c700362eb8cc16c24ff1cd9df4
Instruction ID: 94486d4109dcde665c55cf9131262e63acee57fdcfd50bd7ff89a8f56c02b02b
Opcode Fuzzy Hash: e644fc855331ae772839b9e87ab9b0e74c0af5c700362eb8cc16c24ff1cd9df4
Instruction Fuzzy Hash: 7C91B271A01128EFDB10EBA4DC45BDEB778BF15305F90406AF101B7191DBB85E89CBA9

Function 00414F1C Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0044D218,0000000C,00415057,00000000,00000000,?,00401267,00000001,?,?,?,00401113,00000000), ref: 00414F2E
__crt_waiting_on_module_handle.LIBCMT ref: 00414F39

Part of subcall function 004153F5: Sleep.KERNEL32(000003E8,00000000,?,00414E7F,KERNEL32.DLL,?,00414ECB,?,00401267,00000001,?,?,?,00401113,00000000), ref: 00415401
Part of subcall function 004153F5: GetModuleHandleW.KERNEL32(00000000,?,00414E7F,KERNEL32.DLL,?,00414ECB,?,00401267,00000001,?,?,?,00401113,00000000), ref: 0041540A

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00414F62
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00414F72
__lock.LIBCMT ref: 00414F94
InterlockedIncrement.KERNEL32(?), ref: 00414FA1
__lock.LIBCMT ref: 00414FB5
___addlocaleref.LIBCMT ref: 00414FD3

Strings

DecodePointer, xrefs: 00414F6A
hYE, xrefs: 00414F8B
Lw, xrefs: 00414FA1
EncodePointer, xrefs: 00414F56
KERNEL32.DLL, xrefs: 00414F28, 00414F2D, 00414F38

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL$hYE$Lw
API String ID: 1028249917-3438387428
Opcode ID: 44293b2d78c92c397cf48cfd1c0b33f3d1f6aa59410f6948ce821dff737b64e2
Instruction ID: 82288082162e1c50b92b8a5e0cc7482902ccfe26943c861a3abad2a401921760
Opcode Fuzzy Hash: 44293b2d78c92c397cf48cfd1c0b33f3d1f6aa59410f6948ce821dff737b64e2
Instruction Fuzzy Hash: 0C116371900B01EFD7209F76D901BDABBE0AF84358F10451FE4A597391DBB89981CF59

Function 00439612 Relevance: 21.4, APIs: 2, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0043961C

Part of subcall function 00425FD5: RegOpenKeyExW.ADVAPI32(?,?,00000000,00000109,39FCDDF2,39FCDDF2), ref: 00426027

__CxxThrowException@8.LIBCMT ref: 00439947

Part of subcall function 00403C93: __EH_prolog3.LIBCMT ref: 00403C9A

Part of subcall function 004249B3: __EH_prolog3_GS.LIBCMT ref: 004249BA
Part of subcall function 004249B3: RegOpenKeyExW.ADVAPI32(?,?,00000000,00000101,?,0000006C,00424E09,?,?,00000080,00424ED6,?,0000003C,00427D3D,?,00000001), ref: 004249EC

Strings

B, xrefs: 0043A3CD
Install, xrefs: 004397FA, 0043983F
error getting version, xrefs: 00439A4F
hkD, xrefs: 00439940, 00439946
, xrefs: 004398B0
version not installed, xrefs: 00439931
@kD, xrefs: 00439A5E
Version, xrefs: 0043971A, 00439782
SOFTWARE\Microsoft\NET Framework Setup\NDP, xrefs: 0043962C
SOFTWARE\Microsoft\NET Framework Setup\NDP\, xrefs: 00439732, 0043973A, 0043979C, 00439811, 00439859, 00439963, 004399BE

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Open$Exception@8H_prolog3H_prolog3_H_prolog3_catch_Throw
String ID: $@kD$B$Install$SOFTWARE\Microsoft\NET Framework Setup\NDP$SOFTWARE\Microsoft\NET Framework Setup\NDP\$Version$error getting version$hkD$version not installed
API String ID: 2274932691-4079712116
Opcode ID: a5b71483e2bb615e203d1ef9e5fcf7f6261c8949a475bc49ce7f38d7407bd22b
Instruction ID: 79d33f92d92982e5a20b6248d3e43f1b4e94bb9b59c6040d3bb8c364d792c493
Opcode Fuzzy Hash: a5b71483e2bb615e203d1ef9e5fcf7f6261c8949a475bc49ce7f38d7407bd22b
Instruction Fuzzy Hash: C2E19271D44268AEEF10EBA5CC06BCDB778AF05318F1141AAE505772D2C7B81F49CB59

Function 0042730A Relevance: 17.9, APIs: 2, Strings: 8, Instructions: 436COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00427314
GetVersion.KERNEL32(000000AC,0043CC41,?,?,00000024,0043279F,?,?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000), ref: 0042733D

Part of subcall function 00403C02: __EH_prolog3.LIBCMT ref: 00403C09

Part of subcall function 004028E7: std::_String_base::_Xlen.LIBCPMT ref: 00402920

Strings

ROOT\SecurityCenter, xrefs: 00427619
false, xrefs: 004276FF, 00427749
onAccessScanningEnabled, xrefs: 004275C3
productState, xrefs: 004273FC
ROOT\SecurityCenter2, xrefs: 00427427
true, xrefs: 004276DE, 0042772B
productUptoDate, xrefs: 004275EE
displayName, xrefs: 004273CB

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3H_prolog3_String_base::_VersionXlenstd::_
String ID: ROOT\SecurityCenter$ROOT\SecurityCenter2$displayName$false$onAccessScanningEnabled$productState$productUptoDate$true
API String ID: 290633416-770048900
Opcode ID: d41c7935fba98f4c6b230c3a5b239ac48feb07db88f682d74f65f250109ccb34
Instruction ID: 37fb866910444abc22e4376f24897a2dacf7335f726b8aefeea7b993e8257393
Opcode Fuzzy Hash: d41c7935fba98f4c6b230c3a5b239ac48feb07db88f682d74f65f250109ccb34
Instruction Fuzzy Hash: 39F1A371D04258EEDB00EBA5DD42BCDBBB8AF04308F50416BF504B7292DB786E49CB69

Function 004293A0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 139fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004293AA
ReadFile.KERNEL32(000000FF,00000000,00002800,00000001,00000000,00000001,00000000,000000A8,0043868E,?,00000001,00000000,?,?,?,00000000), ref: 0042948B
CloseHandle.KERNEL32(000000FF,?,?,?,00000000,00000001,00000000), ref: 0042949D

Part of subcall function 00428420: __EH_prolog3_GS.LIBCMT ref: 0042842A

__CxxThrowException@8.LIBCMT ref: 004294D0
WriteFile.KERNEL32(00000000,?,00000000,00000000,000000A8,0043868E,?,00000001,00000000,?,?,?,00000000,00000001,00000000), ref: 00429534
CloseHandle.KERNEL32(00000000,?,?,?,00000000,00000001,00000000,?,?,?,00000000), ref: 00429549
CloseHandle.KERNEL32(00000000,?,?,?,00000000,00000001,00000000,?,?,?,00000000), ref: 00429557

Strings

error opening file for writing, xrefs: 00429500
contents is empty, xrefs: 004294C0
error writing file, xrefs: 0042955D

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle$File$Exception@8H_prolog3_H_prolog3_catchReadThrowWrite
String ID: contents is empty$error opening file for writing$error writing file
API String ID: 3802985790-980197760
Opcode ID: c6785eb483391c74fd5098ca18a0bd07f21f9ec9958e1283337747fdd23df3ca
Instruction ID: c499336e5903cdbeda77786f90ce156a2c605bc3cf6368f1b586da11f95b3dac
Opcode Fuzzy Hash: c6785eb483391c74fd5098ca18a0bd07f21f9ec9958e1283337747fdd23df3ca
Instruction Fuzzy Hash: 2941E570A00215EBDF20AF90ED85AAE3774AB04319F51412FF50577191DB7C9E8A8BAD

Function 00422595 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 004225A7
GetObjectW.GDI32(00000000), ref: 004225AE
CreateFontIndirectW.GDI32(00457AD8), ref: 004225BB

Part of subcall function 00410FD3: _malloc.LIBCMT ref: 00410FED

CreateFontIndirectW.GDI32(00000000), ref: 004225E3
GetDC.USER32(00000000), ref: 004225F3
GetDeviceCaps.GDI32(00000000,00000058), ref: 00422604
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042260C
ReleaseDC.USER32(00000000,00000000), ref: 00422630

Strings

`, xrefs: 00422636
`, xrefs: 0042263F

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectObject$ReleaseStock_malloc
String ID: `$`
API String ID: 3131621926-197956300
Opcode ID: 8411d493171a9919d275dc0abc82d7d29780461aeed5843754097c37d7e27448
Instruction ID: 12cff05635d641eb86cb9a90f7d0b8ef8bbe484d6eb2b0aaeb93e7f5bf862572
Opcode Fuzzy Hash: 8411d493171a9919d275dc0abc82d7d29780461aeed5843754097c37d7e27448
Instruction Fuzzy Hash: 9211D531A04714BAE7105B61FC0AB9B7FB8EB42756F10407AF60097291DBF48D80CBA8

Function 004291A8 Relevance: 15.2, APIs: 10, Instructions: 178fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00423391: GetFileInformationByHandle.KERNEL32(00000000,?), ref: 004233C8
Part of subcall function 00423391: CloseHandle.KERNEL32(00000000), ref: 004233D3

Part of subcall function 00428420: __EH_prolog3_GS.LIBCMT ref: 0042842A

ReadFile.KERNEL32(00000000,?,00000001,?,00000000), ref: 00429215
WriteFile.KERNEL32(00000000,0044963C,00000002,?,00000000), ref: 0042926F
WriteFile.KERNEL32(?,00000000,00000001,00000002,00000000), ref: 0042930F
ReadFile.KERNEL32(?,00000000,00002800,00000001,00000000), ref: 0042932E
CloseHandle.KERNEL32(?), ref: 00429351
CloseHandle.KERNEL32(00000000), ref: 00429356
CloseHandle.KERNEL32(?), ref: 00429373
CloseHandle.KERNEL32(?), ref: 00429378
CloseHandle.KERNEL32(00000000), ref: 0042938D
CloseHandle.KERNEL32(00000000), ref: 00429393

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Handle$Close$File$ReadWrite$H_prolog3_Information
String ID:
API String ID: 1382214879-0
Opcode ID: e656f4156428187a173738d29ab683d422b60f0a622d144b15d6b0de2819b911
Instruction ID: 050427443aee3d82095ed406c55a72470e7cb8746b3ac540782cebb113b924b2
Opcode Fuzzy Hash: e656f4156428187a173738d29ab683d422b60f0a622d144b15d6b0de2819b911
Instruction Fuzzy Hash: 1B51C231E00129ABDF11DBA5EC45AEEBBB8AF49314F5040ABF410A7291D7785D45CBA8

Function 0042AB7E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 229COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042AB88

Part of subcall function 00435F29: __EH_prolog3.LIBCMT ref: 00435F30

Part of subcall function 00403C93: __EH_prolog3.LIBCMT ref: 00403C9A

Part of subcall function 00403C02: __EH_prolog3.LIBCMT ref: 00403C09

Part of subcall function 00403C48: __EH_prolog3.LIBCMT ref: 00403C4F

Strings

url error in ", xrefs: 0042ADF5
": , xrefs: 0042AE07
?launch=, xrefs: 0042ACAA
PjE, xrefs: 0042ABD4
?, xrefs: 0042ABDD
&launch=, xrefs: 0042AC20
TjE, xrefs: 0042ACEB

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3$H_prolog3_
String ID: ": $&launch=$?$?launch=$PjE$TjE$url error in "
API String ID: 4240126716-1053040137
Opcode ID: eba47c347315baddd24db417edff6d711efa8a1f48a577d12cd3f33d3691a648
Instruction ID: b0b2451c5177eac9f8d2dceeeb4dd1921bb835145c97ab9c96c0acf479e1851c
Opcode Fuzzy Hash: eba47c347315baddd24db417edff6d711efa8a1f48a577d12cd3f33d3691a648
Instruction Fuzzy Hash: 91916072D00198AADB11EBA5CD45FCFBB7CAF55308F1040EBA509B7182DA781F48CB65

Function 00437B48 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 130processCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00437B52
_memset.LIBCMT ref: 00437B61
StrCpyW.SHLWAPI(00000006,?), ref: 00437BF8
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000044,?), ref: 00437C4E
GetLastError.KERNEL32 ref: 00437C58
CloseHandle.KERNEL32(?), ref: 00437CB9

Strings

launch error #, xrefs: 00437C74
D, xrefs: 00437C16

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateErrorH_prolog3HandleLastProcess_memset
String ID: D$launch error #
API String ID: 3881325696-3841159381
Opcode ID: c9e0921abe146f78281791c5e0d2ac6145bbf0277634c0c3f7a49750d846131a
Instruction ID: e6b6a4e338da09818773bc92c7b710c1915182cf0bb27cc5a99d9f5e3e3845c2
Opcode Fuzzy Hash: c9e0921abe146f78281791c5e0d2ac6145bbf0277634c0c3f7a49750d846131a
Instruction Fuzzy Hash: 8441B171500704EBEB24DB68DD46BEAB7B4FF08304F10845EF686EB191EB78A944CB59

