Edit tour

Windows Analysis Report
GdsGKfLRby.exe

Overview

General Information

Sample name:	GdsGKfLRby.exe renamed because original name is a hash value
Original sample name:	b437936e1752bd430545f30ba5223fabe413dc39ec2a82f437d11fd857dcede8.exe
Analysis ID:	1447645
MD5:	48e6ba377d90401cee819471fcea38b9
SHA1:	0f6f6ef2b5691946703d37a6316452dda6d5eab5
SHA256:	b437936e1752bd430545f30ba5223fabe413dc39ec2a82f437d11fd857dcede8
Tags:	exeNetWire
Infos:

Detection

NetWire

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected NetWire RAT

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (may stop execution after accessing registry keys)

Found large amount of non-executed APIs

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

GdsGKfLRby.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\GdsGKfLRby.exe" MD5: 48E6BA377D90401CEE819471FCEA38B9)

WerFault.exe (PID: 3140 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 400 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NetWire RC, NetWire	Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF	APT33	http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/ http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire

Malware Configuration

Threatname: NetWire

{"C2 list": ["netwire2021.duckdns.org:7929"], "Password": "Password", "Host ID": "HostId-yISsE2", "Mutex": "qFlJFfII", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "C:\\Users\\Administrator\\AppData\\Roaming\\Logs\\"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
GdsGKfLRby.exe	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
GdsGKfLRby.exe	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x724e:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
GdsGKfLRby.exe	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x21be5:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x2247b:$a2: \Login Data 0x224f4:$a2: \Login Data 0x22572:$a2: \Login Data 0x22603:$a2: \Login Data 0x2266d:$a2: \Login Data 0x226d3:$a2: \Login Data 0x22701:$a2: \Login Data 0x21a4d:$a3: SOFTWARE\NetWire
GdsGKfLRby.exe	MALWARE_Win_NetWire	Detects NetWire RAT	ditekSHen	0x21a4d:$x1: SOFTWARE\NetWire 0x21a34:$x2: 4E 65 74 57 69 72 65 00 53 4F 46 54 57 41 52 45 5C 00 0x21ae0:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x2191e:$s2: filenames.txt 0x21ac4:$s3: GET %s HTTP/1.1 0x21be5:$s4: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x25e28:$s5: Host.exe 0x21a72:$s6: -m "%s" 0x20f80:$g1: HostId 0x21a46:$g1: HostId 0x223b0:$g2: History 0x22410:$g3: encrypted_key 0x21a65:$g4: Install Date 0x21ffd:$g5: hostname 0x22006:$g6: encryptedUsername 0x22018:$g7: encryptedPassword

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.2103922275.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x6e4e:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmp	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x1e5:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xa7b:$a2: \Login Data 0xaf4:$a2: \Login Data 0xb72:$a2: \Login Data 0xc03:$a2: \Login Data 0xc6d:$a2: \Login Data 0xcd3:$a2: \Login Data 0xd01:$a2: \Login Data 0x4d:$a3: SOFTWARE\NetWire
00000001.00000000.2103948547.0000000000422000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000001.00000000.2103948547.0000000000422000.00000008.00000001.01000000.00000003.sdmp	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x11e5:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1a7b:$a2: \Login Data 0x1af4:$a2: \Login Data 0x1b72:$a2: \Login Data 0x1c03:$a2: \Login Data 0x1c6d:$a2: \Login Data 0x1cd3:$a2: \Login Data 0x1d01:$a2: \Login Data 0x104d:$a3: SOFTWARE\NetWire
00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x6e4e:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
Process Memory Space: GdsGKfLRby.exe PID: 6496	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: GdsGKfLRby.exe PID: 6496	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0xddb6:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1e905:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xedb5:$a2: \Login Data 0xee2e:$a2: \Login Data 0xeeac:$a2: \Login Data 0xef3d:$a2: \Login Data 0xefa7:$a2: \Login Data 0xf00d:$a2: \Login Data 0xf0db:$a2: \Login Data 0xf151:$a2: \Login Data 0xf1cc:$a2: \Login Data 0xf25a:$a2: \Login Data 0xf2c2:$a2: \Login Data 0xf326:$a2: \Login Data 0xf353:$a2: \Login Data 0xf3d2:$a2: \Login Data 0x1f9b3:$a2: \Login Data 0x1fa2c:$a2: \Login Data 0x1faaa:$a2: \Login Data 0x1fb3b:$a2: \Login Data 0x1fba5:$a2: \Login Data
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.GdsGKfLRby.exe.400000.0.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
1.0.GdsGKfLRby.exe.400000.0.unpack	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x724e:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
1.0.GdsGKfLRby.exe.400000.0.unpack	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x21be5:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x2247b:$a2: \Login Data 0x224f4:$a2: \Login Data 0x22572:$a2: \Login Data 0x22603:$a2: \Login Data 0x2266d:$a2: \Login Data 0x226d3:$a2: \Login Data 0x22701:$a2: \Login Data 0x21a4d:$a3: SOFTWARE\NetWire
1.0.GdsGKfLRby.exe.400000.0.unpack	MALWARE_Win_NetWire	Detects NetWire RAT	ditekSHen	0x21a4d:$x1: SOFTWARE\NetWire 0x21a34:$x2: 4E 65 74 57 69 72 65 00 53 4F 46 54 57 41 52 45 5C 00 0x21ae0:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x2191e:$s2: filenames.txt 0x21ac4:$s3: GET %s HTTP/1.1 0x21be5:$s4: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x21a72:$s6: -m "%s" 0x20f80:$g1: HostId 0x21a46:$g1: HostId 0x223b0:$g2: History 0x22410:$g3: encrypted_key 0x21a65:$g4: Install Date 0x21ffd:$g5: hostname 0x22006:$g6: encryptedUsername 0x22018:$g7: encryptedPassword
1.2.GdsGKfLRby.exe.400000.0.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
1.2.GdsGKfLRby.exe.400000.0.unpack	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x724e:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
1.2.GdsGKfLRby.exe.400000.0.unpack	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x21be5:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x2247b:$a2: \Login Data 0x224f4:$a2: \Login Data 0x22572:$a2: \Login Data 0x22603:$a2: \Login Data 0x2266d:$a2: \Login Data 0x226d3:$a2: \Login Data 0x22701:$a2: \Login Data 0x21a4d:$a3: SOFTWARE\NetWire
1.2.GdsGKfLRby.exe.400000.0.unpack	MALWARE_Win_NetWire	Detects NetWire RAT	ditekSHen	0x21a4d:$x1: SOFTWARE\NetWire 0x21a34:$x2: 4E 65 74 57 69 72 65 00 53 4F 46 54 57 41 52 45 5C 00 0x21ae0:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x2191e:$s2: filenames.txt 0x21ac4:$s3: GET %s HTTP/1.1 0x21be5:$s4: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x21a72:$s6: -m "%s" 0x21a46:$g1: HostId 0x223b0:$g2: History 0x22410:$g3: encrypted_key 0x21a65:$g4: Install Date 0x21ffd:$g5: hostname 0x22006:$g6: encryptedUsername 0x22018:$g7: encryptedPassword
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: GdsGKfLRby.exe

Avira: detected

Antivirus detection for URL or domain

Source: netwire2021.duckdns.org:7929

Avira URL Cloud: Label: malware

Found malware configuration

Source: 1.2.GdsGKfLRby.exe.400000.0.unpack

Malware Configuration Extractor: NetWire {"C2 list": ["netwire2021.duckdns.org:7929"], "Password": "Password", "Host ID": "HostId-yISsE2", "Mutex": "qFlJFfII", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "C:\\Users\\Administrator\\AppData\\Roaming\\Logs\\"}

Multi AV Scanner detection for domain / URL

Source: netwire2021.duckdns.org:7929

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for submitted file

Source: GdsGKfLRby.exe	ReversingLabs: Detection: 97%
Source: GdsGKfLRby.exe	Virustotal: Detection: 87%			Perma Link

Machine Learning detection for sample

Source: GdsGKfLRby.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,	1_2_0040C4B7
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040E511 CryptUnprotectData,LocalFree,	1_2_0040E511
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp,	1_2_0040EDD6
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	1_2_0040D290

Source: GdsGKfLRby.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose,	1_2_00406453
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW,	1_2_0040680D
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW,	1_2_0040753D
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose,	1_2_00413A85
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,	1_2_0040DB1C
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose,	1_2_00406F83
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose,	1_2_00406390

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA,

1_2_00406084

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: netwire2021.duckdns.org:7929

Source: unknown

DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_00405811 send,recv,

1_2_00405811

Source: global traffic

DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: GdsGKfLRby.exe	String found in binary or memory: http://www.yandex.com
Source: GdsGKfLRby.exe	String found in binary or memory: http://www.yandex.comsocks=

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte,

1_2_00409953

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_00411D8C GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetDIBits,calloc,GetDIBits,ReleaseDC,DeleteDC,DeleteObject,free,

1_2_00411D8C

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

1_2_00409953

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

1_2_00409953

System Summary

Malicious sample detected (through community Yara rule)

Source: GdsGKfLRby.exe, type: SAMPLE	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: GdsGKfLRby.exe, type: SAMPLE	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: GdsGKfLRby.exe, type: SAMPLE	Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 00000001.00000000.2103922275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000001.00000000.2103948547.0000000000422000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: Process Memory Space: GdsGKfLRby.exe PID: 6496, type: MEMORYSTR	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown

Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 703D0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 713A0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 72370000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 73AE0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 77030000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 78000000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 73340000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 763B0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 73740000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 74AB0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 76080000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 76BF0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 74CB0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 75BF0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 767B0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 73940000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 74DB0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 750F0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 75280000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 768B0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 76DF0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 73A80000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 75170000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 759F0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 75CF0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 75F80000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 76280000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 76930000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 76B70000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 75D30000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Memory allocated: 762C0000 page read and write	Jump to behavior

Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00403047	1_2_00403047
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0041D049	1_2_0041D049
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00419463	1_2_00419463
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00415079	1_2_00415079
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00420420	1_2_00420420
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_004208C0	1_2_004208C0
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_004034D3	1_2_004034D3
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00414976	1_2_00414976
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00402E68	1_2_00402E68
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00416619	1_2_00416619
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040AEC6	1_2_0040AEC6
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00402AFC	1_2_00402AFC
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00415ABF	1_2_00415ABF
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00420F40	1_2_00420F40
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0041FF50	1_2_0041FF50
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040A728	1_2_0040A728

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 400

Source: GdsGKfLRby.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: GdsGKfLRby.exe, type: SAMPLE	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: GdsGKfLRby.exe, type: SAMPLE	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: GdsGKfLRby.exe, type: SAMPLE	Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 00000001.00000000.2103922275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000001.00000000.2103948547.0000000000422000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: Process Memory Space: GdsGKfLRby.exe PID: 6496, type: MEMORYSTR	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/0

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA,

1_2_00406084

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_00402570 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_00402570

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6496

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3ab78efb-164e-430d-a63c-7038e90018f3

Jump to behavior

Source: GdsGKfLRby.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: GdsGKfLRby.exe	ReversingLabs: Detection: 97%
Source: GdsGKfLRby.exe	Virustotal: Detection: 87%

Source: unknown	Process created: C:\Users\user\Desktop\GdsGKfLRby.exe "C:\Users\user\Desktop\GdsGKfLRby.exe"
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 400

Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc,

1_2_00408417

Source: GdsGKfLRby.exe

Static PE information: real checksum: 0x2be0d should be: 0x307b4

Source: GdsGKfLRby.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040DCE9 push ecx; mov dword ptr [esp], 00423976h	1_2_0040DD9F
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah	1_2_0040DDD9
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040DCE9 push edx; mov dword ptr [esp], 00423997h	1_2_0040DDF7
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040DCE9 push edx; mov dword ptr [esp], esi	1_2_0040E394
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040A4BC push esi; mov dword ptr [esp], 00423347h	1_2_0040A543
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00409953 push edi; mov dword ptr [esp], 00000091h	1_2_00409980
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00409953 push ebp; mov dword ptr [esp], 00000090h	1_2_0040998D
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00411D8C push edx; mov dword ptr [esp], edi	1_2_00412058
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00409E61 push eax; mov dword ptr [esp], ebx	1_2_00409FDE
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00406E04 push ecx; mov dword ptr [esp], ebx	1_2_00406E69
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040262F push edx; mov dword ptr [esp], edi	1_2_004027C8
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040262F push edx; mov dword ptr [esp], edi	1_2_00402815
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040262F push edx; mov dword ptr [esp], edi	1_2_004029B2
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_004146E1 push eax; mov dword ptr [esp], ebx	1_2_0041470B
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040970C push eax; mov dword ptr [esp], 0042B4A0h	1_2_004097B9

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_1-8686

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_1-8830

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_1-8763

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

API coverage: 0.6 %

Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose,	1_2_00406453
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW,	1_2_0040680D
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW,	1_2_0040753D
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose,	1_2_00413A85
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,	1_2_0040DB1C
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose,	1_2_00406F83
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	Code function: 1_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose,	1_2_00406390

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA,

1_2_00406084

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_004132E6 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics,

1_2_004132E6

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: GdsGKfLRby.exe, 00000001.00000002.2548942981.000000000064E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\GdsGKfLRby.exe	API call chain: ExitProcess graph end node			graph_1-8573
Source: C:\Users\user\Desktop\GdsGKfLRby.exe	API call chain: ExitProcess graph end node			graph_1-8546

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc,

1_2_00408417

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_004121C0 keybd_event,

1_2_004121C0

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_004121EF SetCursorPos,mouse_event,

1_2_004121EF

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_0040A115 GetLocalTime,

1_2_0040A115

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_004130E8 GetUserNameW,WideCharToMultiByte,

1_2_004130E8

Source: C:\Users\user\Desktop\GdsGKfLRby.exe

Code function: 1_2_004132E6 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics,

1_2_004132E6

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Remote Access Functionality

Yara detected NetWire RAT

Source: Yara match	File source: GdsGKfLRby.exe, type: SAMPLE
Source: Yara match	File source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.2103948547.0000000000422000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GdsGKfLRby.exe PID: 6496, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	121 Input Capture	1 System Time Discovery	Remote Services	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Obfuscated Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	121 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	5 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
GdsGKfLRby.exe	97%	ReversingLabs	Win32.Backdoor.NetWired
GdsGKfLRby.exe	88%	Virustotal		Browse
GdsGKfLRby.exe	100%	Avira	TR/Spy.Gen
GdsGKfLRby.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
171.39.242.20.in-addr.arpa	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
netwire2021.duckdns.org:7929	6%	Virustotal		Browse
http://www.yandex.comsocks=	0%	Avira URL Cloud	safe
http://www.yandex.com	0%	Avira URL Cloud	safe
http://www.yandex.com	0%	Virustotal		Browse
netwire2021.duckdns.org:7929	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
171.39.242.20.in-addr.arpa	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
netwire2021.duckdns.org:7929	true	6%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
http://www.yandex.com	GdsGKfLRby.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.yandex.comsocks=	GdsGKfLRby.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447645
Start date and time:	2024-05-26 09:55:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GdsGKfLRby.exe renamed because original name is a hash value
Original Sample Name:	b437936e1752bd430545f30ba5223fabe413dc39ec2a82f437d11fd857dcede8.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 105
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com

Simulations

Behavior and APIs

Time	Type	Description
03:56:56	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GdsGKfLRby.exe_47b0a69c1a3a44ac22d8e11787a70ffb2e917_5b85fd9f_eb65cfd7-65d8-4100-8a9c-2d3fd4393bae\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.749604798589042
Encrypted:	false
SSDEEP:	96:idgFl+MsChaY7vfNQXIDcQ2c6YcEfcw3x+HbHg/oJAnQO3q8PCFDbEgOyWZAX/di:V2Mk0YcFijkqzuiF0Z24IO8bi
MD5:	C77C9EBA5FE661A17F07D842EF1CE5AF
SHA1:	77BD272A442ACDAC02984E92630AF339D92B9079
SHA-256:	BF7E0AEA29CF7C2C216E8BA91C1FD8AAC2705BB29F737735108D88CBA14B2288
SHA-512:	C901944C93FDB86DA7202CF50969622EB90663DF88C40CAE03EA2720F24566F83DC84D01B063D4D997A5D158F51319D989421397C972C03D0FF1FE3C777EAFF6
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.1.8.3.8.0.0.8.5.3.5.2.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.1.8.3.8.0.2.1.0.3.5.2.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.6.5.c.f.d.7.-.6.5.d.8.-.4.1.0.0.-.8.a.9.c.-.2.d.3.f.d.4.3.9.3.b.a.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.3.4.a.4.8.8.-.0.5.a.8.-.4.f.b.f.-.a.f.a.c.-.c.c.d.3.9.d.6.6.e.d.9.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.G.d.s.G.K.f.L.R.b.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.6.0.-.0.0.0.1.-.0.0.1.4.-.3.1.b.0.-.1.e.2.d.4.2.a.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.3.b.7.3.1.2.0.3.6.d.1.1.6.f.4.3.a.c.2.a.4.1.5.e.8.f.5.0.4.9.d.0.0.0.0.f.f.f.f.!.0.0.0.0.0.f.6.f.6.e.f.2.b.5.6.9.1.9.4.6.7.0.3.d.3.7.a.6.3.1.6.4.5.2.d.d.a.6.d.5.e.a.b.5.!.G.d.s.G.K.f.L.R.b.y...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D99.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun May 26 07:56:40 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	63556
Entropy (8bit):	1.6148188550427234
Encrypted:	false
SSDEEP:	192:3M3tX7Z5mOWF2QC8PCn3uNTWvkxSxAFOQcXyGC2W39o3KDNi+GIkzJckUi:GRxWFsmTWvkxSxAoQcCP2WN8R5Ik9
MD5:	8F194E5A0044726B1FE2EFBE015991BA
SHA1:	79A593995BE9290490F53DBCFFE70739CD84963C
SHA-256:	2BB73E7FFB4E56A9BF3C7960C264F2AD94B38E010ED3E575A1B44273207F3B85
SHA-512:	001B1FE0C47C17308790EA8935A4596043EE53173A5D8F452DB01671E66111C39F411AD18F4EE5326A9A928973D8CA6F16F9226F7F0DF48059E43ED646BB5150
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......8.Rf........................L...........4....!..........T.......8...........T.......................................................................................................................eJ......l.......GenuineIntel............T.......`.....Rf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E46.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8366
Entropy (8bit):	3.701478425040177
Encrypted:	false
SSDEEP:	192:R6l7wVeJzu6cQD6YEIYSU9yBgmfUpWyBpDx89b2ZsfSSm:R6lXJ66cQD6YE3SU9yBgmfU1K2yfO
MD5:	2938181CCA175503916E413BFC7362FF
SHA1:	2FC65C6B4BEA4EB472D657EBCC1EB66DB54E02FA
SHA-256:	DC2D3E760EBD093F989BD2B9B420516DDE8239BA8BE2B464004B609F037EF5D6
SHA-512:	793DC6FDC330A2BC86DA9DC3892246771528287BDC2F8F81922F2AB01A62A45D475F319BEDB2437810F8297256AD5C5FE99B1E5BF41C861FC1725DFAF9598E69
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E76.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4583
Entropy (8bit):	4.474369752148524
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg77aI9JeWpW8VYuYm8M4JgoRFOy+q88uc5rsCJ6vnMd:uIjfaI7rf7VaJgXyYWrsCEvnMd
MD5:	E9113B4E99B49F6DBB8983CDE3EF3713
SHA1:	87E006AFC3809171E1724A74950F15171CCA8258
SHA-256:	C1B18ED805EA1D878F1AF3FEB9D951D929BF05E70C9C730C68063DBFE405C69C
SHA-512:	F80956FFFE08F21EA83B3900CA80B307C91F66071A970AE4A1BDCD09C56F6ADAE330023258F43AA5A38952C1FF957B26BECD5679BB1600AA93300EC153E0D326
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="339779" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4215813472971135
Encrypted:	false
SSDEEP:	6144:WSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN10uhiTw:1vloTMW+EZMM6DFyb03w
MD5:	992E757362D3A5D078E92824678CC5EA
SHA1:	E0461E52932010E78D16F3FB8DC37AB3DD83D78A
SHA-256:	87956B76A3EA6A3DDB6AA8D05DAB190965A58146CB76FC6FF42AB0B459CA288B
SHA-512:	589134A880600220943A6CF59FF31F404F450974E8F97F70C21013DED0398276CC0B07D77A77E2690D9B1632831FF70D64E5E24FF161791843EF4B15CD5E1D58
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm:.;>B.................................................................................................................................................................................................................................................................................................................................................-.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.334530398909801
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	GdsGKfLRby.exe
File size:	164'352 bytes
MD5:	48e6ba377d90401cee819471fcea38b9
SHA1:	0f6f6ef2b5691946703d37a6316452dda6d5eab5
SHA256:	b437936e1752bd430545f30ba5223fabe413dc39ec2a82f437d11fd857dcede8
SHA512:	caf22b64bf47f6515d7f75dbfc8605ce85a3248188d61049f1cd54ce0b6cbb441fd1005333464f66a95d990e2f912d4b60e5418a4d7b14fd4f115e156cbf307f
SSDEEP:	3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLvGdYMjMqqDL0Ff:jOTcK+NrRioGHlz8rz0i/8zQqqDwFf
TLSH:	84F31718FA87A4F6FE4B1D31919BF33F0B757A01C130CE92EF141E85EA23D26151AA59
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Fy.^.....................x...h..-$....... ....@..........................0................ .........................1..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40242d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x5ECA7946 [Sun May 24 13:40:22 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4563c74acbd357d386b177e402b96ce4