Function 0040C280 Relevance: 13.9, APIs: 9, Instructions: 404COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 0040C2FC
std::_String_base::_Xlen.LIBCPMT ref: 0040C316

Part of subcall function 004014A5: char_traits.LIBCPMT ref: 004014F5

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String_base::_Xlenstd::_$char_traits
String ID:
API String ID: 2464655862-0
Opcode ID: ddffe54e627ffcae5f1f92ddaf923047b508ce389b70aa4c5bf4a9740ee26386
Instruction ID: abf77cf8a35d1bbb903483302f472247232789562c45f06b82104373d1a2b65c
Opcode Fuzzy Hash: ddffe54e627ffcae5f1f92ddaf923047b508ce389b70aa4c5bf4a9740ee26386
Instruction Fuzzy Hash: 00E1DE30604700CBD734CF29CAC066AB7E6AB52714F204B3FD456A7BD2C779A949C79A

Function 004249B3 Relevance: 13.7, APIs: 9, Instructions: 247registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004249BA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000101,?,0000006C,00424E09,?,?,00000080,00424ED6,?,0000003C,00427D3D,?,00000001), ref: 004249EC
RegQueryValueExW.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,00000000,00000101,?,0000006C,00424E09,?,?,00000080), ref: 00424A26
RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,0000006C,00424E09,?,?,00000080,00424ED6,?,0000003C,00427D3D,?), ref: 00424A33
RegQueryValueExW.ADVAPI32(?,00000002,00000000,00000000,?,?,?,?,00000000,00000101,?,0000006C,00424E09,?,?,00000080), ref: 00424A85

Part of subcall function 00403C02: __EH_prolog3.LIBCMT ref: 00403C09

Part of subcall function 004028E7: std::_String_base::_Xlen.LIBCPMT ref: 00402920

RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,0000006C,00424E09,?,?,00000080,00424ED6,?,0000003C,00427D3D,?), ref: 00424AC1
RegQueryValueExW.ADVAPI32(?,00000002,00000000,00000000,00000000,?,?,?,00000000,00000101,?,0000006C,00424E09,?,?,00000080), ref: 00424B0F
RegQueryValueExW.ADVAPI32(?,00000002,00000000,00000000,00000000,?,?,?,00000000,00000101,?,0000006C,00424E09,?,?,00000080), ref: 00424BE1
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,00000101,?,0000006C,00424E09,?,?,00000080,00424ED6,?,0000003C), ref: 00424C4F

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue$Close$H_prolog3H_prolog3_OpenString_base::_Xlenstd::_
String ID:
API String ID: 3853482186-0
Opcode ID: 15284a5198c7a7aa7c1ca405b53113921b39c28d63f12e51a4e204f1a52e2bcb
Instruction ID: 1f7b110a2c94fe0a0e1b5cd92eb58a35b8a593453837bf108f1d93ce0c802a44
Opcode Fuzzy Hash: 15284a5198c7a7aa7c1ca405b53113921b39c28d63f12e51a4e204f1a52e2bcb
Instruction Fuzzy Hash: 6391AF71A00158EFDF14DBE5DD85AEEBB78EF44304F50402AE101BB2A5D6786E45CB68

Function 00428713 Relevance: 13.7, APIs: 9, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000), ref: 00428762
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004287D9
CloseHandle.KERNEL32(00000000), ref: 004287EC

Part of subcall function 00423391: GetFileInformationByHandle.KERNEL32(00000000,?), ref: 004233C8
Part of subcall function 00423391: CloseHandle.KERNEL32(00000000), ref: 004233D3

WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00428850
ReadFile.KERNEL32(?,00000000,00002800,00000000,00000000), ref: 00428871
CloseHandle.KERNEL32(?), ref: 00428887
CloseHandle.KERNEL32(?), ref: 0042888C
CloseHandle.KERNEL32(?), ref: 004288A5
CloseHandle.KERNEL32(?), ref: 004288AA

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Handle$Close$File$Write$CopyInformationRead
String ID:
API String ID: 956385400-0
Opcode ID: 5f38c79efe69577a203c2a8ec649800071ba8a9a9e5ef5a5135e164d828be187
Instruction ID: f790a05e7773238940d0e59789fa7fe84bd38f94ec0b5889cdc0f2cf6087f2ed
Opcode Fuzzy Hash: 5f38c79efe69577a203c2a8ec649800071ba8a9a9e5ef5a5135e164d828be187
Instruction Fuzzy Hash: 6951C330701224EBDB10EF61EC85BAE77B8AB40345FA0416EF40197291DF78EE41CBA8

Function 00422D7C Relevance: 13.6, APIs: 9, Instructions: 82COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?), ref: 00422D97
OpenProcessToken.ADVAPI32(00000000), ref: 00422D9E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00422DC1
CloseHandle.KERNEL32(?), ref: 00422DCB
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 00422DF1
CloseHandle.KERNEL32(?), ref: 00422DFA

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Token$CloseHandleInformationProcess$CurrentOpen
String ID:
API String ID: 3748835715-0
Opcode ID: edb99d315137f7fa00bc1440a480e8676241f0c9aebf6afe2908221f6df246b7
Instruction ID: c5c2ac9318769611665d3196b53f46ca3038e29cf372df8f722734cc3cf763df
Opcode Fuzzy Hash: edb99d315137f7fa00bc1440a480e8676241f0c9aebf6afe2908221f6df246b7
Instruction Fuzzy Hash: 1721B271614205FFDF119FA1FD45E9E7B78EB48741B10407AF201E2120DBB58A92EB18

Function 00435B8E Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 289COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00435B98

Part of subcall function 00423A5B: CharLowerW.USER32(00000000), ref: 00423AB0

Strings

://, xrefs: 00435BA2
https, xrefs: 00435C15
/, xrefs: 00435C83
ftp, xrefs: 00435C2E
file, xrefs: 00435C47
:, xrefs: 00435E7E

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharH_prolog3_catch_Lower
String ID: /$:$://$file$ftp$https
API String ID: 2430393206-822448976
Opcode ID: 0cdd6edff95402b6c08ed9c6cd1fb8f5cc222fd273532b868b99ea5027ac26ef
Instruction ID: a85455edcd8c20c8b39de3779d66f067a2f91094578c5dd318cc09920a7048d4
Opcode Fuzzy Hash: 0cdd6edff95402b6c08ed9c6cd1fb8f5cc222fd273532b868b99ea5027ac26ef
Instruction Fuzzy Hash: A8B16471940258AADB00EBF5CD46BDEB778BF14318F20422BF215B71D2D7B86A09CB59

Function 004229BE Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004229DC
AdjustWindowRectEx.USER32(?,?,00000000,?), ref: 00422A49
GetModuleHandleW.KERNEL32(00000000,00000000), ref: 00422A9D
CreateWindowExW.USER32(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00422ABD
SetWindowLongW.USER32(00000000,000000FC,Function_000228BC), ref: 00422AE6

Part of subcall function 0042256D: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0042258B

Strings

Can't create window, xrefs: 00422ACC
Window already created, xrefs: 004229CC

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$AdjustCreateException@8HandleLongMessageModuleRectSendThrow
String ID: Can't create window$Window already created
API String ID: 622255427-1993262928
Opcode ID: 899ff7d354281c6c286764c2674dcbb1787b9291edd878a5f6f7d7861d18d68b
Instruction ID: 77ca372c1c9b3fe44e9830025362e791add2570699165d1b18934fa42ca2373d
Opcode Fuzzy Hash: 899ff7d354281c6c286764c2674dcbb1787b9291edd878a5f6f7d7861d18d68b
Instruction Fuzzy Hash: CD4107B5A0030AAFCF10DFA8DA45AAE7BB4FB48704F50452EF911A2250D7B4E960CF64

Function 00422B07 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00422B37
LoadCursorW.USER32(00000000,00007F00), ref: 00422B4C
RegisterClassExW.USER32(00000030), ref: 00422B6C
__CxxThrowException@8.LIBCMT ref: 00422B8F

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

Can't register window class, xrefs: 00422B88
WindowClass, xrefs: 00422B62
0, xrefs: 00422B20

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassCursorExceptionException@8HandleLoadModuleRaiseRegisterThrow
String ID: 0$Can't register window class$WindowClass
API String ID: 366208366-109779466
Opcode ID: d74077d215c52488cd5954fb8187811911165eb6663f0a13c90e0fc4c0100b41
Instruction ID: 1e88683638b6ad808ca634f3e9ea07c79d46cd4356ab9651d57651dc5e8b9b4d
Opcode Fuzzy Hash: d74077d215c52488cd5954fb8187811911165eb6663f0a13c90e0fc4c0100b41
Instruction Fuzzy Hash: D8111EB4D01319AFDB00DFA9E985ADEBBB4BB18304F50806EE815E7301D7B89544CF58

Function 00422CA9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wuapi.dll), ref: 00422CCD
LoadStringW.USER32(00000000,0000F815,?,00001000), ref: 00422CE1
LoadLibraryW.KERNEL32(user32.dll), ref: 00422CEE
GetProcAddress.KERNEL32(00000000,ShutdownBlockReasonCreate), ref: 00422CF6

Strings

user32.dll, xrefs: 00422CE7
ShutdownBlockReasonCreate, xrefs: 00422CF0
wuapi.dll, xrefs: 00422CC8

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Load$Library$AddressProcString
String ID: ShutdownBlockReasonCreate$user32.dll$wuapi.dll
API String ID: 1125239459-523537308
Opcode ID: a2bae14822e4ed2b2ab5b06ad7894077b4c432f01517652f4073b649f36549e2
Instruction ID: c85e93ba308b7d6e8e80a5bba46143728bd7f4e36338d6ba0a56aed618e5716e
Opcode Fuzzy Hash: a2bae14822e4ed2b2ab5b06ad7894077b4c432f01517652f4073b649f36549e2
Instruction Fuzzy Hash: 98F0C830711318BAE7149BA4AD8ABAA3768EB48B44B54006A7205D3182DEE89900CB5C

Function 0042A8B7 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 00435F29: __EH_prolog3.LIBCMT ref: 00435F30

Part of subcall function 00435B8E: __EH_prolog3_catch_GS.LIBCMT ref: 00435B98

SetEvent.KERNEL32(00000001,00000000,004569FC,000000FF), ref: 0042A99B
EnterCriticalSection.KERNEL32(00457A68,00000001,00000000,00000001,00000000,?,00000001,00000000,?), ref: 0042AA5E
LeaveCriticalSection.KERNEL32(00457A68,?,00000001), ref: 0042AB38

Strings

magnet, xrefs: 0042A97A
torrent, xrefs: 0042A98A
hzE, xrefs: 0042AA58

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterEventH_prolog3H_prolog3_catch_Leave
String ID: hzE$magnet$torrent
API String ID: 3599823906-2277201331
Opcode ID: 64fa015290da568950a3b0b298c622330ccd40277fc735f7ff2096bc74f10a49
Instruction ID: d63e5322370e08daa2024bf05242eb49d941c1a5a651088f5a839bf88753bffb
Opcode Fuzzy Hash: 64fa015290da568950a3b0b298c622330ccd40277fc735f7ff2096bc74f10a49
Instruction Fuzzy Hash: 3061C2711483819ED320EB21DC42BDBB7E8AF94318F50493EF99563192DB785948C79B

Function 0043674F Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 171COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00436759

Part of subcall function 00436036: __EH_prolog3.LIBCMT ref: 0043603D

Part of subcall function 00423A5B: CharLowerW.USER32(00000000), ref: 00423AB0

Strings

Content-Disposition, xrefs: 00436765
"';, xrefs: 0043681B
filename, xrefs: 004367C0
/, xrefs: 004368F8
=, xrefs: 004367E4

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharH_prolog3H_prolog3_Lower
String ID: "';$/$=$Content-Disposition$filename
API String ID: 2243128287-494049755
Opcode ID: bd39ee2b9ac27c8b32b444be46a667f711af01f0ab80cb5cd0fe6cc5649c4091
Instruction ID: 1aaf431a549395a0e453bd523683bc8aba19b3dde4240d14128bf6b44f2e0f05
Opcode Fuzzy Hash: bd39ee2b9ac27c8b32b444be46a667f711af01f0ab80cb5cd0fe6cc5649c4091
Instruction Fuzzy Hash: 8951B571C00249EADF15EBE5CC85ADEB7B8AF19318F20822FE115B71D1DA785A49CB24

Function 0042425D Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00424264
AssocQueryStringW.SHLWAPI(00000000,00000002,?,open,00000000,?), ref: 004242AF
AssocQueryStringW.SHLWAPI(00000000,00000002,?,open,?,?), ref: 004242FD