Entrypoint Preview

Instruction
push ebp
push edi
mov eax, 0000802Ch
push esi
push ebx
call 00007FE2E86E8F4Ah
sub esp, eax
lea esi, dword ptr [esp+18h]
lea ebx, dword ptr [esp+1Ch]
call 00007FE2E86CF4A4h
call 00007FE2E86D9D7Ch
call 00007FE2E86CD4CAh
call 00007FE2E86DD534h
call 00007FE2E86D279Ch
call 00007FE2E86D2B12h
mov dword ptr [esp+1Ch], FFFFFFFFh
mov eax, dword ptr [esp+1Ch]
mov dword ptr [esp+08h], 00000004h
mov dword ptr [esp+04h], esi
mov dword ptr [esp+18h], 00000000h
mov dword ptr [esp], eax
call 00007FE2E86CFB30h
test al, al
je 00007FE2E86CC037h
mov ecx, dword ptr [esp+1Ch]
mov edi, dword ptr [esp+18h]
mov dword ptr [esp], ecx
mov dword ptr [esp+04h], edi
call 00007FE2E86CBED8h
test al, al
je 00007FE2E86CBF52h
lea eax, dword ptr [esp+20h]
mov dword ptr [esp+08h], edi
mov dword ptr [esp], ecx
mov dword ptr [esp+04h], eax
call 00007FE2E86CFAFCh
test al, al
je 00007FE2E86CBFF2h
mov ecx, dword ptr [esp+18h]
cmp ecx, 00007FFFh
jnbe 00007FE2E86CBF97h
mov byte ptr [esp+ecx+20h], 00000000h
movzx ebp, byte ptr [esp+20h]
mov edi, dword ptr [esp+1Ch]
mov dword ptr [esp], edi
mov dword ptr [esp+04h], ebp
call 00007FE2E86CBEBCh
test al, al
jne 00007FE2E86CBFABh
mov dword ptr [esp], 00002710h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2f000	0x31	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x30000	0x13e8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x32000	0xdac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3039c	0x2d4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20578	0x20600	099fef7ea3c54ecba263d6dbc96a6e54	False	0.5099164454633205	data	6.008927586791251	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x22000	0x4c7c	0x4e00	34a0f70f7abfe596c8fc6c4117276fca	False	0.5350060096153846	data	6.994056753742937	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.eh_fram	0x27000	0x5d8	0x600	ee3526956133654d2a7c0bf23fe30087	False	0.375	data	4.5721581531990685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x28000	0x6684	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x2f000	0x31	0x200	4fca42e2045a6ebca8ded8b2c6d69815	False	0.08203125	data	0.45736744622245973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x30000	0x13e8	0x1400	55b497ca7a3116d1f5cafda7acbac460	False	0.5333984375	data	5.67472061943603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x32000	0xdac	0xe00	ac467d2463f31d21d99a47c4563bad8a	False	0.8348214285714286	data	6.5719134371915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.DLL	CryptAcquireContextA, CryptCreateHash, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptReleaseContext, GetUserNameW, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyExA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
CRYPT32.DLL	CryptUnprotectData
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDIBits, SelectObject
KERNEL32.dll	CloseHandle, CreateDirectoryW, CreateFileW, CreateMutexA, CreatePipe, CreateProcessA, CreateToolhelp32Snapshot, DeleteFileW, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, FindNextFileW, FreeLibrary, GetCommandLineA, GetComputerNameW, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetFileAttributesExW, GetFileAttributesW, GetLastError, GetLocalTime, GetLogicalDriveStringsA, GetModuleFileNameW, GetProcAddress, GetProcessTimes, GetStartupInfoA, GetSystemInfo, GetSystemTime, GetTickCount, GetVersionExA, GetVolumeInformationA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LocalFree, MoveFileW, MultiByteToWideChar, OpenProcess, PeekNamedPipe, Process32First, Process32Next, ReadFile, ReleaseMutex, ResumeThread, SetErrorMode, SetFileAttributesW, SetFilePointer, Sleep, TerminateProcess, WideCharToMultiByte, WriteFile
msvcrt.dll	_assert, _beginthreadex, _errno, _filelengthi64, _mkdir, _snwprintf, _stat, _vscprintf, _vsnprintf, _wfopen, calloc, fclose, fflush, fgetpos, fgets, fopen, fread, free, freopen, fseek, fsetpos, ftell, fwprintf, fwrite, getenv, localtime, malloc, memcmp, mktime, realloc, remove, sprintf, strcat, strchr, strcmp, strcpy, strncpy, time, utime, wcscat
NETAPI32.DLL	NetApiBufferFree, NetWkstaGetInfo
SHELL32.DLL	SHFileOperationW, ShellExecuteA, ShellExecuteW
USER32.dll	CreateWindowExW, DefWindowProcW, DispatchMessageA, EnumWindows, GetDC, GetDesktopWindow, GetForegroundWindow, GetKeyNameTextW, GetKeyState, GetKeyboardState, GetLastInputInfo, GetMessageW, GetSystemMetrics, GetWindowTextW, IsWindowVisible, MapVirtualKeyW, PostQuitMessage, RegisterClassExW, ReleaseDC, SendMessageA, SendMessageW, SetCursorPos, SetWindowTextW, ShowWindow, ToUnicode, TranslateMessage, keybd_event, mouse_event
WS2_32.dll	WSACleanup, WSAGetLastError, WSAIoctl, WSAStartup, __WSAFDIsSet, closesocket, connect, gethostbyname, htons, inet_ntoa, ioctlsocket, ntohs, recv, select, send, setsockopt, shutdown, socket

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 26, 2024 09:56:50.959733963 CEST	53	53445	162.159.36.2	192.168.2.5
May 26, 2024 09:56:51.481959105 CEST	56106	53	192.168.2.5	1.1.1.1
May 26, 2024 09:56:51.559561968 CEST	53	56106	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 26, 2024 09:56:51.481959105 CEST	192.168.2.5	1.1.1.1	0x4504	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 26, 2024 09:56:51.559561968 CEST	1.1.1.1	192.168.2.5	0x4504	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	1
Start time:	03:56:12
Start date:	26/05/2024
Path:	C:\Users\user\Desktop\GdsGKfLRby.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\GdsGKfLRby.exe"
Imagebase:	0x400000
File size:	164'352 bytes
MD5 hash:	48E6BA377D90401CEE819471FCEA38B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Netwire_6a7df287, Description: unknown, Source: 00000001.00000000.2103922275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Netwire_1b43df38, Description: unknown, Source: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000001.00000000.2103948547.0000000000422000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Netwire_1b43df38, Description: unknown, Source: 00000001.00000000.2103948547.0000000000422000.00000008.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Netwire_6a7df287, Description: unknown, Source: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:56:40
Start date:	26/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 400
Imagebase:	0xfa0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13%
Total number of Nodes:	261
Total number of Limit Nodes:	2

Executed Functions

Function 00408C65 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00408C81
malloc.MSVCRT ref: 00408D36
malloc.MSVCRT ref: 00408D91

Strings

@, xrefs: 00408DEB
:, xrefs: 00408DFB

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: malloc
String ID: :$@
API String ID: 2803490479-1367939426
Opcode ID: 49f5d5e5c66d449692c97e5cfd2201180b6792fa2bdc3c508c2aecf96e8573c9
Instruction ID: ef4ad269280774ff2184a95f10acb59d81b6a7d54bd4368cac39de452cc0daf6
Opcode Fuzzy Hash: 49f5d5e5c66d449692c97e5cfd2201180b6792fa2bdc3c508c2aecf96e8573c9
Instruction Fuzzy Hash: 975128B05087009FD310EF29D58425ABBE0FF88718F41892EF5D887291D7B8958ACF8A

Function 00405959 Relevance: 4.5, APIs: 3, Instructions: 16
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0040596E
ExitProcess.KERNEL32 ref: 00405980
InitializeCriticalSection.KERNEL32 ref: 0040598C

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: CriticalExitInitializeProcessSectionStartup
String ID:
API String ID: 3456047655-0
Opcode ID: 586562ab7f660d792621f7f3ff03a76942849b748750d6b5247e0080a37609ce
Instruction ID: 24ad92727fe000e7c60640d94de1f7f21ee868b5df478abe0a14dc0806b9406b
Opcode Fuzzy Hash: 586562ab7f660d792621f7f3ff03a76942849b748750d6b5247e0080a37609ce
Instruction Fuzzy Hash: A4D012F0504301AEE710BF51D4057BA7AE8AB41310F41483EA8D086242D77D448D4AA7

Non-executed Functions

Function 00408417 Relevance: 49.3, APIs: 13, Strings: 15, Instructions: 294
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,?,0040914E), ref: 0040843C
GetProcAddress.KERNEL32(?,?), ref: 00408449
LoadLibraryA.KERNEL32(?,?,?,?,?,0040914E), ref: 00408467
GetProcAddress.KERNEL32 ref: 00408474
malloc.MSVCRT ref: 004085DE
malloc.MSVCRT ref: 00408678
malloc.MSVCRT ref: 004086BF
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040914E), ref: 00408730
GetProcAddress.KERNEL32 ref: 0040873D
malloc.MSVCRT ref: 00408755
malloc.MSVCRT ref: 00408802
malloc.MSVCRT ref: 004088A2
malloc.MSVCRT ref: 004088E9

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Strings

socks=, xrefs: 0040863E, 00408865
t, xrefs: 004087DB
p, xrefs: 004085BC
h, xrefs: 004087C6
p/B, xrefs: 004087AA
h, xrefs: 004085A2
=, xrefs: 004087E5
InternetProxy, xrefs: 00408491
@, xrefs: 004088F3
t, xrefs: 004087CB
http://www.yandex.com, xrefs: 004084E8
p, xrefs: 004087E0
t, xrefs: 004085B7
=, xrefs: 004085C1
t, xrefs: 004085A7

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: malloc$AddressLibraryLoadProc$_vsnprintf
String ID: =$=$@$InternetProxy$h$h$http://www.yandex.com$p$p$p/B$socks=$t$t$t$t
API String ID: 3272051020-3390938176
Opcode ID: 2a297506814e41453f0cb424917c6166d847a589c1b2d897310f0baa7ccc6c15
Instruction ID: 129794d27e18b5d836c16bc2de0120feea3297db44a07732c008f05b0d4f5d07
Opcode Fuzzy Hash: 2a297506814e41453f0cb424917c6166d847a589c1b2d897310f0baa7ccc6c15
Instruction Fuzzy Hash: 09D1F5B0508740AFD710EF25C68479ABBF0BF84744F418C2EE5C897351EBB99989CB5A

Function 00411D8C Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 195
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00411DBD
GetSystemMetrics.USER32(?), ref: 00411DCC
GetDesktopWindow.USER32 ref: 00411DD4
GetDC.USER32 ref: 00411DFD
CreateCompatibleDC.GDI32 ref: 00411E08
CreateCompatibleBitmap.GDI32(?,?), ref: 00411E1D
SelectObject.GDI32 ref: 00411E4F
BitBlt.GDI32(00000000,00000000), ref: 00411E91
GetDIBits.GDI32 ref: 00411F17
calloc.MSVCRT ref: 00411F9C
GetDIBits.GDI32 ref: 00411FD7
ReleaseDC.USER32 ref: 00412044
DeleteDC.GDI32(00000000), ref: 00412052
DeleteObject.GDI32 ref: 0041205B
free.MSVCRT(?,00000000), ref: 004120B2

Strings

, xrefs: 00411E5A
(, xrefs: 00411F58
BM, xrefs: 00411F32
(, xrefs: 00412003
6, xrefs: 00411F47

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: BitsCompatibleCreateDeleteMetricsObjectSystem$BitmapDesktopReleaseSelectWindowcallocfree
String ID: $($($6$BM
API String ID: 3075093512-2637400849
Opcode ID: d7d7e5d3c01187142e8c43228c98c6042b0c96f3a722dfa341cae57414d2b9e1
Instruction ID: c42d9fa6f562a18c3eedbb1c72d559f421865ac330c7369b2ec7bacda9b62638
Opcode Fuzzy Hash: d7d7e5d3c01187142e8c43228c98c6042b0c96f3a722dfa341cae57414d2b9e1
Instruction Fuzzy Hash: 4781BDB05093409FD310EF6AD68475BBBE4AF88744F40892EF58887351E7B9D8888B5B

Function 00409953 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 210
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetKeyState.USER32 ref: 0040996B
GetKeyState.USER32 ref: 0040997A
GetKeyState.USER32 ref: 00409987
GetKeyState.USER32 ref: 00409994
GetKeyboardState.USER32(00000000), ref: 004099A4
MapVirtualKeyW.USER32(00000000,00000000), ref: 00409B33
ToUnicode.USER32 ref: 00409B60
WideCharToMultiByte.KERNEL32 ref: 00409BAA
GetKeyState.USER32 ref: 00409BB9
MapVirtualKeyW.USER32 ref: 00409C01
GetKeyNameTextW.USER32 ref: 00409C21
GetKeyState.USER32 ref: 00409C38
WideCharToMultiByte.KERNEL32 ref: 00409CA8

Strings

@, xrefs: 00409C81
@, xrefs: 00409C12
@, xrefs: 00409B49

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: State$ByteCharMultiVirtualWide$KeyboardNameTextUnicode
String ID: @$@$@
API String ID: 284565539-1177533131
Opcode ID: a7201299a71ac298b4eb1a048ca88babafc008e2bbcecdb455fdf88870e38ce2
Instruction ID: 165817b8f912d8248abf4659c11c564849502453b133aa370f8f06421a69fc02
Opcode Fuzzy Hash: a7201299a71ac298b4eb1a048ca88babafc008e2bbcecdb455fdf88870e38ce2
Instruction Fuzzy Hash: 5D815AB0608351DAD720AF59D4C436FBAF4FB81304F51892FE4D566282C3BD49859F6B

Function 0040C4B7 Relevance: 26.9, APIs: 13, Strings: 2, Instructions: 656
registryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 0040C503
RegEnumKeyExA.ADVAPI32 ref: 0040C55F
RegOpenKeyExA.ADVAPI32 ref: 0040C5CE
RegCloseKey.ADVAPI32 ref: 0040C9E3

Part of subcall function 0040C46E: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0040CB2E), ref: 0040C4A6

RegOpenKeyExA.ADVAPI32 ref: 0040CA1C
RegEnumKeyExA.ADVAPI32 ref: 0040CA78
RegOpenKeyExA.ADVAPI32 ref: 0040CAE7
RegCloseKey.ADVAPI32 ref: 0040CF16

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

RegCloseKey.ADVAPI32 ref: 0040CEFC
CryptUnprotectData.CRYPT32 ref: 0040CF7D
LocalFree.KERNEL32 ref: 0040CFAC
CryptUnprotectData.CRYPT32 ref: 0040D072
LocalFree.KERNEL32 ref: 0040D0A1

Strings

~7B, xrefs: 0040D0CF
?, xrefs: 0040C5AF

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Open$Close$CryptDataEnumFreeLocalUnprotect$QueryValue_vsnprintf
String ID: ?$~7B
API String ID: 1208127340-2629379569
Opcode ID: f100039afa170a0f1c15f42b57fe66f6d4ca87e9390f3ad64929befda264930a
Instruction ID: c2d439ac8c23cb570df0ab79087284893563063e171fb1edf2eb3d6011b472d7
Opcode Fuzzy Hash: f100039afa170a0f1c15f42b57fe66f6d4ca87e9390f3ad64929befda264930a
Instruction Fuzzy Hash: DA726BB0408345AFD710EF6AC58525EFBF0BF88748F408E2EE4D897291D7B995498F46

Function 0041D049 Relevance: 25.0, APIs: 11, Strings: 3, Instructions: 453
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_stat.MSVCRT ref: 0041D1A1
fopen.MSVCRT ref: 0041D1DA
fseek.MSVCRT ref: 0041D1FA
ftell.MSVCRT ref: 0041D206
fseek.MSVCRT ref: 0041D231
fclose.MSVCRT ref: 0041D244

Strings

P, xrefs: 0041D682
K, xrefs: 0041D698
FB, xrefs: 0041D2AB

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: fseek$_statfclosefopenftell
String ID: FB$K$P
API String ID: 2614710449-1627385504
Opcode ID: 54049fe808654b227bba1578e1d34335061ffaf98f8a99cde8e77accde8bca1c
Instruction ID: 2f0101dfcf5e0978000162e92f0ac79abf139ad8f29847253f420d5a98adee70
Opcode Fuzzy Hash: 54049fe808654b227bba1578e1d34335061ffaf98f8a99cde8e77accde8bca1c
Instruction Fuzzy Hash: 67229FB4A087818FD720DF69C18479BFBE1AF89744F10892EE9D887350E779D885CB46

Function 0040753D Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 280
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32 ref: 004075C4
SetErrorMode.KERNEL32 ref: 004076EB
MultiByteToWideChar.KERNEL32 ref: 0040771F
wcscat.MSVCRT ref: 00407732
FindFirstFileW.KERNEL32 ref: 00407745
FindClose.KERNEL32(?,?), ref: 00407775
WideCharToMultiByte.KERNEL32 ref: 00407809
MultiByteToWideChar.KERNEL32 ref: 00407932
wcscat.MSVCRT ref: 00407948

Part of subcall function 00406B2B: _wfopen.MSVCRT ref: 00406B69
Part of subcall function 00406B2B: fread.MSVCRT ref: 00406BA2
Part of subcall function 00406B2B: fclose.MSVCRT ref: 00406C1A

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004079AB

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Part of subcall function 00405D7D: EnterCriticalSection.KERNEL32 ref: 00405DAD
Part of subcall function 00405D7D: LeaveCriticalSection.KERNEL32 ref: 00405ECC