Strings

openwith.exe, xrefs: 004243B1
P6[wPO[w, xrefs: 0042429A
open, xrefs: 004242A5, 004242AA, 004242F6

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AssocQueryString$H_prolog3_
String ID: P6[wPO[w$open$openwith.exe
API String ID: 1923178052-3303953555
Opcode ID: 00274e83b94ca68080dce9821f2ac28c80ba471a6b412828fe76469c7b236dc2
Instruction ID: 6736dbcd582ec8e4ae5b9a2a578b3cb28a4551e7bafae1446478841ee3eb690c
Opcode Fuzzy Hash: 00274e83b94ca68080dce9821f2ac28c80ba471a6b412828fe76469c7b236dc2
Instruction Fuzzy Hash: 8F51AF71E00258DEDB10EBE5D842ADEBBB4EF44304F51812EF105BB191D7B85A45CB69

Function 00437176 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00437180

Part of subcall function 00425C6F: __EH_prolog3.LIBCMT ref: 00425C76

Part of subcall function 0040450F: __EH_prolog3.LIBCMT ref: 00404516

Part of subcall function 0040455A: __EH_prolog3.LIBCMT ref: 00404561

Part of subcall function 004045A0: __EH_prolog3.LIBCMT ref: 004045A7

Part of subcall function 004358F2: __EH_prolog3.LIBCMT ref: 004358F9

Part of subcall function 00403C93: __EH_prolog3.LIBCMT ref: 00403C9A

Part of subcall function 00403C02: __EH_prolog3.LIBCMT ref: 00403C09

Part of subcall function 004370C2: __EH_prolog3.LIBCMT ref: 004370C9

Part of subcall function 0040173A: char_traits.LIBCPMT ref: 0040175F

Strings

POST, xrefs: 004371B3
Content-Type: multipart/form-data; boundary=, xrefs: 00437257
--, xrefs: 004371F7
Content-Disposition: form-data; name="data", xrefs: 004371C5
--, xrefs: 00437225

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3$H_prolog3_char_traits
String ID: --$Content-Disposition: form-data; name="data"$--$Content-Type: multipart/form-data; boundary=$POST
API String ID: 3359205163-1235690780
Opcode ID: ad88e66aff44dce27a31cf96aae021ed0412891ec0555731e8ef406c525fb72a
Instruction ID: e7753f40369bbc4c240e8d2708e11ea4ecb790749250e56328578bbca1c7244b
Opcode Fuzzy Hash: ad88e66aff44dce27a31cf96aae021ed0412891ec0555731e8ef406c525fb72a
Instruction Fuzzy Hash: 6C4144B1C01158BBDB11EBA5DC86ECF7B7CAF54304F1081AAF146B3181EA781B08CB65

Function 0042B022 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 125sleepCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042B02C
Sleep.KERNEL32(0000EA60,00000190,?,?,?,?,?,?,?,?,?,00000070), ref: 0042B046

Part of subcall function 00437176: __EH_prolog3_GS.LIBCMT ref: 00437180

Part of subcall function 0040173A: char_traits.LIBCPMT ref: 0040175F

ExitProcess.KERNEL32 ref: 0042B1F7

Strings

PjE, xrefs: 0042B086
/launch_info, xrefs: 0042B173
0x004000e0, xrefs: 0042B073

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_$ExitProcessSleepchar_traits
String ID: /launch_info$0x004000e0$PjE
API String ID: 3576841262-23861177
Opcode ID: fb839f6436a7b063bccc6105032628822820b41e910f12458f124e8310ef531e
Instruction ID: 59c4de022c657c2c658c475c494945ca9cf309bd3d3e158606bb8eb7d533e7d8
Opcode Fuzzy Hash: fb839f6436a7b063bccc6105032628822820b41e910f12458f124e8310ef531e
Instruction Fuzzy Hash: 9A41F970904268BEDB21EB659C46BCE7B74AF16304F5081EAF119772D2CAB81F88CB55

Function 0042A523 Relevance: 10.6, APIs: 7, Instructions: 96windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00436964: __EH_prolog3_GS.LIBCMT ref: 0043696B

PostMessageW.USER32(00000402,00000000,00000000), ref: 0042A5C2
SetTimer.USER32(?,00000002,000003E8,Function_0002A1AA), ref: 0042A63E

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_MessagePostTimer
String ID:
API String ID: 3213910739-0
Opcode ID: fd128f7fbee9ce2204b2b77ad79c9484968371dadfd14c3e57681c4f780ccdc7
Instruction ID: 0b18581d3765697a9f55c95455699c8ad95f80b6eb321c80718b170a280a7112
Opcode Fuzzy Hash: fd128f7fbee9ce2204b2b77ad79c9484968371dadfd14c3e57681c4f780ccdc7
Instruction Fuzzy Hash: A0314DB0748330BBDB109F64FD45E2A3B69AB45B11B50423BF905C32E2CB3D88418B6E

Function 0043789C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 76comCOMMON

Download Yara Rule

APIs

OleCreate.OLE32(00444710,00444700,00000001,00000000,0042D647,00000000,0042D65F), ref: 004378C6
__CxxThrowException@8.LIBCMT ref: 004378E6
OleSetContainedObject.OLE32(0042D65F,00000001), ref: 004378F9

Strings

QueryInterface(IWebBrowser) failed, xrefs: 00437944
OleCreate() failed, xrefs: 004378D0
DoVerb(OLEIVERB_INPLACEACTIVATE) failed, xrefs: 00437927

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ContainedCreateException@8ObjectThrow
String ID: DoVerb(OLEIVERB_INPLACEACTIVATE) failed$OleCreate() failed$QueryInterface(IWebBrowser) failed
API String ID: 3259990851-713879003
Opcode ID: 8db5b6c664b919d33b929c77047db62e55e34bc4b144ae35385a25aff6604017
Instruction ID: 99e76b4c292bceafdeb734a20d47ec22bcfeb251776d4d62147da273049fd577
Opcode Fuzzy Hash: 8db5b6c664b919d33b929c77047db62e55e34bc4b144ae35385a25aff6604017
Instruction Fuzzy Hash: B021C371604324ABEB20DF64CC89F973778EF4A720F104916F905AB2D0C7B5E801C769

Function 00424152 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042415C

Part of subcall function 00435F29: __EH_prolog3.LIBCMT ref: 00435F30

DefWindowProcW.USER32(?,?,?,?,?,0000EA60,00007530,00000150), ref: 00424206

Part of subcall function 004230E1: GetSystemMetrics.USER32(00002000), ref: 004230E6

SetEvent.KERNEL32(?,0000EA60,00007530,00000150), ref: 004241BA
ResetEvent.KERNEL32 ref: 004241C6
ResetEvent.KERNEL32(?,0000EA60,00007530,00000150), ref: 004241E4
SetEvent.KERNEL32 ref: 004241F0
SetEvent.KERNEL32(?,0000EA60,00007530,00000150), ref: 00424221

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Event$Reset$H_prolog3H_prolog3_MetricsProcSystemWindow
String ID:
API String ID: 3056946317-0
Opcode ID: 08f64fad535afbc3c73dce2e94f254fc3bec98ad2239babc29fde4783dd26284
Instruction ID: 2990bff95d7c41b356380f8b20639e4bb3bd6eca5ba16e7d6960f385ab0fd4b2
Opcode Fuzzy Hash: 08f64fad535afbc3c73dce2e94f254fc3bec98ad2239babc29fde4783dd26284
Instruction Fuzzy Hash: 6721F734A08360EFD7129BA1FC086AD3B60EB96706F444077F80186272C7B99AD1C76D

Function 00425FD5 Relevance: 9.1, APIs: 6, Instructions: 146registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,00000109,39FCDDF2,39FCDDF2), ref: 00426027
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042605D
RegCloseKey.ADVAPI32(?), ref: 0042606B
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004260C6
RegCloseKey.ADVAPI32(?,?,?), ref: 00426127
RegCloseKey.ADVAPI32(?), ref: 00426171

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close$EnumInfoOpenQuery
String ID:
API String ID: 1383594502-0
Opcode ID: 4fd19bc15858fce6e64bfb942bb50020238f86e4dbc29ee7211a6158c35f2d3c
Instruction ID: 31be56774b01b39b4d2722298ac3367537a3d6aee57d6ad37a955b20885b5dd0
Opcode Fuzzy Hash: 4fd19bc15858fce6e64bfb942bb50020238f86e4dbc29ee7211a6158c35f2d3c
Instruction Fuzzy Hash: C3417872108304AFD701EF25EC41A6BBBE8FF88358F00092EF595A61A1DB34DD55DB5A

Function 00429621 Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 0042965A
SetFileAttributesW.KERNEL32(?,00000080), ref: 00429675
MoveFileExW.KERNEL32(?,?,00000003), ref: 0042969C
SetFileAttributesW.KERNEL32(?,?), ref: 004296C0
GetFileAttributesW.KERNEL32(?), ref: 004296DA
SetFileAttributesW.KERNEL32(?,?), ref: 00429705

Part of subcall function 00423391: GetFileInformationByHandle.KERNEL32(00000000,?), ref: 004233C8
Part of subcall function 00423391: CloseHandle.KERNEL32(00000000), ref: 004233D3

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Attributes$Handle$CloseInformationMove
String ID:
API String ID: 3710066108-0
Opcode ID: f62f06324d02b773c6e34212ff886f3ffc0e0fc6ae11a8594068b945bbad2b02
Instruction ID: 0ea27349206e9bca829748aed3258ba1ecc94854df4f87d48a800291172211f3
Opcode Fuzzy Hash: f62f06324d02b773c6e34212ff886f3ffc0e0fc6ae11a8594068b945bbad2b02
Instruction Fuzzy Hash: 20318030300220DBCF20DF59F988A5A77F9BB92305F90046AE4029B211D738EE85CBAD

Function 00423391 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(00000000,?), ref: 004233C8
CloseHandle.KERNEL32(00000000), ref: 004233D3
CloseHandle.KERNEL32(00000000), ref: 004233E5
GetFileInformationByHandle.KERNEL32(00000000,?), ref: 00423411
CloseHandle.KERNEL32(00000000), ref: 0042341C
CloseHandle.KERNEL32(00000000), ref: 00423420

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Handle$Close$FileInformation
String ID:
API String ID: 2084189531-0
Opcode ID: d484912e99cb8c66730c485e435860303722414c74d627794c241e93365fe73f
Instruction ID: 1aaf1e24dcb7efe84bf624300739504c91def5e7e997f4d15dc4eb6941f933df
Opcode Fuzzy Hash: d484912e99cb8c66730c485e435860303722414c74d627794c241e93365fe73f
Instruction Fuzzy Hash: 9611DB31700128E7DB10DF95FC45F9E77B8AB41311F910152F901EB194DBBCEB4186A9

Function 0040B110 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 313COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0040B1A4

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

invalid map/set<T> iterator, xrefs: 0040B14A
vA@, xrefs: 0040B17A
0GD, xrefs: 0040B195, 0040B19C
@@, xrefs: 0040B19D

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0GD$@@$invalid map/set<T> iterator$vA@
API String ID: 3976011213-837081462
Opcode ID: 7b7bedf3d034100610b77fbaf6e5a71b7f5f74520af66ac9f2efc5d8a685af34
Instruction ID: 42e2fd45e14d52ad75f4b14b5571c91fd35f3f04d8e982606b6d4e3943e44748
Opcode Fuzzy Hash: 7b7bedf3d034100610b77fbaf6e5a71b7f5f74520af66ac9f2efc5d8a685af34
Instruction Fuzzy Hash: 41D1A170A046849FDB11DF64C080B6ABBA1FF55304F6881AED8456F792C339EC86CBD9

Function 0042379B Relevance: 9.1, APIs: 6, Instructions: 55filesynchronizationCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5), ref: 004237C0
WaitForSingleObject.KERNEL32(000000FF), ref: 004237E0
EnterCriticalSection.KERNEL32(00457AA4), ref: 004237E7
LeaveCriticalSection.KERNEL32(00457AA4,00000000), ref: 00423801
WriteFile.KERNEL32(?,?,?,00000000), ref: 00423825
WriteFile.KERNEL32(00449CA4,00000001,?,00000000), ref: 0042383C

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalFileSectionWrite$EnterHandleLeaveObjectSingleWait
String ID:
API String ID: 1665657257-0
Opcode ID: 70006828fa002023adc9663fa3cac9c830c1046808398677bfe6eb02ddc7df11
Instruction ID: c5e775d9a81559d828baf0778ade2b87517e23c5f18d35a6ad0ec28a8ffa8dfa
Opcode Fuzzy Hash: 70006828fa002023adc9663fa3cac9c830c1046808398677bfe6eb02ddc7df11
Instruction Fuzzy Hash: F51182B5804218AFDB01EFA4EC85EEE7BB8FF45305B50413AF411721A1D7799E44CB68

Function 0042B2FB Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 302threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042B302