FindNextFileW.KERNEL32(?,?), ref: 00407A42

Strings

;/B, xrefs: 0040789A
8/B, xrefs: 00407798
!, xrefs: 00407951

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$Find$CriticalFileSectionwcscat$CloseEnterErrorFirstLeaveModeNext_vsnprintf_wfopenfclosefread
String ID: !$8/B$;/B
API String ID: 1195691543-3428488148
Opcode ID: 0db96d41e41699db9f656d7569e1933fb0474d28dc8816ba95a9ce2816225d2e
Instruction ID: 2942108eb55d8b4688eca57bfe31ed8b2614f53b08094f2a7ccf2ab1801ba34f
Opcode Fuzzy Hash: 0db96d41e41699db9f656d7569e1933fb0474d28dc8816ba95a9ce2816225d2e
Instruction Fuzzy Hash: 5DE1B0B09097819FD320EF25C58879FBBE0BF84744F41892EE4D897291D7B895898F87

Function 00406F83 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 184
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32 ref: 00407056
FindFirstFileA.KERNEL32 ref: 0040708A
strcmp.MSVCRT ref: 004070B2
strcmp.MSVCRT ref: 004070CA
strcat.MSVCRT ref: 00407110
fopen.MSVCRT ref: 00407157
strncpy.MSVCRT ref: 00407195
fclose.MSVCRT ref: 004071D3
strcpy.MSVCRT ref: 00407242
FindNextFileA.KERNEL32 ref: 0040725E
FindClose.KERNEL32 ref: 00407274

Strings

X/B, xrefs: 0040714C
;/B, xrefs: 004071EE

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Find$Filestrcmp$CloseErrorFirstModeNextfclosefopenstrcatstrcpystrncpy
String ID: ;/B$X/B
API String ID: 1295692060-619761068
Opcode ID: cc94f65e219aa78bc87248342c53200a3b884502bad93e8bca9f56ca5310b663
Instruction ID: 6627613b86e129a79f3514e70df2e2269c09e6d90b38cf378645e3f88cd6e25a
Opcode Fuzzy Hash: cc94f65e219aa78bc87248342c53200a3b884502bad93e8bca9f56ca5310b663
Instruction Fuzzy Hash: 28811CB44087459FC710EF25C2846AEBBE4BF84318F45892EF9D89B342D7789486DF1A

Function 00406453 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 204filetimeCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00406492
SetErrorMode.KERNEL32 ref: 004064A1
FindFirstFileW.KERNEL32 ref: 004064B5
FileTimeToSystemTime.KERNEL32 ref: 00406547
WideCharToMultiByte.KERNEL32 ref: 00406617
FindNextFileW.KERNEL32 ref: 00406745
FindClose.KERNEL32 ref: 00406757

Part of subcall function 00405D7D: EnterCriticalSection.KERNEL32 ref: 00405DAD
Part of subcall function 00405D7D: LeaveCriticalSection.KERNEL32 ref: 00405ECC

Part of subcall function 00407F59: free.MSVCRT ref: 00407F6A

Strings

"B, xrefs: 00406675
%.2d/%.2d/%d %.2d:%.2d:%.2d, xrefs: 00406534
, xrefs: 00406568

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: FileFind$ByteCharCriticalMultiSectionTimeWide$CloseEnterErrorFirstLeaveModeNextSystemfree
String ID: $%.2d/%.2d/%d %.2d:%.2d:%.2d$"B
API String ID: 2473485750-57038091
Opcode ID: 3a87355c9401e98f2b6dd8472ebd5ff4394208b68e8698201d5d1cc5e3771088
Instruction ID: 4c70007c882a7ce573aae617e01390b0b466164858f4fbbb4a898ac5e72415b9
Opcode Fuzzy Hash: 3a87355c9401e98f2b6dd8472ebd5ff4394208b68e8698201d5d1cc5e3771088
Instruction Fuzzy Hash: 36A1B2B48087459FD710EF25C18469BBBE4BF84714F01892EF8D897391D7789589CF86

Function 0040EDD6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 236stringfileencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00408042: MultiByteToWideChar.KERNEL32 ref: 00408094
Part of subcall function 00408042: _wfopen.MSVCRT ref: 004080AE
Part of subcall function 00408042: fgetpos.MSVCRT ref: 004080F0
Part of subcall function 00408042: fsetpos.MSVCRT ref: 00408126
Part of subcall function 00408042: malloc.MSVCRT ref: 00408132
Part of subcall function 00408042: fread.MSVCRT ref: 00408152
Part of subcall function 00408042: realloc.MSVCRT ref: 00408168
Part of subcall function 00408042: fclose.MSVCRT ref: 00408174

fopen.MSVCRT ref: 0040EE98

Part of subcall function 004074C5: MultiByteToWideChar.KERNEL32 ref: 004074FE
Part of subcall function 004074C5: GetFileAttributesExW.KERNEL32 ref: 00407519

malloc.MSVCRT ref: 0040EEB4
fclose.MSVCRT ref: 0040EEC8
fread.MSVCRT ref: 0040EEE7
fclose.MSVCRT ref: 0040EEEF
CryptUnprotectData.CRYPT32 ref: 0040EFBC
sprintf.MSVCRT ref: 0040F036
strcmp.MSVCRT ref: 0040F046
strcmp.MSVCRT ref: 0040F05A

Strings

!, xrefs: 0040EFD7

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: fclose$ByteCharMultiWidefreadmallocstrcmp$AttributesCryptDataFileUnprotect_wfopenfgetposfopenfsetposreallocsprintf
String ID: !
API String ID: 2596569898-2657877971
Opcode ID: c147f44153b1e83bce3759e73796935fe42ee2f7056049f32318ccd0c49cd86e
Instruction ID: 786053efb03fb7134250340436023ef553204ed8f41ee6c066ba5e47f52fe47d
Opcode Fuzzy Hash: c147f44153b1e83bce3759e73796935fe42ee2f7056049f32318ccd0c49cd86e
Instruction Fuzzy Hash: FEC1EAB1A053198FDB50DF25C844B9EBBF0BF45308F0588AEE489E7681D7789A84CF46

Function 0040680D Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 168fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00406824
MultiByteToWideChar.KERNEL32 ref: 0040685F
wcscat.MSVCRT ref: 00406872
FindFirstFileW.KERNEL32 ref: 00406885
FindClose.KERNEL32 ref: 004068B2
WideCharToMultiByte.KERNEL32 ref: 00406924
FindNextFileW.KERNEL32 ref: 00406AB7

Strings

"B, xrefs: 004069A4
8/B, xrefs: 004068D5
;/B, xrefs: 00406A5F

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Find$ByteCharFileMultiWide$CloseErrorFirstModeNextwcscat
String ID: 8/B$;/B$"B
API String ID: 1999808103-785463125
Opcode ID: f1dd5b59dd90e2cd6b86d21233615770f5833fe61e03e8d61d53419095457b90
Instruction ID: 3ec7505ef3af3f69d728aa0d249a2e56fce710592115df83b66c59d2158606e8
Opcode Fuzzy Hash: f1dd5b59dd90e2cd6b86d21233615770f5833fe61e03e8d61d53419095457b90
Instruction Fuzzy Hash: CB8102B06093419FD320EF25C18469BBBE4BF85348F45882EE4C997381D7B89589CF87

Function 00406390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 004063AF
fopen.MSVCRT ref: 004063DB
_snwprintf.MSVCRT ref: 00406405
fwprintf.MSVCRT ref: 00406415
_snwprintf.MSVCRT ref: 0040641C
FindNextFileW.KERNEL32 ref: 00406428
FindClose.KERNEL32 ref: 00406436
fclose.MSVCRT ref: 00406443

Strings

,/B, xrefs: 004063F0

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Find$File_snwprintf$CloseFirstNextfclosefopenfwprintf
String ID: ,/B
API String ID: 4215708556-1155038791
Opcode ID: 8a012b87caedc31829cbf4f9110065dd04a3999989f632e85736f7b71116f674
Instruction ID: 110ac6783a2aa76cc845fc41d9c104154397b4f26a6f194d14aa4f1c43fee32b
Opcode Fuzzy Hash: 8a012b87caedc31829cbf4f9110065dd04a3999989f632e85736f7b71116f674
Instruction Fuzzy Hash: 7E115BB0509701AEC710AF25898459FFBE4AF80718F018D2EF4D497281D778848A8B6A

Function 00416619 Relevance: 11.3, APIs: 4, Strings: 3, Instructions: 783COMMON

Download Yara Rule

Strings

-, xrefs: 00416AAF
+, xrefs: 00416880
8, xrefs: 004167F7

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID:
String ID: +$-$8
API String ID: 0-3055312362
Opcode ID: f26fa2f78899781a49932aac13294cfda41e400e31aa373076b0278284c81065
Instruction ID: d0e530c000626a38c585737fd68ea07c8af64da2075d248bad87d4caaf24723a
Opcode Fuzzy Hash: f26fa2f78899781a49932aac13294cfda41e400e31aa373076b0278284c81065
Instruction Fuzzy Hash: 3F723975908351CFCB24CF19C0806AABBF1FF88314F168A1EE89597355D379E985CB8A

Function 00413A85 Relevance: 10.7, APIs: 7, Instructions: 151fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00413AA4

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

MultiByteToWideChar.KERNEL32 ref: 00413B02
FindFirstFileW.KERNEL32 ref: 00413B18
WideCharToMultiByte.KERNEL32 ref: 00413BB1
WideCharToMultiByte.KERNEL32 ref: 00413CA7
FindNextFileW.KERNEL32 ref: 00413D1B
FindClose.KERNEL32 ref: 00413D3D