Part of subcall function 0040AA00: __CxxThrowException@8.LIBCMT ref: 0040AA6D

Part of subcall function 0040173A: char_traits.LIBCPMT ref: 0040175F

CreateThread.KERNEL32(00000000,00000000,0042A64E,00000000,00000000,00000000), ref: 0042B642
CloseHandle.KERNEL32(00000000), ref: 0042B649

Strings

IMAGE, xrefs: 0042B521
STATIC, xrefs: 0042B578

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateException@8H_prolog3HandleThreadThrowchar_traits
String ID: IMAGE$STATIC
API String ID: 2759594001-2604499632
Opcode ID: 8ea4d6ca0730c8c5d2c75ed0dc239637a79de546c6e0b8fbde128e7b9e80dbc7
Instruction ID: 273c8f871883c1ffd5c736ad4ee45186a8885ea9cc3bd8deae73063dfa61d6dd
Opcode Fuzzy Hash: 8ea4d6ca0730c8c5d2c75ed0dc239637a79de546c6e0b8fbde128e7b9e80dbc7
Instruction Fuzzy Hash: FAA1C370B00224ABCF04EF659951ABE37AAAF45308B44406FF905BB3D2CB7C9D51CB99

Function 00429DFB Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00429E02
ILCreateFromPath.SHELL32(?), ref: 00429E3D
ILCreateFromPath.SHELL32(00000000), ref: 00429E50
SHOpenFolderAndSelectItems.SHELL32(00000000,00000001,?,00000000), ref: 00429E5E
ILFree.SHELL32(00000000), ref: 00429E6D
ILFree.SHELL32(?), ref: 00429E72

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFreeFromPath$FolderH_prolog3_ItemsOpenSelect
String ID:
API String ID: 1876049870-0
Opcode ID: 6d514105c9c28b4a853b3bfc54a5fdbbbfaedf3c5f24d6aef2319209ef577373
Instruction ID: 6cfbc217f819dfe4b45686791afd9addd2468e763639b8d6c18cc5c09b1475e9
Opcode Fuzzy Hash: 6d514105c9c28b4a853b3bfc54a5fdbbbfaedf3c5f24d6aef2319209ef577373
Instruction Fuzzy Hash: 5501AD72E00124ABCF10A7B5EC45BAE7AB4AF45720F550126F100B72D0CB78AC418BA9

Function 00413B81 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 00413BA9

Part of subcall function 004125D8: __getptd.LIBCMT ref: 004125E6
Part of subcall function 004125D8: __getptd.LIBCMT ref: 004125F4

__getptd.LIBCMT ref: 00413BB3

Part of subcall function 0041507C: __getptd_noexit.LIBCMT ref: 0041507F
Part of subcall function 0041507C: __amsg_exit.LIBCMT ref: 0041508C

__getptd.LIBCMT ref: 00413BC1
__getptd.LIBCMT ref: 00413BCF
__getptd.LIBCMT ref: 00413BDA
_CallCatchBlock2.LIBCMT ref: 00413C00

Part of subcall function 0041267D: __CallSettingFrame@12.LIBCMT ref: 004126C9

Part of subcall function 00413CA7: __getptd.LIBCMT ref: 00413CB6
Part of subcall function 00413CA7: __getptd.LIBCMT ref: 00413CC4

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: dae30f5ed0dbb6fcde6fcfcb962a81357f7044e4e1c73fa55173d05fbf4ce565
Instruction ID: 3a3b829b0dfa3db68fc5949faf2e28c5805cfe67d1568e3c9abb9a7863e23b2f
Opcode Fuzzy Hash: dae30f5ed0dbb6fcde6fcfcb962a81357f7044e4e1c73fa55173d05fbf4ce565
Instruction Fuzzy Hash: 3C110771C00209EFDB00EFA5C546AEDBBB0FF48319F10806AF854A7251DB799A919F98

Function 0040DE90 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 199COMMON

Download Yara Rule

APIs

_swscanf.LIBCMT ref: 0040DF4F
_swscanf.LIBCMT ref: 0040DF8F

Part of subcall function 00401820: char_traits.LIBCPMT ref: 00401878

Strings

' is not a number., xrefs: 0040DFF4
%lf, xrefs: 0040DF41, 0040DF44
Unable to parse token length, xrefs: 0040DEDE

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _swscanf$char_traits
String ID: %lf$' is not a number.$Unable to parse token length
API String ID: 1429961252-2790277816
Opcode ID: bffac76f3d59450d7b68950614dbc3a5fe5efa74c0019a4c26a84911f60c34b7
Instruction ID: e2ccc3ea299ffc997e11aa6cd8b2993e37f0c395781a76153f7b8af4da744336
Opcode Fuzzy Hash: bffac76f3d59450d7b68950614dbc3a5fe5efa74c0019a4c26a84911f60c34b7
Instruction Fuzzy Hash: 6571B1B1D002489FDB10DFE5D981ADEFBB8AF44304F10857EE409BB285D7786A49CB54

Function 00439409 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00439413

Part of subcall function 0042425D: __EH_prolog3_GS.LIBCMT ref: 00424264
Part of subcall function 0042425D: AssocQueryStringW.SHLWAPI(00000000,00000002,?,open,00000000,?), ref: 004242AF

AssocQueryStringW.SHLWAPI(00000000,00000004,00000001,open,00000000,?), ref: 0043949F

Strings

P6[wPO[w, xrefs: 0043948B
open, xrefs: 00439496, 004394E4

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AssocH_prolog3_QueryString
String ID: P6[wPO[w$open
API String ID: 4091812397-3062883049
Opcode ID: a01f625231ddec3b4512241f86440a41d1a5d85960c2963bba5b2392cbe9154d
Instruction ID: d032e99a6088a1a02ba2d9b19af0aa846b862b8890f4b744c66d1f4f06dfd0d8
Opcode Fuzzy Hash: a01f625231ddec3b4512241f86440a41d1a5d85960c2963bba5b2392cbe9154d
Instruction Fuzzy Hash: EA419071D00148EEDF10EBA5CC41ADEBBB4AF49704F10802FF115BB291D6B85E86CB69

Function 00407633 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040763A
std::bad_exception::bad_exception.LIBCMT ref: 0040766C
__CxxThrowException@8.LIBCMT ref: 0040767A

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

std::bad_exception::bad_exception.LIBCMT ref: 0040771D

Strings

deque<T> too long, xrefs: 00407654

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: std::bad_exception::bad_exception$ExceptionException@8H_prolog3RaiseThrow
String ID: deque<T> too long
API String ID: 2138009833-309773918
Opcode ID: befa1693a3cc2e3d9fca1ab189886dc96402aea32bd03fabb68e0c8b0cdc2358
Instruction ID: d64bdba2e7191ce0a0492fd8280bfbfea301ffe7162a6212e6420ec16004147f
Opcode Fuzzy Hash: befa1693a3cc2e3d9fca1ab189886dc96402aea32bd03fabb68e0c8b0cdc2358
Instruction Fuzzy Hash: 6041D431F142064BDB18EF74E8919AE73A5AB84355B20453FE016F72D2EE79F905874C

Function 0042AF3F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042AF46

Part of subcall function 00424C75: __EH_prolog3.LIBCMT ref: 00424C7C

Part of subcall function 00403C93: __EH_prolog3.LIBCMT ref: 00403C9A

Part of subcall function 00403C02: __EH_prolog3.LIBCMT ref: 00403C09

Part of subcall function 00403C48: __EH_prolog3.LIBCMT ref: 00403C4F

Part of subcall function 0042AEF9: __EH_prolog3.LIBCMT ref: 0042AF00
Part of subcall function 0042AEF9: MessageBoxW.USER32(00000000,00449E60,00449A58,00000010), ref: 0042AF17
Part of subcall function 0042AEF9: ExitProcess.KERNEL32 ref: 0042AF38

__EH_prolog3.LIBCMT ref: 0042AFB5

Strings

exception #0x, xrefs: 0042AFE0
exception product #0x, xrefs: 0042AF6F
at 0x, xrefs: 0042AF7E, 0042AFF2

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3$ExitMessageProcess
String ID: at 0x$exception #0x$exception product #0x
API String ID: 864195752-1590855480
Opcode ID: 847e560d89950c48f19b13ac732148a1183be1684ac371d83efb64b951d29b0b
Instruction ID: d349a130f5cf6efac17657e5b76d3106da8d90abcdbc249021c1838a19962230
Opcode Fuzzy Hash: 847e560d89950c48f19b13ac732148a1183be1684ac371d83efb64b951d29b0b
Instruction Fuzzy Hash: 1321B57290414CBFEB00EB95C80BBDE7BBC9F15308F24406EF449B7182DA796B4497A6

Function 00411F24 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00411F46
__calloc_crt.LIBCMT ref: 00411F5F

Strings

PSE, xrefs: 00411F8B
PE, xrefs: 00411F98
@QE, xrefs: 00411FC8

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __calloc_crt
String ID: @QE$PSE$PE
API String ID: 3494438863-1231418410
Opcode ID: fc9a26dd291835332caed6d4710fad62f8b0ace5d8a4c5d7b06643c271d4e0e3
Instruction ID: f25a63fb144e308bb057c5b1c28d18bec4ff2a2c9ea8c720e296ed17a7dae2c2
Opcode Fuzzy Hash: fc9a26dd291835332caed6d4710fad62f8b0ace5d8a4c5d7b06643c271d4e0e3
Instruction Fuzzy Hash: 39119431309A1197E7248F2DAC507E62381EB84729B64422FF605DA3F1EB38D8C3924C

Function 00423144 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll), ref: 0042315D
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0042316D
GetCurrentProcess.KERNEL32(?), ref: 00423180

Strings

kernel32.dll, xrefs: 00423151
IsWow64Process, xrefs: 00423167

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressCurrentLibraryLoadProcProcess
String ID: IsWow64Process$kernel32.dll
API String ID: 353374858-3024904723
Opcode ID: 73de74fa010cbc681ba528b31037d50c12bc113bcd53c5172cbb66a2bcab5c0a
Instruction ID: c5671458b1754ca64eaf96e7c13ce7661937e62bfa1152c629f0d7930b6ee01b
Opcode Fuzzy Hash: 73de74fa010cbc681ba528b31037d50c12bc113bcd53c5172cbb66a2bcab5c0a
Instruction Fuzzy Hash: 6EF0DA64608355AADB138BB6FE0C7663BA86701B0AF4440B6A941922A6DA7CC654C77C

Function 004138D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004138EA

Part of subcall function 0041507C: __getptd_noexit.LIBCMT ref: 0041507F
Part of subcall function 0041507C: __amsg_exit.LIBCMT ref: 0041508C

__getptd.LIBCMT ref: 004138FB
__getptd.LIBCMT ref: 00413909

Strings

csm, xrefs: 004138E3
MOC, xrefs: 004138DC

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 265c42553eb0240ea898c57b48988016ddabf00f8bd868e4847a54b1a75392e0
Instruction ID: 18e93fd334ff6758956b677e528d108ad32da7af9b9e5847ed64331dae73f971
Opcode Fuzzy Hash: 265c42553eb0240ea898c57b48988016ddabf00f8bd868e4847a54b1a75392e0
Instruction Fuzzy Hash: A0E01A31120604DFCB10ABA9C046BE937A8BB8D319F1A00A6A548C7322D77CDEC0958A

Function 0042533E Relevance: 7.6, APIs: 5, Instructions: 138COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00425345
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004253EB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042540C
__allrem.LIBCMT ref: 0042541B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425431

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$H_prolog3___allrem
String ID:
API String ID: 107759809-0
Opcode ID: 3e817ae35f91ac8c6b860a7706b54718395cbb2face470a426a6b88e95c313d9
Instruction ID: 5f23d74009167d310c6846a9c70487cd95401c28822fac240f8d40b7e23ce461
Opcode Fuzzy Hash: 3e817ae35f91ac8c6b860a7706b54718395cbb2face470a426a6b88e95c313d9
Instruction Fuzzy Hash: 0D517DB1E00258AFDF00DFAAE8859DEBBB5FF44319F50842BF914A6251C7B88955CF48

Function 0042B658 Relevance: 7.6, APIs: 5, Instructions: 89windowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0042B66F
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0042B6E0
LeaveCriticalSection.KERNEL32(00457A84), ref: 0042B730
MessageBoxW.USER32(00449D60,00449CC8,00000024), ref: 0042B758
DestroyWindow.USER32 ref: 0042B76E

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalMessageSection$DestroyEnterLeaveSendWindow
String ID:
API String ID: 581560771-0
Opcode ID: b5f2c44658108aaf79d6597a5bfe9eea0e7945b9345dadf514e29ff23ed24dc2
Instruction ID: 53d149bb2932181bc76626ae48f1751a4f992d1dd65d0d443cbcda858eb90e04
Opcode Fuzzy Hash: b5f2c44658108aaf79d6597a5bfe9eea0e7945b9345dadf514e29ff23ed24dc2
Instruction Fuzzy Hash: 003190316483119BD710EF21ED46B4B7BE0EF85709F50082EF985632A2CB78AD45CB9B

Function 00423206 Relevance: 7.6, APIs: 5, Instructions: 64threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00022C29,00000000,00000000,00000000), ref: 00423259
CloseHandle.KERNEL32(00000000), ref: 00423267
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00423274
GetExitCodeThread.KERNEL32(00000000,?), ref: 00423282
CloseHandle.KERNEL32(00000000), ref: 00423289

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleThread$CodeCreateExitObjectSingleWait
String ID:
API String ID: 4022936218-0
Opcode ID: 63c63f714d8cc9471f917328b222a4e9f6d58895bac130d7f07eb2b88a25fc2f
Instruction ID: 6494cfe2d9d537ea8efcf4e454e0493a762deb4ef32d6c94974ac2674d506e79
Opcode Fuzzy Hash: 63c63f714d8cc9471f917328b222a4e9f6d58895bac130d7f07eb2b88a25fc2f
Instruction Fuzzy Hash: D211297A501224FFDB209F65AC4DCAB77BCEA46395310417AF402D3150DB789E458BB5

Function 0042329B Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

GetNamedSecurityInfoW.ADVAPI32(?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 004232C6
GetLengthSid.ADVAPI32(?,?,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 004232D9
CopySid.ADVAPI32(00000000,00000000,?,?,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 004232EF
LocalFree.KERNEL32(?,?,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 004232FC
LocalFree.KERNEL32(?,?,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 0042330D

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeLocal$CopyInfoLengthNamedSecurity
String ID:
API String ID: 2716119510-0
Opcode ID: 7ef5f90be3e212e9feb24df122f05a23a5d6bfd10f61f84ea8bb989af9959e68
Instruction ID: 2e34b4f653d33eaa867f22ab2ec4aceabe87e25795db9d4479b57639c323ec36
Opcode Fuzzy Hash: 7ef5f90be3e212e9feb24df122f05a23a5d6bfd10f61f84ea8bb989af9959e68
Instruction Fuzzy Hash: 7001B976714110FFDB189FA1ED09EAF7A79DB81706B10416EF502D2150EA74DF40D678

Function 0043CD9A Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0043CDA8
CloseHandle.KERNEL32(?), ref: 0043CDB0
__aulldiv.LIBCMT ref: 0043CDC5

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle$__aulldiv
String ID:
API String ID: 3821018545-0
Opcode ID: 9d5563a1266ac02ea5484df537ebfb9f933b10e44cf8e2f5e1acc34509809c11
Instruction ID: 649576c46cd5477df217c65821f9922fabff492e179169527d59eecc04666f35
Opcode Fuzzy Hash: 9d5563a1266ac02ea5484df537ebfb9f933b10e44cf8e2f5e1acc34509809c11
Instruction Fuzzy Hash: 3A1182B1E00218EBDF14ABE1EC82BAD7778BF48384F15012AF511B7291C6B8AC51CB5D

Function 00425CFC Relevance: 7.5, APIs: 5, Instructions: 44threadCOMMON

Download Yara Rule

APIs

SetProcessShutdownParameters.KERNEL32(?,00000001), ref: 00425D06
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00425D19
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00425D26
CreateThread.KERNEL32(00000000,00000000,004254D1,00000000,00000000,00000000), ref: 00425D47
CloseHandle.KERNEL32(00000000), ref: 00425D58

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create$Event$CloseHandleParametersProcessShutdownThread
String ID:
API String ID: 2273671094-0
Opcode ID: 670c20bd93a877338eafb23a82b23ac2f4ee12c6ef6bbe727d1a9434b4180f29
Instruction ID: a2f0a1300e5ee6f6e1c51f08aa7d603b9f2799b8354623e6def3d6e44f958931
Opcode Fuzzy Hash: 670c20bd93a877338eafb23a82b23ac2f4ee12c6ef6bbe727d1a9434b4180f29
Instruction Fuzzy Hash: 5AF0EC35556324BBCB205BA6AC4DEC77FADEB8A7A1B104072F50C86151C6B19581CBA4

Function 00428DE6 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00428DF0

Part of subcall function 0040AA00: __CxxThrowException@8.LIBCMT ref: 0040AA6D

Part of subcall function 0040173A: char_traits.LIBCPMT ref: 0040175F

Strings

type, xrefs: 00428F14, 00428F2A, 00428F3C
name, xrefs: 00428EC7, 00428EDD, 00428EEF, 00428F9A
command, xrefs: 00428FA8

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8H_prolog3_Throwchar_traits
String ID: command$name$type
API String ID: 2440691708-3438439908
Opcode ID: f548fb1b8cc5b31627c20974d5d3cec9f01ce20533ea74914ee5b2e816c8e5f2
Instruction ID: 96bd81c36be532cfe1a2be10324c7758634b66bdad093782b62581a822fc4f99
Opcode Fuzzy Hash: f548fb1b8cc5b31627c20974d5d3cec9f01ce20533ea74914ee5b2e816c8e5f2
Instruction Fuzzy Hash: DFB1E370A002689EDF10EB25DC41BEEB778AF52308F5441EEE54A772D1CB781E85CB69

Function 00407D93 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00407D9A
std::bad_exception::bad_exception.LIBCMT ref: 00407DC0
__CxxThrowException@8.LIBCMT ref: 00407DCE

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

invalid map/set<T> iterator, xrefs: 00407DA8

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exception
String ID: invalid map/set<T> iterator
API String ID: 3715482749-152884079
Opcode ID: 184a4c580bc95bd4d25b7083490171944894c3158fe581ecf234c0144678c2cd
Instruction ID: 7779c8677bd1fd32596bcf7e96e045f90fd81b43fd5ae6e492f7226d03fc9b74
Opcode Fuzzy Hash: 184a4c580bc95bd4d25b7083490171944894c3158fe581ecf234c0144678c2cd
Instruction Fuzzy Hash: 23A140B09082819FDB15CF24C144B557BA1AF19318F1885EED4895F3D2C779FC86CB9A

Function 0040347D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00403484
std::bad_exception::bad_exception.LIBCMT ref: 004034AA
__CxxThrowException@8.LIBCMT ref: 004034B8

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

invalid map/set<T> iterator, xrefs: 00403492

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exception
String ID: invalid map/set<T> iterator
API String ID: 3715482749-152884079
Opcode ID: 7c18d5d4013d99806d4b0a65395efaddbd3a891359de8f2c9a88428aa82dcc16
Instruction ID: a8bfe9d6e5b53a345aba3f3fb771b499c553e174582fddd3d5438b598f7458d4
Opcode Fuzzy Hash: 7c18d5d4013d99806d4b0a65395efaddbd3a891359de8f2c9a88428aa82dcc16
Instruction Fuzzy Hash: 57A1A1B0504280AFD721CF25C580755BFE5AB19309F2885AED4895F3E2C37AE986CF59

Function 00403794 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040379B
std::bad_exception::bad_exception.LIBCMT ref: 004037C1
__CxxThrowException@8.LIBCMT ref: 004037CF

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

invalid map/set<T> iterator, xrefs: 004037A9

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exception
String ID: invalid map/set<T> iterator
API String ID: 3715482749-152884079
Opcode ID: ff7c8201a0a3897ebacb246438d327a093f4ef030574f121d0fcaa8569a99da6
Instruction ID: 1cd89a8a4b610f3de899a8e08ff6471e87b7f7b727e7267f2869fb2fb3fd5611
Opcode Fuzzy Hash: ff7c8201a0a3897ebacb246438d327a093f4ef030574f121d0fcaa8569a99da6
Instruction Fuzzy Hash: 7DA1BE706042809FDB21DF14C184B65BFE5AF15309F1880EEE5896F392D3BAED86CB85

Function 004093B9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 223COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004093C0
std::bad_exception::bad_exception.LIBCMT ref: 004093E6
__CxxThrowException@8.LIBCMT ref: 004093F4

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

invalid map/set<T> iterator, xrefs: 004093CE

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exception
String ID: invalid map/set<T> iterator
API String ID: 3715482749-152884079
Opcode ID: 791f02f1378ac69aba3d7642e871640fb31a6aa098a51275b674bce4d2bb6282
Instruction ID: c54bba6955d94d1b2b639d96088a2a20ab2ac2e627b0da61a9902bb31361a461
Opcode Fuzzy Hash: 791f02f1378ac69aba3d7642e871640fb31a6aa098a51275b674bce4d2bb6282
Instruction Fuzzy Hash: F3A18370509281AFDB1ACF14C144B667FA1AF55308F2880AED4855F3D3C77AED86CB96

Function 0040905C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409063
std::bad_exception::bad_exception.LIBCMT ref: 00409089
__CxxThrowException@8.LIBCMT ref: 00409097

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

invalid map/set<T> iterator, xrefs: 00409071

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exception
String ID: invalid map/set<T> iterator
API String ID: 3715482749-152884079
Opcode ID: 56af8353a16e4dc01ba1dcc63191f1e11c1d3336b9f257e4ae504dd82a06593e
Instruction ID: 484545f1e6b8f7b6b393576b822a186ba28221c8416bf2c5577c359f152dd2e2
Opcode Fuzzy Hash: 56af8353a16e4dc01ba1dcc63191f1e11c1d3336b9f257e4ae504dd82a06593e
Instruction Fuzzy Hash: 4F9180706082819FEB15CF24D188B667FA16B51308F2884EED4855F3D3C77AED86C7A6

Function 0040BA70 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 192COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0040BB02

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

vA@, xrefs: 0040BADA
0GD, xrefs: 0040BAF4, 0040BAFA
map/set<T> too long, xrefs: 0040BAAB

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0GD$map/set<T> too long$vA@
API String ID: 3976011213-3205554264
Opcode ID: 81674a34f8400bfe8d53fcb3fa69b1ec7c2c218f4012f7f0d9b0129fbead4c34
Instruction ID: 44e191cd355b1d6712e8c815fce3b968e0d1af5fe9ba3181d35140068a8afbc0
Opcode Fuzzy Hash: 81674a34f8400bfe8d53fcb3fa69b1ec7c2c218f4012f7f0d9b0129fbead4c34
Instruction Fuzzy Hash: B98134B09042469FC714DF18C180956FBB1FF59304B28C2AED859AB796D739EC82CBD8

Function 00429EDF Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 171windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00429EE9
GetTickCount.KERNEL32 ref: 00429EFE

Part of subcall function 004028E7: std::_String_base::_Xlen.LIBCPMT ref: 00402920

PostMessageW.USER32(00000402,?,00000000,00000001), ref: 0042A105

Part of subcall function 00422891: SetWindowTextW.USER32(?,?), ref: 004228A5

Strings

% - , xrefs: 00429FA0

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountH_prolog3_MessagePostString_base::_TextTickWindowXlenstd::_
String ID: % -
API String ID: 3571351700-2510404823
Opcode ID: 15faf9c159cfe9f8b591e73d450f321cc6f1350a514c37fea0dc514f9fe8317a
Instruction ID: f8c1bcfd9c6be6a4beb287e46141c8d71d480bc51ec5a42aaacf6f3435dd69e7
Opcode Fuzzy Hash: 15faf9c159cfe9f8b591e73d450f321cc6f1350a514c37fea0dc514f9fe8317a
Instruction Fuzzy Hash: 5461C7B1D05258FFEB00EBA5ED46BCD7B7CAB04305F10417AF605B71A2CA785E448B69

Function 004128FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00412944
___free_lconv_num.LIBCMT ref: 00412965
___free_lc_time.LIBCMT ref: 004129EA

Strings

TSE, xrefs: 00412915

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ___free_lc_time___free_lconv_mon___free_lconv_num
String ID: TSE
API String ID: 1156122516-64283894
Opcode ID: 917b7b0f8a4b5ed4c0b32e494302f74a9eae6470214d3f0634c842df6012d6eb
Instruction ID: cb06fb2e2100732cca35d74974b99fb3f0f5f6426e5cb9b358c298795f7e5e47
Opcode Fuzzy Hash: 917b7b0f8a4b5ed4c0b32e494302f74a9eae6470214d3f0634c842df6012d6eb
Instruction Fuzzy Hash: 09319E712047019BDB30AB69DA85AE777A6EF40314F14492FF614E7221CB7CACE08A5D

Function 00402C72 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00402C79
std::bad_exception::bad_exception.LIBCMT ref: 00402CA1
__CxxThrowException@8.LIBCMT ref: 00402CAF

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

map/set<T> too long, xrefs: 00402C89

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exception
String ID: map/set<T> too long
API String ID: 3715482749-1285458680
Opcode ID: 66b5440c4bf92ee1b234a56bf6e5a9df24462e34bdb05e24c2da6337965fb119
Instruction ID: c81d3db658e9e453b40083b55ec6ba1027f1ec409163a514d1e75f43dd340e9b
Opcode Fuzzy Hash: 66b5440c4bf92ee1b234a56bf6e5a9df24462e34bdb05e24c2da6337965fb119
Instruction Fuzzy Hash: BA414C702006409FD311CF29C288A59BBE1BF59304F1585AEE4496B7E2C7B9EC45CF98

Function 00408E62 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00408E69
std::bad_exception::bad_exception.LIBCMT ref: 00408E8F
__CxxThrowException@8.LIBCMT ref: 00408E9D