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: ByteCharFindMultiWide$File$CloseErrorFirstModeNext_vsnprintf
String ID:
API String ID: 2650927523-0
Opcode ID: 334888fa3b4434e061fa7b69daef3cafc177c312af5b0b50911e5eeb64500dc7
Instruction ID: f6b2b9afb8f28ceff06ae1ca88c29ba9ed65548566ee5afaf2077295461a783a
Opcode Fuzzy Hash: 334888fa3b4434e061fa7b69daef3cafc177c312af5b0b50911e5eeb64500dc7
Instruction Fuzzy Hash: 0971AFB44093459BD320EF6AD18469FBBE0AF84758F008E1EE4D887391D7B89689CF57

Function 00406084 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 0041236C: malloc.MSVCRT ref: 0041237C

SetErrorMode.KERNEL32 ref: 004060A9
GetLogicalDriveStringsA.KERNEL32 ref: 004060C1
GetVolumeInformationA.KERNEL32 ref: 0040617C
GetDiskFreeSpaceExA.KERNEL32 ref: 004061D3
GetDriveTypeA.KERNEL32 ref: 00406250

Strings

@, xrefs: 00406215

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Drive$DiskErrorFreeInformationLogicalModeSpaceStringsTypeVolumemalloc
String ID: @
API String ID: 4103324456-2766056989
Opcode ID: 6e05202e2b6317dcf9b285d138a61c7554b9cffc0ce9619bb66956b9d9d47aae
Instruction ID: 7bbe8d17847550f4164a14e3f7f2cb4162b00115eb79a228a3fcc10edc21327c
Opcode Fuzzy Hash: 6e05202e2b6317dcf9b285d138a61c7554b9cffc0ce9619bb66956b9d9d47aae
Instruction Fuzzy Hash: EF61ABB0509741AEE300AF26C59435FFBE4BF84748F01882EE4D897251E7B985898F86

Function 0040DB1C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 0040DB2D

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

FindFirstFileA.KERNEL32 ref: 0040DB6F
FindNextFileA.KERNEL32 ref: 0040DCC6
FindClose.KERNEL32 ref: 0040DCD8

Strings

49B, xrefs: 0040DB41
=9B, xrefs: 0040DBA4

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Find$File$CloseErrorFirstModeNext_vsnprintf
String ID: 49B$=9B
API String ID: 3730131509-1437851871
Opcode ID: 614e9fffcf9219516c0050d8f59d1067c41d6f899a0319c1393b422afb48b831
Instruction ID: d2bbd74eba1eaf649f0bd4c37a8a6416b9e5ed0152e307ea26bcf85ad81135cc
Opcode Fuzzy Hash: 614e9fffcf9219516c0050d8f59d1067c41d6f899a0319c1393b422afb48b831
Instruction Fuzzy Hash: 064108B09083459AD720AF66C58455AFBE4FF85318F00892EA4DCD7381D7B8958ACF4A

Function 0040D290 Relevance: 9.1, APIs: 6, Instructions: 98encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 0040D2E2
CryptCreateHash.ADVAPI32 ref: 0040D31C
CryptHashData.ADVAPI32 ref: 0040D34B
CryptGetHashParam.ADVAPI32 ref: 0040D38A

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

CryptDestroyHash.ADVAPI32 ref: 0040D3F7
CryptReleaseContext.ADVAPI32 ref: 0040D40D

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease_vsnprintf
String ID:
API String ID: 3013291059-0
Opcode ID: 39854ef80ab4a7fbc3dc680ded39b80eed89874fe177f232a89a79b64462ce99
Instruction ID: 943cf95f321e7325facb401f71863eb3bfed9abde62d642a269049118650948e
Opcode Fuzzy Hash: 39854ef80ab4a7fbc3dc680ded39b80eed89874fe177f232a89a79b64462ce99
Instruction Fuzzy Hash: 7441F5B05083019FD700EF2AC58935FBBE4AF88718F01892EE8C897381D779C5498F96

Function 00420420 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00420557
_assert.MSVCRT ref: 004206E6

Strings

jB, xrefs: 004206D7
o, xrefs: 004206CF

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _assert
String ID: jB$o
API String ID: 1222420520-209914815
Opcode ID: c778598c57938beeda3a03c633ed9cdd53ae4a03349816565a6a334ef414175d
Instruction ID: 3ee2903d3d2c0e63440c59b9d95d43c21fe2c472ea4d5dc2fd0c85ac53de4ac0
Opcode Fuzzy Hash: c778598c57938beeda3a03c633ed9cdd53ae4a03349816565a6a334ef414175d
Instruction Fuzzy Hash: BB919E72A083628FC714CF29D48051AFBE2BFD8314F498A2EE8D59B355D735E945CB82

Function 00419463 Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1076COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00419926

Part of subcall function 00415ABF: _assert.MSVCRT ref: 00415ED2

Strings

j, xrefs: 00419822
FB, xrefs: 0041A30A

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _assert
String ID: FB$j
API String ID: 1222420520-2384955494
Opcode ID: b3fe8b43fc6bca3c0a33ffa51e4bd9a6c448f1523a39c18d1db3d81232f94cc6
Instruction ID: 85f7a6da2dcfde57a4cfc22b025c18cb3d8a1a973eabce23ce6fb58419e1cbaa
Opcode Fuzzy Hash: b3fe8b43fc6bca3c0a33ffa51e4bd9a6c448f1523a39c18d1db3d81232f94cc6
Instruction Fuzzy Hash: A3B28071909341CFCB54CF28C0906AABBE1FF88304F1585AEE8999B346D778DD85CB96

Function 004132E6 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00413325
GetVersionExA.KERNEL32(?), ref: 00413379
GetSystemInfo.KERNEL32(?,?), ref: 0041338C

Part of subcall function 0041328F: NetWkstaGetInfo.NETAPI32 ref: 004132B1
Part of subcall function 0041328F: NetApiBufferFree.NETAPI32 ref: 004132D8

GetSystemMetrics.USER32 ref: 004133FA

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: InfoSystemVersion$BufferFreeMetricsWksta
String ID:
API String ID: 1266462847-0
Opcode ID: a2f5e60309e9ea63997a5f63661c2a67e865f2bf7c7b30ca2f3ef5845b7a97e1
Instruction ID: aea862b3450ebf307a16053a8a3fc20b1df094ade6bc7c343729d6a33193dea1
Opcode Fuzzy Hash: a2f5e60309e9ea63997a5f63661c2a67e865f2bf7c7b30ca2f3ef5845b7a97e1
Instruction Fuzzy Hash: D7418E7040C7419AEB21AF21C5457AFBAE0AF81759F148E2FE4C487281D37D8AC98B5B

Function 00402570 Relevance: 6.1, APIs: 4, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004025BF
Process32First.KERNEL32 ref: 004025DF
Process32Next.KERNEL32 ref: 00402614
CloseHandle.KERNEL32 ref: 0040261E

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 8705725f05fe9afeeedec4a0c2d3b20b049fa06699c5a5ff1e195fb4d0e9f0db
Instruction ID: dbb4d6dc22455ac6b6b4c8bb6317d27c69ec59bbf57194761826882fdadde184
Opcode Fuzzy Hash: 8705725f05fe9afeeedec4a0c2d3b20b049fa06699c5a5ff1e195fb4d0e9f0db
Instruction Fuzzy Hash: EB1119B0409701AAD710AF15CA856AFFBE8EF80718F008D2FF4C893252D3B99485CB5A

Function 004208C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 485COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00420C90
_assert.MSVCRT ref: 00420F11

Strings

HjB, xrefs: 00420F02

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _assert
String ID: HjB
API String ID: 1222420520-2248713979
Opcode ID: f62c3d4576d8ad505b0a81f0fa83231c5cc89cc9aafe5267dd7225276671c9f6
Instruction ID: a3441135aa71a6079429eef520cd0e1a6c464effaa05f67e07f9da83f6d0b88a
Opcode Fuzzy Hash: f62c3d4576d8ad505b0a81f0fa83231c5cc89cc9aafe5267dd7225276671c9f6
Instruction Fuzzy Hash: 222288716083A18FC724CF29D49052ABBE1BFC9314F448A6EF9E597356D234EA05CF92

Function 0040E511 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 0040E645
LocalFree.KERNEL32 ref: 0040E704

Strings

5B, xrefs: 0040E68E

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID: 5B
API String ID: 1561624719-3738334870
Opcode ID: c63f1e79abc16ef90ff5286a14a4e2a9458261c6144f1dd153b029fa06e06a91
Instruction ID: 6f154d43ee89b411a9f17fea58252a0a0f24be58a4641eb8c9eefda1aa91bd9a
Opcode Fuzzy Hash: c63f1e79abc16ef90ff5286a14a4e2a9458261c6144f1dd153b029fa06e06a91
Instruction Fuzzy Hash: 3171BFB05083449FC710DF2AC18475BFBE0BB89348F448D2EE99897391E779D999CB86

Function 00405811 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

send.WS2_32 ref: 00405878
recv.WS2_32 ref: 004058B7

Strings

.B, xrefs: 004058C7

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _vsnprintfrecvsend
String ID: .B
API String ID: 2169655391-2011479308
Opcode ID: 2ec24ba702f98473ee5d9a715ab26bdcf3092223efe4a5c028eb6e3fbd3b2434
Instruction ID: 44476910b367cb1c2704fc52ca41c1ffc0a5ae24bf239666488ca44df54fa44d
Opcode Fuzzy Hash: 2ec24ba702f98473ee5d9a715ab26bdcf3092223efe4a5c028eb6e3fbd3b2434
Instruction Fuzzy Hash: 4111E2B1409301AED310AF29D58935FFBE0FF84354F51882EE4D897251D7788989DF96

Function 004130E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00413112
WideCharToMultiByte.KERNEL32 ref: 00413154

Strings

@, xrefs: 0041312D

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: ByteCharMultiNameUserWide
String ID: @
API String ID: 2949824840-2766056989
Opcode ID: 09c9c0a9f06fa941f3f5a46c28196dba5f2fafc07f774812d3ae38cfce7fc380
Instruction ID: 75a62b7ad59212d7e7d3757252a2119b8f15ada3fb68da9ed8f134ad780259a0
Opcode Fuzzy Hash: 09c9c0a9f06fa941f3f5a46c28196dba5f2fafc07f774812d3ae38cfce7fc380
Instruction Fuzzy Hash: 830108B0409341AED320AF26D94479BFBE4BBD4714F008A1EE49847290D37985498B97

Function 00415079 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 432COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 004155C8

Strings

FB, xrefs: 00415609

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _assert
String ID: FB
API String ID: 1222420520-4194129869
Opcode ID: 46893e09e37b25dd200b0db0f7321bbeb65247fb8bfb45dea1f34a14322b6770
Instruction ID: 8934405eb0176573ac8fe7b21ac65539928ae6525602ef26ebf357b260492e82
Opcode Fuzzy Hash: 46893e09e37b25dd200b0db0f7321bbeb65247fb8bfb45dea1f34a14322b6770
Instruction Fuzzy Hash: 7712B131508741CBCB15CF28C0842EABBE2FFD5304F5849AED8994B346E779D989CB96

Function 00415ABF Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 396COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00415ED2

Strings

FB, xrefs: 00415D93

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _assert
String ID: FB
API String ID: 1222420520-4194129869
Opcode ID: 8ddbe3c9850994fc0d72c42226f444b701068ab875a1f9731f5df1535297b31b
Instruction ID: a7d617267acf3779656a729e3d165d253c0adcf1a2096d40c2f4e68e066cb6e0
Opcode Fuzzy Hash: 8ddbe3c9850994fc0d72c42226f444b701068ab875a1f9731f5df1535297b31b
Instruction Fuzzy Hash: 5C02F370505601CFCB58CF28C5C46957BA2FF95304F5886AADD4A8F34AE339E8C9CB99

Function 0040A115 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0040A13F

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Part of subcall function 0040970C: GetLocalTime.KERNEL32 ref: 00409733
Part of subcall function 0040970C: CloseHandle.KERNEL32 ref: 0040979A
Part of subcall function 0040970C: MultiByteToWideChar.KERNEL32 ref: 0040982A
Part of subcall function 0040970C: CreateFileW.KERNEL32 ref: 00409865

Strings

3B, xrefs: 0040A1AC

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: LocalTime$ByteCharCloseCreateFileHandleMultiWide_vsnprintf
String ID: 3B
API String ID: 1146952123-2602569677
Opcode ID: 5591ed2e94f3fe8972e20bad9ffc4cb21d90fde9e93a0863d429b9defc772554
Instruction ID: 34f9120a3e00634d565d7763f47cba82c7014e7225e68866d6d8ccf2245a1495
Opcode Fuzzy Hash: 5591ed2e94f3fe8972e20bad9ffc4cb21d90fde9e93a0863d429b9defc772554
Instruction Fuzzy Hash: FC11FAB4418311ABD710EF21D58426FBBE4BF84308F418D2EF8D89B281D7BC8985DB4A

Function 004121EF Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

SetCursorPos.USER32 ref: 00412203
mouse_event.USER32 ref: 00412297

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Cursormouse_event
String ID:
API String ID: 1102576784-0
Opcode ID: 02aa775cd51f21a886bada7529a77aa4c4527e8a93dc87a2c038cd1471ca5427
Instruction ID: 2d8ae4a002b4347ec37d14b3ea5e3552e9b4ec24971f98579b9e90b097ea308f
Opcode Fuzzy Hash: 02aa775cd51f21a886bada7529a77aa4c4527e8a93dc87a2c038cd1471ca5427
Instruction Fuzzy Hash: B70184B4009350AAE744AF15C11936FBFE1BB80708F408C5EF4D44A290D3BD8599DB97

Function 004121C0 Relevance: 1.5, APIs: 1, Instructions: 10keyboardCOMMON

Download Yara Rule

APIs

keybd_event.USER32 ref: 004121E3

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: keybd_event
String ID:
API String ID: 2665452162-0
Opcode ID: fc0e2f1ce52b91d2f25bab5800c9da4a646e5a4d84648ec4c398f99e0da44be8
Instruction ID: c3d59fdb0b4da9d538631368c5f777f5d3843ca3ad337a3792014ed51d975762
Opcode Fuzzy Hash: fc0e2f1ce52b91d2f25bab5800c9da4a646e5a4d84648ec4c398f99e0da44be8
Instruction Fuzzy Hash: 55D0E9B58087545AD7007F29C15A32ABEE0BB85308F84899DE8D846256E37D82589F97

Function 0040A728 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64fd2081e40542ec24b5bab1fe1992d84aed860da4e2f42b8fc7b43fd1c603b
Instruction ID: 3df998bb04c351a582b34812b499681519a7d1f8fe80b65cb1d05d8504fcfd5d
Opcode Fuzzy Hash: c64fd2081e40542ec24b5bab1fe1992d84aed860da4e2f42b8fc7b43fd1c603b
Instruction Fuzzy Hash: F92230B7F443214BC71CCE55C890596B393BBD822071FD66D8C46AB719DAB8BD0A8AC0

Function 00414976 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6db6ac2926072ef1bc6234f6135838dcb1d9f06ecfca5c34d07e106ff1408f
Instruction ID: 0afe2eb6dae3cd22a8d80e04e73e90d298cf68a03aa805315aad90411e67708f
Opcode Fuzzy Hash: ac6db6ac2926072ef1bc6234f6135838dcb1d9f06ecfca5c34d07e106ff1408f
Instruction Fuzzy Hash: F6D1BC75508352CFC720DF58D0806ABB7E1FFC5354F16896ED48A8B351E738A886CB8A

Function 00403047 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fff2553cdd902432e618f4e3bbb8c487e60df0bcc975cc7b3d7c1c351fff24
Instruction ID: 8797af91ac4715f1fb2e54a80d0cb35914c2db1e63e77e2d212aaf63986e366c
Opcode Fuzzy Hash: 51fff2553cdd902432e618f4e3bbb8c487e60df0bcc975cc7b3d7c1c351fff24
Instruction Fuzzy Hash: 11D1C7316082904FC364DF2ED8D047AF7E2EBC9301B99C66EE5D5473A6CA34E512DBA4

Function 004034D3 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fca94041a9df32a14316a36e9a12f077d164a7417f38a532b740c9282b2453
Instruction ID: 2765ddb06063666b79bad2b3ff5c0cc9fb0e1b865b8642978e654f5c271af5cc
Opcode Fuzzy Hash: 27fca94041a9df32a14316a36e9a12f077d164a7417f38a532b740c9282b2453
Instruction Fuzzy Hash: 3BD1EA31A042A58FC314DF2DD8D157AF7E0EB49301F86856EE5D6573A2CB34A811DBD4

Function 00402AFC Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3fcca1c993dc30e769f274d1395556741c4fbbbb2cde2ff695ebfbbd3511dcc
Instruction ID: b015c0dcccaa6a010ea3fa599d91632165f755c2c91e9af8a801e1c9d75bd2f2
Opcode Fuzzy Hash: c3fcca1c993dc30e769f274d1395556741c4fbbbb2cde2ff695ebfbbd3511dcc
Instruction Fuzzy Hash: 1AA17472A241714BD31D8F2D98A453ABBE0BF0920174B46EFD896EB293CA74DC41DBD4

Function 00420F40 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d356f27bb473633d8b53949ddcdb445a6e1839317b6b1b33dede28864bd044b
Instruction ID: 0f5424987ccef4c18d47929a767011605ba0901791081486b192bd6b24ef0d2b
Opcode Fuzzy Hash: 2d356f27bb473633d8b53949ddcdb445a6e1839317b6b1b33dede28864bd044b
Instruction Fuzzy Hash: C9717C33C047359BD3108F26D8402AABBE1AF98318F8B8969EC9963341C674AD029BD5

Function 00402E68 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f8c30ec476356e5b62ab59b84050d130f009497b096a1606cb89d09e085b6b
Instruction ID: e819e0456b28a7b1ad2ee4cb1be710d210eb08b349be8c4b8c9e5110c3859625
Opcode Fuzzy Hash: 84f8c30ec476356e5b62ab59b84050d130f009497b096a1606cb89d09e085b6b
Instruction Fuzzy Hash: 1C518E71A042988FD7149F1AEC94075BBE1F78D311B8A45BEEA84173A1D734F402DBE8

Function 0041FF50 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92d4ecba4161925266479d0afbb402e3def9d4cd15aad5feb47486b5a973f05
Instruction ID: 86110b307b21d8af55dc1a997a8f43314d6b7871475df1e76ed2e41889e1307b
Opcode Fuzzy Hash: a92d4ecba4161925266479d0afbb402e3def9d4cd15aad5feb47486b5a973f05
Instruction Fuzzy Hash: 6E4152B2A14B058FD304CF69C88471AF7E1FB98324F59C56CE6598B392D675E847CB80

Function 0040AEC6 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c45a9dc0c36618680e4bd6899bb43762db179e5c9582f89233faa09b195c5ab
Instruction ID: c8ef6340a37f776bde53b87d3697213aec168059dab6d3096e9a931dd9a6e3bf
Opcode Fuzzy Hash: 0c45a9dc0c36618680e4bd6899bb43762db179e5c9582f89233faa09b195c5ab
Instruction Fuzzy Hash: CA4119752093C08ECB15CF6D84C055ABFE1AFA6200B08C99EE8D99F74BD638D949C762

Function 0040262F Relevance: 31.8, APIs: 8, Strings: 10, Instructions: 282
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041236C: malloc.MSVCRT ref: 0041237C

Part of subcall function 00407F7A: LoadLibraryA.KERNEL32 ref: 00407F84

Part of subcall function 00407F8E: GetProcAddress.KERNEL32 ref: 00407FA0

malloc.MSVCRT ref: 00402760
htons.WS2_32 ref: 004027C2
htons.WS2_32 ref: 0040280F
htons.WS2_32 ref: 004029AC
inet_ntoa.WS2_32 ref: 004029BA
inet_ntoa.WS2_32 ref: 0040281D