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

map/set<T> too long, xrefs: 00408E77

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exception
String ID: map/set<T> too long
API String ID: 3715482749-1285458680
Opcode ID: 22a955b3a42cc49131789c3319dc681e66160eaa358c426eb2872537a0822977
Instruction ID: e6a03e21a4a1bb93c73a446f8fd87beed2c01f0cdce6678eb7d90223a49b8012
Opcode Fuzzy Hash: 22a955b3a42cc49131789c3319dc681e66160eaa358c426eb2872537a0822977
Instruction Fuzzy Hash: 58414970600245DFC705DF15C284A56BBB1BF15308F1980AEE885AB792CB7AED81CB95

Function 00407992 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00407999
std::bad_exception::bad_exception.LIBCMT ref: 004079C1
__CxxThrowException@8.LIBCMT ref: 004079CF

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

map/set<T> too long, xrefs: 004079A9

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exception
String ID: map/set<T> too long
API String ID: 3715482749-1285458680
Opcode ID: d344a747c3e8fb480567f6b3bcb95b62188cbe9040dbcd8a0b133a1784f8342f
Instruction ID: 1e68a7bedbe1080ba4c8f960abdfdba04c0512f3c3c0ed3d40f5c04ec0cc0f12
Opcode Fuzzy Hash: d344a747c3e8fb480567f6b3bcb95b62188cbe9040dbcd8a0b133a1784f8342f
Instruction Fuzzy Hash: 5F419CB06042409FD310CF29C184A5ABBF1BF59304F1585AED4495B7A2CB79FD85CF99

Function 00402F5E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00402F65
std::bad_exception::bad_exception.LIBCMT ref: 00402F8D
__CxxThrowException@8.LIBCMT ref: 00402F9B

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

map/set<T> too long, xrefs: 00402F75

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exception
String ID: map/set<T> too long
API String ID: 3715482749-1285458680
Opcode ID: e2dd501d9aa75fe84021119255099a7b9921b3ee6ee05eea08892c4cd6ba77fa
Instruction ID: 919a1875158cb2201affd69b6c425493ebcfa631cda03999997d06b30c323c09
Opcode Fuzzy Hash: e2dd501d9aa75fe84021119255099a7b9921b3ee6ee05eea08892c4cd6ba77fa
Instruction Fuzzy Hash: DF416D702002419FC721DF19C284E5ABFF5BF19304F1981AAE449AB3A2C77AFD85CB94

Function 00408B0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00408B11
std::bad_exception::bad_exception.LIBCMT ref: 00408B3A
__CxxThrowException@8.LIBCMT ref: 00408B48

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

map/set<T> too long, xrefs: 00408B22

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exception
String ID: map/set<T> too long
API String ID: 3715482749-1285458680
Opcode ID: 37fab6679fe49a4160db1611396d7f18d815a6841f9d9c166bd245d7aada0b3d
Instruction ID: 6180966414397292128e710a0d43728aed8d35ee1e9914f91f9dc017429c214c
Opcode Fuzzy Hash: 37fab6679fe49a4160db1611396d7f18d815a6841f9d9c166bd245d7aada0b3d
Instruction Fuzzy Hash: FA412B705042408FD715DF18D684A56BBF0AF55304F5580EEE885AB3A3CB79FD41CBA9

Function 0042B1FE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042B208

Part of subcall function 0043599A: __EH_prolog3.LIBCMT ref: 004359A1

Part of subcall function 0040450F: __EH_prolog3.LIBCMT ref: 00404516

Part of subcall function 0042560F: EnterCriticalSection.KERNEL32(00457AA4), ref: 0042561F
Part of subcall function 0042560F: LeaveCriticalSection.KERNEL32(00457AA4,?), ref: 00425689
Part of subcall function 0042560F: ReleaseSemaphore.KERNEL32(00000001,00000000), ref: 00425699

Part of subcall function 0040173A: char_traits.LIBCPMT ref: 0040175F

Part of subcall function 00403C93: __EH_prolog3.LIBCMT ref: 00403C9A

Part of subcall function 00403C02: __EH_prolog3.LIBCMT ref: 00403C09

Part of subcall function 00403C48: __EH_prolog3.LIBCMT ref: 00403C4F

Part of subcall function 0042AB7E: __EH_prolog3_GS.LIBCMT ref: 0042AB88

Strings

delay time=, xrefs: 0042B230
/delay?time=, xrefs: 0042B285
&launch=, xrefs: 0042B29A

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3$CriticalSection$EnterH_prolog3_LeaveReleaseSemaphorechar_traits
String ID: &launch=$/delay?time=$delay time=
API String ID: 3186593112-2719618242
Opcode ID: a9af3abc7e75fb9e0b85fbb8fc03c27f7f141fc91657d702bca9583e71b5aa17
Instruction ID: 8714308669e0181508e0050dc2594495559a3aee36011b9c26e65c815b0a4b75
Opcode Fuzzy Hash: a9af3abc7e75fb9e0b85fbb8fc03c27f7f141fc91657d702bca9583e71b5aa17
Instruction Fuzzy Hash: 0121B4B2900148BADB10FBA5CC46ECF7B7C9F55309F10416FB60AB7192EA381F058729

Function 00424F1F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00424F26
CoTaskMemFree.OLE32(?,00457EF8,?,00000020,00427B01,?,00000001,00000000,00000001,00000000), ref: 00424FA7

Part of subcall function 00423EDA: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00423F4A

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00424FE4
\User Pinned\TaskBar, xrefs: 00424FB9

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FolderFreeH_prolog3PathTask
String ID: \Microsoft\Internet Explorer\Quick Launch$\User Pinned\TaskBar
API String ID: 647753649-732664054
Opcode ID: 6d24ee7f96ab94f22fe4cb5238dbd43b3649ce01e52e39f13fc4d0146047a7ec
Instruction ID: 736ca3d16753bda912fd6054a5caa3e85a17e77a2175e144d7f72e33dbcc564e
Opcode Fuzzy Hash: 6d24ee7f96ab94f22fe4cb5238dbd43b3649ce01e52e39f13fc4d0146047a7ec
Instruction Fuzzy Hash: A721F931B0831499EB00BFA2BD46AAE3670AF4131AF50413FF521A21E2CBBD8A44975D

Function 0042343E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,00000000), ref: 0042345A
GetFileVersionInfoW.VERSION(?,00000000,?,00000000,?,?,00000000), ref: 0042347F
VerQueryValueW.VERSION(00000000,00446970,?,00000000,?,00000000,?,00000000,?,?,00000000), ref: 0042349A

Strings

4, xrefs: 004234A3

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID: 4
API String ID: 2179348866-4088798008
Opcode ID: 0c5ba90ea324d42d21541c68f798855e70a42e98ff4e17d70419c7656e7f2e8d
Instruction ID: 086146fe2248e95e1f02d756e09c090bcdd0f4c29a11ca9f8f89814d909abaa3
Opcode Fuzzy Hash: 0c5ba90ea324d42d21541c68f798855e70a42e98ff4e17d70419c7656e7f2e8d
Instruction Fuzzy Hash: D501A971B00214BADB21BEA5AD41B9B73BC9F00755F500597F401E7141E6BCEA85C7B8

Function 00413F2E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00413F41

Part of subcall function 00413E9C: ___BuildCatchObjectHelper.LIBCMT ref: 00413ED2

_UnwindNestedFrames.LIBCMT ref: 00413F58
___FrameUnwindToState.LIBCMT ref: 00413F66

Strings

csm, xrefs: 00413F3D, 00413F52, 00413F65, 00413F83, 00413F93

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 1017d1925290206c102a1b4b14bee173987c8610bdb2a29022d20a6a9d2a745e
Instruction ID: 22d06c462d937801c4c891afab4cd35a1c53e9eff8ec467b89849f972895c6d3
Opcode Fuzzy Hash: 1017d1925290206c102a1b4b14bee173987c8610bdb2a29022d20a6a9d2a745e
Instruction Fuzzy Hash: CB012831400109BBDF126E52CC49EEB7F6AEF04359F004016FD1855121D77ADAB2DBA8

Function 0041B35A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0041454A), ref: 0041B35F
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0041B36F

Strings

KERNEL32, xrefs: 0041B35A
IsProcessorFeaturePresent, xrefs: 0041B369

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: ca4a4aa48aa54b88de227b08e757c6c5720bbc4caaf8081c5b9c0bfa9e81082a
Instruction ID: 9ace4527e08476e381b24a6ee32f04ea33101610494f5af8d0e66459dc08fff1
Opcode Fuzzy Hash: ca4a4aa48aa54b88de227b08e757c6c5720bbc4caaf8081c5b9c0bfa9e81082a
Instruction Fuzzy Hash: F4F03030A00A0DD3DF001BE1BD4E7AF7A79FB81701F920591D592B00C5DF3480B1D29A

Function 00422D23 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33sleepfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00422D37
Sleep.KERNEL32(00000064), ref: 00422D54
CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00422D6D

Strings

d, xrefs: 00422D4C

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: d
API String ID: 408151869-2564639436
Opcode ID: 84350466b7d808052e12ed85cd7ec8061862e959321b940b84d877abfa8b8e30
Instruction ID: 53e1cddba847d4bc6109e581123eac59b253c3c2417de718e10348f447958b3f
Opcode Fuzzy Hash: 84350466b7d808052e12ed85cd7ec8061862e959321b940b84d877abfa8b8e30
Instruction Fuzzy Hash: FFF05932610628BBCF214F94ED08B8D3B25BB0B330F600642F511911F0C3F989909B4A

Function 0042A4CB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25sleepwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042A4D2

Part of subcall function 0042560F: EnterCriticalSection.KERNEL32(00457AA4), ref: 0042561F
Part of subcall function 0042560F: LeaveCriticalSection.KERNEL32(00457AA4,?), ref: 00425689
Part of subcall function 0042560F: ReleaseSemaphore.KERNEL32(00000001,00000000), ref: 00425699

Part of subcall function 0040173A: char_traits.LIBCPMT ref: 0040175F

PostMessageW.USER32(00000010,00000000,00000000,00000001), ref: 0042A50A
Sleep.KERNEL32(00001388), ref: 0042A515

Strings

shutdown, xrefs: 0042A4D7

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterH_prolog3LeaveMessagePostReleaseSemaphoreSleepchar_traits
String ID: shutdown
API String ID: 135377891-2510479042
Opcode ID: b7ce464cd602f15415fd93a18c2af3c8f0bfed927ba53bf0d5a5eaaa4398e987
Instruction ID: 32136ce85528b2e3d784d4b1780335c78ccd3cce79bfb8a6427f12149fff906a
Opcode Fuzzy Hash: b7ce464cd602f15415fd93a18c2af3c8f0bfed927ba53bf0d5a5eaaa4398e987
Instruction Fuzzy Hash: EDE0ED32681308AAE700BBE2DD47FCC7664AB58B19F90542AB201BA0E2DAF95584961C

Function 00410C76 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00410C7D
std::bad_exception::bad_exception.LIBCMT ref: 00410C9A
__CxxThrowException@8.LIBCMT ref: 00410CA8

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

Strings

invalid string position, xrefs: 00410C82

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exception
String ID: invalid string position
API String ID: 3715482749-1799206989
Opcode ID: 4168c7e5fc2e44562bd1b812ff0f4f3241b6b9d4ab0c053e0c29892d77bb5c4d
Instruction ID: f421038905a6a7f4268d817e255f731584bc29c66ad6b651f323bdcc626ea2b0
Opcode Fuzzy Hash: 4168c7e5fc2e44562bd1b812ff0f4f3241b6b9d4ab0c053e0c29892d77bb5c4d
Instruction Fuzzy Hash: 70D017B295010CA7DB04F6D2C982FDD7338AB54718F10442BB201B64C2EBBC6688C62C

Function 0042511D Relevance: 6.2, APIs: 4, Instructions: 193COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00425124
__alldvrm.LIBCMT ref: 00425150
__alldvrm.LIBCMT ref: 00425161
__alldvrm.LIBCMT ref: 00425172

Part of subcall function 004239D1: __alldvrm.LIBCMT ref: 004239F3

Part of subcall function 00403C02: __EH_prolog3.LIBCMT ref: 00403C09

Part of subcall function 004028E7: std::_String_base::_Xlen.LIBCPMT ref: 00402920

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __alldvrm$H_prolog3$String_base::_Xlenstd::_
String ID:
API String ID: 4156925505-0
Opcode ID: 348168381f24d36baefad7cd82668dded2a55b871f283deb4504168d09f644a4
Instruction ID: 67367ec20441bef9e1115ca34384c6ff284c7ffdfc9b9877dd34ca9880769844
Opcode Fuzzy Hash: 348168381f24d36baefad7cd82668dded2a55b871f283deb4504168d09f644a4
Instruction Fuzzy Hash: 306150B1D00659EADF10EFD5DD829DEBBB8AF08314F60416FF610B3292C6785E448B69

Function 0040F210 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 0040F2A9
_memmove_s.LIBCMT ref: 0040F2DA

Part of subcall function 00410200: __CxxThrowException@8.LIBCMT ref: 00410289

_memmove_s.LIBCMT ref: 0040F318
_memmove_s.LIBCMT ref: 0040F342

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memmove_s$Exception@8Throw
String ID:
API String ID: 2992690706-0
Opcode ID: ae084066d7801d4f71f9142f44ef53186c07d50232a72a2bb5ec2b9814c92941
Instruction ID: a47f2da452b4b0d45736c2f16d12db6a40534c6698f50f03188f304e8965ba83
Opcode Fuzzy Hash: ae084066d7801d4f71f9142f44ef53186c07d50232a72a2bb5ec2b9814c92941
Instruction Fuzzy Hash: 8A419F71E001059BDB18DF68DC91ABF77B5EB80300F1805BEEC15A7345E639EE158798

Function 0040F380 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 0040F41B
_memmove_s.LIBCMT ref: 0040F44C

Part of subcall function 00410200: __CxxThrowException@8.LIBCMT ref: 00410289

_memmove_s.LIBCMT ref: 0040F48A
_memmove_s.LIBCMT ref: 0040F4B4

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memmove_s$Exception@8Throw
String ID:
API String ID: 2992690706-0
Opcode ID: b0793147b639263a1be474d9d4c9ed7991728636ad991472b06ea6b70036ea40
Instruction ID: 7fe11bf752918773269d14dd8cbdf0330f72627a1759ebba3d193157fff64eea
Opcode Fuzzy Hash: b0793147b639263a1be474d9d4c9ed7991728636ad991472b06ea6b70036ea40
Instruction Fuzzy Hash: B841AF71E002059BDB28DF68C891ABF73B5EB90300F044A7EED15A7385E678EE14CB94

Function 0041F341 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041F375
__isleadbyte_l.LIBCMT ref: 0041F3A9
MultiByteToWideChar.KERNEL32(00000080,00000009,00417EC0,?,00000000,00000000,?,?,?,?,00417EC0,00000000,?), ref: 0041F3DA
MultiByteToWideChar.KERNEL32(00000080,00000009,00417EC0,00000001,00000000,00000000,?,?,?,?,00417EC0,00000000,?), ref: 0041F448

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3db43ec4385791b0d80f00dc709922dff0d7eb9c511754cb056a075c4db2dd5d
Instruction ID: f07aff31a9a4a47af0765d8ca4da7b1855cfcd43cc856976444468292dfea948
Opcode Fuzzy Hash: 3db43ec4385791b0d80f00dc709922dff0d7eb9c511754cb056a075c4db2dd5d
Instruction Fuzzy Hash: F431C031A04259EFCB20DF64C880AEF7BA5BF01321F18457AE8658B291D334DEC6DB59

Function 00437CD8 Relevance: 6.1, APIs: 4, Instructions: 95sleepsynchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00437CE2
WaitForSingleObject.KERNEL32(00000000,000000FF,000000A4,0043210A), ref: 00437CFE
CloseHandle.KERNEL32(?), ref: 00437D06

Part of subcall function 00423A5B: CharLowerW.USER32(00000000), ref: 00423AB0

Part of subcall function 00426FD8: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00427036

Sleep.KERNEL32(00001388,00000001,00000000,00000001,00000000), ref: 00437DE7

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharCloseCreateH_prolog3_HandleLowerObjectSingleSleepSnapshotToolhelp32Wait
String ID:
API String ID: 4054888592-0
Opcode ID: a487ae1e29f44e04c12e79219ce5772dc8a9e5f7138b0988972a1b9e39390ac9
Instruction ID: 06ec0f4510304afe2df128076dec5f305a2d328849e2f2ba13c7950163399b4a
Opcode Fuzzy Hash: a487ae1e29f44e04c12e79219ce5772dc8a9e5f7138b0988972a1b9e39390ac9
Instruction Fuzzy Hash: E9419335D04219DBDF10EBA1DD427DDB774AF04308F1040AAE649B7292CB782E85CF59

Function 0040161B Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00401644
__CxxThrowException@8.LIBCMT ref: 00401652
__EH_prolog3_catch.LIBCMT ref: 0040165F
char_traits.LIBCPMT ref: 004016FA

Part of subcall function 00410FD3: _malloc.LIBCMT ref: 00410FED

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8H_prolog3_catchThrow_mallocchar_traitsstd::bad_exception::bad_exception
String ID:
API String ID: 1578287386-0
Opcode ID: a6516bc6bf96564a9d36ba33a453a2c5d210bed60cd50db9cbc9f114e3e4c60d
Instruction ID: a45f1639fd93f54a04312005fd3759d52eef518fd81d71c07d440c5f7791aced
Opcode Fuzzy Hash: a6516bc6bf96564a9d36ba33a453a2c5d210bed60cd50db9cbc9f114e3e4c60d
Instruction Fuzzy Hash: F711E771A00204BBDB04AB958842B9DB3A9BB44314F14853FF926B75D1DBBAEA50878D

Function 00423680 Relevance: 6.0, APIs: 4, Instructions: 50registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 004236A7
lstrlenW.KERNEL32(?,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 004236B9
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,00000002,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 004236DC
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 004236E9

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: b30ed5d0df35f720ad9fc89921eb91a4a1cebfaaadc5d5723fb4bac2633d3dd5
Instruction ID: 3cd77d9b5eb6881ecad91980499289b63bd7a12892a1d14b7b589648a2fb278b
Opcode Fuzzy Hash: b30ed5d0df35f720ad9fc89921eb91a4a1cebfaaadc5d5723fb4bac2633d3dd5
Instruction Fuzzy Hash: C501B174204218FFDB208F50EC89EA777BDFB013467504029F10296260D779EF14EA68

Function 0041B225 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0041B24B

Part of subcall function 0041B070: __fltout2.LIBCMT ref: 0041B09C

__cftog_l.LIBCMT ref: 0041B271
__cftoe_l.LIBCMT ref: 0041B2A3

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 0621c41d723495d0d27681da8aa887efaafaa75cb424d2a7eebf5ab3d428d66f
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 3411803204014EBBCF125E85DC05CEE3F26FF19355B18855AFE1858131D33AC9B5AB85

Function 00422831 Relevance: 6.0, APIs: 4, Instructions: 42windowCOMMON

Download Yara Rule

APIs

IsDialogMessageW.USER32(?,?), ref: 00422851
TranslateMessage.USER32(?), ref: 0042285F
DispatchMessageW.USER32(?), ref: 00422869
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00422876

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$DialogDispatchTranslate
String ID:
API String ID: 3514118866-0
Opcode ID: 0a313478c5e86c62293e51e347fa9eb9c95d0a7b48623a2f52e6f87587fd611f
Instruction ID: e5cbeca6de5e79d8ee9a2bd6157bb3e8df46cbb451d3fee49b21c034be76bfef
Opcode Fuzzy Hash: 0a313478c5e86c62293e51e347fa9eb9c95d0a7b48623a2f52e6f87587fd611f
Instruction Fuzzy Hash: AAF0F636B04519B78B00BFE5BD49DABB7BCBAD67003404136F501D3011E668D4068B78

Function 00429B6D Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00429B86
GetSysColorBrush.USER32(0000000F), ref: 00429B90
DrawIconEx.USER32(?,00000000,00000000,00000000,00000000), ref: 00429BC0
EndPaint.USER32(?,?), ref: 00429BCB

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Paint$BeginBrushColorDrawIcon
String ID:
API String ID: 2285589323-0
Opcode ID: 8c8f7fcd1d2252c5c6bd5c8743971f99ea96f5eddb5e56eec3441359489c894e
Instruction ID: bc56cb05c79b63b011f1bd7ad89916b5bdfa5e2565d87f9d2312d5bf636005c8
Opcode Fuzzy Hash: 8c8f7fcd1d2252c5c6bd5c8743971f99ea96f5eddb5e56eec3441359489c894e
Instruction Fuzzy Hash: 07013135600209BFEB01AFA0ED06FAE7B6CFF05705F910035F901950A1DAE4AE419B6C

Function 00410FD3 Relevance: 6.0, APIs: 4, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00410FED

Part of subcall function 0041159B: __FF_MSGBANNER.LIBCMT ref: 004115BE
Part of subcall function 0041159B: __NMSG_WRITE.LIBCMT ref: 004115C5
Part of subcall function 0041159B: HeapAlloc.KERNEL32(00000000,-0000000F,00000001,00000000,00000000,?,00413676,00000000,00000001,00000000,?,004158C7,00000018,0044D2A8,0000000C,00415958), ref: 00411612

std::bad_alloc::bad_alloc.LIBCMT ref: 00411010

Part of subcall function 00410FB8: std::exception::exception.LIBCMT ref: 00410FC4

std::bad_exception::bad_exception.LIBCMT ref: 00411024
__CxxThrowException@8.LIBCMT ref: 00411032

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 3622535130-0
Opcode ID: 4437c7b0b8eff3acb08e0fced23751d5c7f9890abfee5871e85ca763a3fe707b
Instruction ID: 222d8d9efd024288686ec8270555546e0d7cd60b842afc2bdb16ef98efd7f7fb
Opcode Fuzzy Hash: 4437c7b0b8eff3acb08e0fced23751d5c7f9890abfee5871e85ca763a3fe707b
Instruction Fuzzy Hash: 80F0E231A0420966DF14B721EC03EED3B645B4075DB21403BFC01964E2EEECDACA814C

Function 00412BAD Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00412BB9

Part of subcall function 0041507C: __getptd_noexit.LIBCMT ref: 0041507F
Part of subcall function 0041507C: __amsg_exit.LIBCMT ref: 0041508C

__getptd.LIBCMT ref: 00412BD0
__amsg_exit.LIBCMT ref: 00412BDE
__lock.LIBCMT ref: 00412BEE

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 659cbb970a542e52a38874b3136d09b649c7968a6051bd179fd8b6d0552e2bdd
Instruction ID: 9be1fa5523277f5f8634092f9ca3c349e99115718d25a180e0b875165d400f2a
Opcode Fuzzy Hash: 659cbb970a542e52a38874b3136d09b649c7968a6051bd179fd8b6d0552e2bdd
Instruction Fuzzy Hash: 8BF06D31A04B00DBD760BFA69A037DD73A0AB44729F10411FE550DB2D2CBBCA9D18B9E

Function 004238CE Relevance: 6.0, APIs: 4, Instructions: 24threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00457AA4,?,00425619), ref: 004238DE
CreateSemaphoreW.KERNEL32(00000000,00000000,00000400,00000000,?,00425619), ref: 004238EC
CreateThread.KERNEL32(00000000,00000000,Function_0002379B,00000000,00000000,00000000), ref: 00423901
CloseHandle.KERNEL32(00000000,?,00425619), ref: 00423908

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create$CloseCriticalHandleInitializeSectionSemaphoreThread
String ID:
API String ID: 4124923094-0
Opcode ID: 762eeeb0e2684ae292b46d33173239d84753ee2bcca6a7cc53c071972cc07cd5
Instruction ID: 81c970d8e8bb1f6cc6841748ae2ce6df8539f7fd31522c9dcf740251defa5409
Opcode Fuzzy Hash: 762eeeb0e2684ae292b46d33173239d84753ee2bcca6a7cc53c071972cc07cd5
Instruction Fuzzy Hash: 96E01A75546230BBC6215BA5BC0CFCB3E6CEF4B7A3B110136B51591061CBB84681C7EC

Function 00417FF4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0041F261
__getbuf.LIBCMT ref: 0041F2F9

Strings

HWE, xrefs: 0041F267

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __fileno__getbuf
String ID: HWE
API String ID: 2304796792-1921285094
Opcode ID: c9c5efb2e299aaaa4ead719114217179a93cb289d9bcb133eee6878c857515e2
Instruction ID: 15a553fb6b9a03c43930880872835f9a695bbaf8805efa77afec68214ac8708b
Opcode Fuzzy Hash: c9c5efb2e299aaaa4ead719114217179a93cb289d9bcb133eee6878c857515e2
Instruction Fuzzy Hash: 9D31E572100A044AC7358A79D8406A737D1AB92334728477BE8BA877D1D73DE8CB861D

Function 00425016 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(?,00457F18,?), ref: 004250BA
SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 004250CE

Part of subcall function 004235C6: GetFileAttributesW.KERNEL32(00457F14,004250F7,00457F18,?), ref: 004235D5

Strings

\Downloads, xrefs: 004250E5

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFileFolderFreePathTask
String ID: \Downloads
API String ID: 261851141-1864973320
Opcode ID: a7f2b807e1d9f09bb53eb938fbe727ea3aedb13d2cdfee29d4aa79811b1ce012
Instruction ID: 5aa536f6aed99c08f93496cc440dacc4f7d3d554b188984fa61d818ac85dbe75
Opcode Fuzzy Hash: a7f2b807e1d9f09bb53eb938fbe727ea3aedb13d2cdfee29d4aa79811b1ce012
Instruction Fuzzy Hash: 6621F871A04328AAEB10FF65BD45B7E77B8AF41709F4040BFF604A2192DB7C8944975C

Function 00409890 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004098DF
__CxxThrowException@8.LIBCMT ref: 00409922

Strings

in Json::Value::duplicateStringValue(): Failed to allocate string value buffer, xrefs: 004098EF

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw_malloc
String ID: in Json::Value::duplicateStringValue(): Failed to allocate string value buffer
API String ID: 3476970888-3522564335
Opcode ID: 33b16aa890f24b1cc070d9ef67e8bd3ecf577d643e2e755e67a63706b2bee2d6
Instruction ID: d8f305cca4d7728b87c8228cc328e3351109718ccfa62e297e2e00781f496c37
Opcode Fuzzy Hash: 33b16aa890f24b1cc070d9ef67e8bd3ecf577d643e2e755e67a63706b2bee2d6
Instruction Fuzzy Hash: FF11EB73D00608ABC701DFA88C41BEEB7F8DB45320F14466BE825B73C1EB7999048798

Function 00426718 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042671F

Strings

3e18e0508fd502a51ca0138091b7e80e, xrefs: 00426775
hghf659f45, xrefs: 00426768

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3
String ID: 3e18e0508fd502a51ca0138091b7e80e$hghf659f45
API String ID: 431132790-2769677135
Opcode ID: b0c21f7634065c18526fab40dab2d4861eb4cb62741ef8918be044a7c2d61b0e
Instruction ID: d159747a77e97965966388604d947ac8c3b32930c9fa0b33d657731362c52a1d
Opcode Fuzzy Hash: b0c21f7634065c18526fab40dab2d4861eb4cb62741ef8918be044a7c2d61b0e
Instruction Fuzzy Hash: 2621C5329042489ADB01EBA6EC82EDD77B4AF5430CF10817FE455771E2DB785A05CB1C

Function 00424D6D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00424D77

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00424DDD
ProgramFilesDir, xrefs: 00424DC6

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_catch_
String ID: ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 1329019490-1909746267
Opcode ID: 9da1c509904a97c7909f4f00d50cc87264d80f35b42d219e504d5d8b64e974c0
Instruction ID: 3540de5a1fb99462d663c441778021bbb8494330bef7b2169a36bba358bc36dc
Opcode Fuzzy Hash: 9da1c509904a97c7909f4f00d50cc87264d80f35b42d219e504d5d8b64e974c0
Instruction Fuzzy Hash: 0B21F530A04394E9DB00EBA5AC06B8D7B70AB44308F6040BEE904B72E2C7B85E44CB58

Function 00410200 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00410289

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

std::exception::exception.LIBCMT ref: 004102CA
__CxxThrowException@8.LIBCMT ref: 004102DF

Part of subcall function 00410FD3: _malloc.LIBCMT ref: 00410FED

Strings

vA@, xrefs: 0041025D, 00410281
deque<T> too long, xrefs: 0041022A

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise_mallocstd::exception::exception
String ID: deque<T> too long$vA@
API String ID: 465789080-4126863640
Opcode ID: f33cbcf66e16c2a25828c68d3fcaf2c4da722b8d0307da1e6ce644ed141d220c
Instruction ID: fc59770f523df5e319aab616f4555756d12097ed23453be4461b829e2d949843
Opcode Fuzzy Hash: f33cbcf66e16c2a25828c68d3fcaf2c4da722b8d0307da1e6ce644ed141d220c
Instruction Fuzzy Hash: 831190B080024CAADB01EFE5DD81BDEBBB8FB04314F50466EE51167681EBB85608CA55

Function 0042384B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

SetNamedSecurityInfoW.ADVAPI32(?,00000001,00000001,?,00000000,00000000,00000000), ref: 004238A1
SetNamedSecurityInfoW.ADVAPI32(?,00000001,00000004,00000000,00000000,00000000,00000000), ref: 004238C6

Part of subcall function 00423319: GetCurrentProcess.KERNEL32(00000020,?), ref: 00423328
Part of subcall function 00423319: OpenProcessToken.ADVAPI32(00000000), ref: 0042332F

Strings

SeTakeOwnershipPrivilege, xrefs: 0042385C

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoNamedProcessSecurity$CurrentOpenToken
String ID: SeTakeOwnershipPrivilege
API String ID: 1489085889-3375656754
Opcode ID: 66fb1ad463e316866a370cfebf66fc59a1488bdf466a03bd9c02f467a86f0891
Instruction ID: 864b075c5d0e34cdf14af7649e880e6e9bf8eb427b33dc2ec0b00c8ad540bcab
Opcode Fuzzy Hash: 66fb1ad463e316866a370cfebf66fc59a1488bdf466a03bd9c02f467a86f0891
Instruction Fuzzy Hash: C7019670B50214BEFB149B64ED86FA973BDEB05705F40016AF601AB291D7F8AE4487E8

Function 00436964 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0043696B

Part of subcall function 00436036: __EH_prolog3.LIBCMT ref: 0043603D

Part of subcall function 00423A5B: CharLowerW.USER32(00000000), ref: 00423AB0

Strings

text, xrefs: 004369AA
Content-Type, xrefs: 00436970

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharH_prolog3H_prolog3_Lower
String ID: Content-Type$text
API String ID: 2243128287-210706158
Opcode ID: d45c22475398047e322e2295bf1ebd371aadfc2c0b8fd0f815d9454090e79b62
Instruction ID: 93206012dcea578c22f6d3166e43fcb743159657086cc934417cc3ccfe99115b
Opcode Fuzzy Hash: d45c22475398047e322e2295bf1ebd371aadfc2c0b8fd0f815d9454090e79b62
Instruction Fuzzy Hash: 07F0A431E40244A5CB14FA768D57ECF66789F88704F90812EF224BB2D2CABC5A458764

Function 00413CA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041262B: __getptd.LIBCMT ref: 00412631
Part of subcall function 0041262B: __getptd.LIBCMT ref: 00412641

__getptd.LIBCMT ref: 00413CB6

Part of subcall function 0041507C: __getptd_noexit.LIBCMT ref: 0041507F
Part of subcall function 0041507C: __amsg_exit.LIBCMT ref: 0041508C

__getptd.LIBCMT ref: 00413CC4

Strings

csm, xrefs: 00413CD2

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: dad7ce64f9db8df9865c91e171c7ffd249f7b05e35bef5d51d16c9ac305832eb
Instruction ID: ecb524e3a6e8e2dd5ec2f19559e9ef451380fa04d6e86325529896a5299930fd
Opcode Fuzzy Hash: dad7ce64f9db8df9865c91e171c7ffd249f7b05e35bef5d51d16c9ac305832eb
Instruction Fuzzy Hash: 770128358003059BCF34AF65D4406EEBBB5AF14312F24442FE48197292DB39CED0CA59

Function 004267FF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00426806

Part of subcall function 004265AA: __EH_prolog3_GS.LIBCMT ref: 004265B4

Part of subcall function 0040173A: char_traits.LIBCPMT ref: 0040175F

Strings

1OtU3OaRC1xO5rErBozbP4G2hNm67mUH, xrefs: 00426820
hlPxjHRu9UWCOtTORdZ51F7RYWUCWy73, xrefs: 0042680F

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3H_prolog3_char_traits
String ID: 1OtU3OaRC1xO5rErBozbP4G2hNm67mUH$hlPxjHRu9UWCOtTORdZ51F7RYWUCWy73
API String ID: 3685356560-3654031149
Opcode ID: f8c47f994b8b0e701261e9c6139b01b79945696f217508fa54299c88fb875574
Instruction ID: 16ccc66f99b78474b49cfa79b4bae72fac64fe850044e664d0e2dc139a99c324
Opcode Fuzzy Hash: f8c47f994b8b0e701261e9c6139b01b79945696f217508fa54299c88fb875574
Instruction Fuzzy Hash: 05F03031A40108AAEB00FBA1DD92FDC7774AF14709F50806AF501BA1D2DBF96B8AC758

Function 00401060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(00000008), ref: 0040106B
SysFreeString.OLEAUT32(00000000), ref: 00401080

Strings

`LwLw, xrefs: 0040106B

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DecrementFreeInterlockedString
String ID: `LwLw
API String ID: 3298718523-3431591817
Opcode ID: 8be9b92f1e793706b24cad95a68e9e8b11b91d79ff362938f030ae69a6946580
Instruction ID: 25eceb43c7ef64e8d8626d1cbd83fce6d3d1eae0a7294534f156ff57a9ef5d55
Opcode Fuzzy Hash: 8be9b92f1e793706b24cad95a68e9e8b11b91d79ff362938f030ae69a6946580
Instruction Fuzzy Hash: BBE09231A11A614BD7309F75E809BA773ACAF00B50B15042BFD80E76A0DB7CDCC0865C

Function 00422C29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000006), ref: 00422C32
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00422C45

Strings

open, xrefs: 00422C3F

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExecuteInitializeShell
String ID: open
API String ID: 4132032380-2758837156
Opcode ID: b0fb4df7280baee9e47ae6117738990c2442dded8765d74958e942715b99032e
Instruction ID: 9f25706f014e614f09682f07908b313a76c6fb494b28c1d5c140758ed5bbb107
Opcode Fuzzy Hash: b0fb4df7280baee9e47ae6117738990c2442dded8765d74958e942715b99032e
Instruction Fuzzy Hash: 9CE08C371552343AE72127E2AC0EFDB7E18EB077B0F008022FA0966090C9A645A0C2E8

Function 00422695 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004226B5

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

SetParent.USER32(?,?), ref: 004226C8

Strings

Can't add child because window not created, xrefs: 004226AE

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8ParentRaiseThrow
String ID: Can't add child because window not created
API String ID: 3573755502-3609820812
Opcode ID: 41fc45c9c2396026ed0096bb1d7629a19afdbb5fee840107ece15b1a4427e377
Instruction ID: 3e68ee832d66d77b90622337689a757592fac7eeb3564d1474f0d21e8580a717
Opcode Fuzzy Hash: 41fc45c9c2396026ed0096bb1d7629a19afdbb5fee840107ece15b1a4427e377
Instruction Fuzzy Hash: F1E04FB4700209BBD710DF95EA85A5B77FDBB9470C324C0A9E409D7201E7B5D9029758

Function 00422703 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0042271D

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

ShowWindow.USER32(?,?), ref: 0042272F

Strings

Can't show window because window not created, xrefs: 00422716

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8RaiseShowThrowWindow
String ID: Can't show window because window not created
API String ID: 4018245886-1727106819
Opcode ID: 825a779ae32149502b7cce05e22d4fbd780263d3852b98b6433407f3e144c74e
Instruction ID: ce0bf999913aecd15be768acb17c4f5f0ee8748b15b1656f216c50c0607f2635
Opcode Fuzzy Hash: 825a779ae32149502b7cce05e22d4fbd780263d3852b98b6433407f3e144c74e
Instruction Fuzzy Hash: 43D02BF03102087A9B088FA4D8CAEEA3BECDA14B40741C11EF90DC6001E7F8E5408668

Function 004226D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004226EA

Part of subcall function 004122AB: RaiseException.KERNEL32(?,?,00411037,?,?,?,?,?,00411037,?,0044D68C,00456CF8,?,00401373,?), ref: 004122ED

EnableWindow.USER32(?,00000000), ref: 004226F9

Strings

Can't disable window because window not created, xrefs: 004226E3

Memory Dump Source

Source File: 00000000.00000002.1539061781.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539044167.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539103333.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539125304.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1539142138.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: EnableExceptionException@8RaiseThrowWindow
String ID: Can't disable window because window not created
API String ID: 2161987055-2392149179
Opcode ID: 98cae38be1c326f5a8dc78fb8512496407140d83bcafc7f7d42d6892300fd088
Instruction ID: 2d8dfacf987e22632f39275ccb3b2134d8b9c119db3ffa555be09886ea7f2adc
Opcode Fuzzy Hash: 98cae38be1c326f5a8dc78fb8512496407140d83bcafc7f7d42d6892300fd088
Instruction Fuzzy Hash: 11D05BB16003087FD744DF64DD49D9E3F9C9A54740704C05EB40DC6501E7F4E5548769

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_ec24384a58645712a8216dd34a3884cb9132512_265dce86_e1f415c1-83d4-44dc-a094-cc48ee5b9763\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAC8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB46.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB95.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Function 0041978C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 47
COMMONLIBRARYCODE

Function 00415791 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 00419C2C Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 0042EADB Relevance: 86.3, APIs: 15, Strings: 33, Instructions: 2324
windowCOMMON

Function 0042B78D Relevance: 51.4, APIs: 19, Strings: 10, Instructions: 682
windowCOMMON

Function 00436131 Relevance: 45.9, APIs: 17, Strings: 9, Instructions: 373
networkfilesynchronizationCOMMON

Function 0043545F Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 256
COMMON

Function 00429751 Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 251
memorylibrarythreadCOMMON

Function 00436A86 Relevance: 38.9, APIs: 17, Strings: 5, Instructions: 435
networkCOMMON

Function 0042A64E Relevance: 33.2, APIs: 22, Instructions: 163
memorywindowCOMMON