Part of subcall function 00402570: CreateToolhelp32Snapshot.KERNEL32 ref: 004025BF
Part of subcall function 00402570: Process32First.KERNEL32 ref: 004025DF
Part of subcall function 00402570: CloseHandle.KERNEL32 ref: 0040261E

inet_ntoa.WS2_32 ref: 004027D0

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

malloc.MSVCRT ref: 00402948

Strings

%s:%d, xrefs: 004029CD
@, xrefs: 004029D5
+B, xrefs: 004028A6
psapi.dll, xrefs: 00402659
Ed5jf5dRSdSqYsqCVid, xrefs: 00402679
Ed590WYd66XlCnd_4idLCldD, xrefs: 004026B7, 004026DB
%s:%u, xrefs: 0040282C
iphlpapi.dll, xrefs: 0040264D
kernel32.dll, xrefs: 00402669
Ed5jf5dRSdSuSsqCVid, xrefs: 00402699

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: htonsinet_ntoamalloc$AddressCloseCreateFirstHandleLibraryLoadProcProcess32SnapshotToolhelp32_vsnprintf
String ID: %s:%d$%s:%u$@$Ed590WYd66XlCnd_4idLCldD$Ed5jf5dRSdSqYsqCVid$Ed5jf5dRSdSuSsqCVid$iphlpapi.dll$kernel32.dll$psapi.dll$+B
API String ID: 3806733647-2364278594
Opcode ID: e5527e295c1d145b3a1be5e2b79c9850e15ab6488274ec27ffee1723177acfe5
Instruction ID: 64c6eb304da1bd60933a222d55b1bae016526deff2b752f498ff56c04a6099ea
Opcode Fuzzy Hash: e5527e295c1d145b3a1be5e2b79c9850e15ab6488274ec27ffee1723177acfe5
Instruction Fuzzy Hash: 28D1A3B4908341ABC710AF65C58965EFBF0BF84748F418C2EF8C897291D7B9D988CB56

Function 00410FC4 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 236
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.ADVAPI32 ref: 0041103A
RegOpenKeyExA.ADVAPI32 ref: 0041107E
RegSetValueExA.ADVAPI32 ref: 004110C2
RegCloseKey.ADVAPI32 ref: 004110D3
RegOpenKeyExA.ADVAPI32 ref: 00411188
RegDeleteValueA.ADVAPI32 ref: 004111A3
RegCloseKey.ADVAPI32 ref: 004111B3
RegOpenKeyExA.ADVAPI32 ref: 0041123A
RegQueryValueExA.ADVAPI32 ref: 00411277
malloc.MSVCRT ref: 0041128E
RegQueryValueExA.ADVAPI32 ref: 004112C6
RegSetValueExA.ADVAPI32 ref: 00411308
RegDeleteValueA.ADVAPI32 ref: 0041131F
RegCloseKey.ADVAPI32 ref: 0041133E

Strings

?, xrefs: 00411007
<DB, xrefs: 00411367

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Value$CloseOpen$DeleteQuery$Createmalloc
String ID: <DB$?
API String ID: 2456196832-2182478021
Opcode ID: 2a6c15e5110915527470d0c5e75be917cad7f867061e65323b0ccb08af8f21c4
Instruction ID: 5e49c9d9379b1dd87b15daa38270e0e0a3fc6f91244b4719e2a77dc22190009b
Opcode Fuzzy Hash: 2a6c15e5110915527470d0c5e75be917cad7f867061e65323b0ccb08af8f21c4
Instruction Fuzzy Hash: DAB1CFB0909345AFD700EF69D18469FFBE4BF84744F40892EF99887311D7B8D5898B46

Function 004113B8 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 198
pipeprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.MSVCRT ref: 004113D7

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

getenv.MSVCRT ref: 0041140B
CreatePipe.KERNEL32 ref: 004114B1
CreatePipe.KERNEL32 ref: 004114E0
GetStartupInfoA.KERNEL32 ref: 004114F3
CreateProcessA.KERNEL32 ref: 0041156E
CloseHandle.KERNEL32 ref: 004115A8
CloseHandle.KERNEL32(?), ref: 004115B7

Part of subcall function 00405D7D: EnterCriticalSection.KERNEL32 ref: 00405DAD
Part of subcall function 00405D7D: LeaveCriticalSection.KERNEL32 ref: 00405ECC

PeekNamedPipe.KERNEL32 ref: 0041161A
malloc.MSVCRT ref: 0041163E
ReadFile.KERNEL32 ref: 0041166C
CloseHandle.KERNEL32 ref: 004116BB
CloseHandle.KERNEL32(00000000), ref: 004116C9
TerminateProcess.KERNEL32(?,00000000), ref: 004116DE

Strings

lDB, xrefs: 004113DC
D, xrefs: 0041144E

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$CriticalFileProcessSectiongetenv$AttributesByteCharEnterInfoLeaveMultiNamedPeekReadStartupTerminateWide_vsnprintfmalloc
String ID: D$lDB
API String ID: 875277771-151759108
Opcode ID: ca23d0f52e549a3f760370a8f3994d7dd9e6cb6ea0e7ea4ebefd2ad8d4038f33
Instruction ID: c0a2dff8ecfd3ca449ec7184aa16f3f0f3f293b9e2d18e22baf8a99b3bb4e763
Opcode Fuzzy Hash: ca23d0f52e549a3f760370a8f3994d7dd9e6cb6ea0e7ea4ebefd2ad8d4038f33
Instruction Fuzzy Hash: F4919EB05087419FD710AF65C18875FBBE4AF84748F01892EE5D88B3A1D7B99489CF8A

Function 0041AC15 Relevance: 27.2, APIs: 6, Strings: 12, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0041AC2A
malloc.MSVCRT ref: 0041AC8B
free.MSVCRT ref: 0041AC9F

Part of subcall function 00414FEF: realloc.MSVCRT ref: 00415034

free.MSVCRT ref: 0041AF2C
free.MSVCRT ref: 0041AF38
free.MSVCRT ref: 0041AF8A

Strings

R, xrefs: 0041AE3C
), xrefs: 0041ACB5
G, xrefs: 0041ADFD
I, xrefs: 0041AEAC
T, xrefs: 0041AED0
D, xrefs: 0041AE37
D, xrefs: 0041AEBE
A, xrefs: 0041AEC3
I, xrefs: 0041AE2D
H, xrefs: 0041AE32
P, xrefs: 0041ADD0
N, xrefs: 0041ADF4

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: free$malloc$realloc
String ID: )$A$D$D$G$H$I$I$N$P$R$T
API String ID: 10190057-4026286603
Opcode ID: 25416bb5c249f3873459c7c3242fdf6bd4d75fafb1925d00441d8b37c87fa026
Instruction ID: 7b50295ee95f3483ab7dff93a2a89c17451d79e52031df4d4eaf42e24e8d509c
Opcode Fuzzy Hash: 25416bb5c249f3873459c7c3242fdf6bd4d75fafb1925d00441d8b37c87fa026
Instruction Fuzzy Hash: 14A1D27110D3809ED311DB69C48438FFFE1ABA6308F44895EE5C89B382D7B99989CB57

Function 0040DCE9 Relevance: 24.4, APIs: 16, Instructions: 395
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0040DD57
GetProcAddress.KERNEL32(?), ref: 0040DD7C
GetProcAddress.KERNEL32 ref: 0040DD98
GetProcAddress.KERNEL32 ref: 0040DDB6
GetProcAddress.KERNEL32(?,?), ref: 0040DDD2
GetProcAddress.KERNEL32 ref: 0040DDF0
GetProcAddress.KERNEL32 ref: 0040DE0E
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E397

Part of subcall function 004132E6: GetVersionExA.KERNEL32 ref: 00413325
Part of subcall function 004132E6: GetSystemMetrics.USER32 ref: 004133FA

WideCharToMultiByte.KERNEL32 ref: 0040DF74
WideCharToMultiByte.KERNEL32 ref: 0040DFC0
WideCharToMultiByte.KERNEL32 ref: 0040E00C
WideCharToMultiByte.KERNEL32 ref: 0040E0B0
WideCharToMultiByte.KERNEL32 ref: 0040E1B4
WideCharToMultiByte.KERNEL32 ref: 0040E200
WideCharToMultiByte.KERNEL32 ref: 0040E24C
WideCharToMultiByte.KERNEL32 ref: 0040E2E8

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AddressProc$Library$FreeLoadMetricsSystemVersion
String ID:
API String ID: 4051271034-0
Opcode ID: 87aafaf84040a22bc4a574d69e3875252030c0c31ccf32c7b5f1b702cec560f4
Instruction ID: 0411f2c87eaa10a6bc819440aee1928311a11f64f3fd3897648e7812cf6e01f9
Opcode Fuzzy Hash: 87aafaf84040a22bc4a574d69e3875252030c0c31ccf32c7b5f1b702cec560f4
Instruction Fuzzy Hash: 6802ADB04087419FD310EF6AC58875BBBE4BF84358F108D2EF4948B291E7B9D5898F96

Function 0040FE8C Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 184timeprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0040FEA5
Process32First.KERNEL32 ref: 0040FECC
CloseHandle.KERNEL32 ref: 0040FEDA

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

OpenProcess.KERNEL32 ref: 0040FF95
GetProcessTimes.KERNEL32 ref: 0040FFFE
FileTimeToSystemTime.KERNEL32 ref: 00410028
CloseHandle.KERNEL32(00000000,00000000), ref: 00410088
Process32Next.KERNEL32(00000000,00000000), ref: 004100F5
CloseHandle.KERNEL32(?,?,00000000,00000000), ref: 00410107

Strings

vCB, xrefs: 0041009D
tCB, xrefs: 00410173
, xrefs: 0041016B

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: CloseHandle$ProcessProcess32Time$CreateFileFirstNextOpenSnapshotSystemTimesToolhelp32_vsnprintf
String ID: $tCB$vCB
API String ID: 1698657367-2528537987
Opcode ID: 29e0c6c4af74bcfaac4a1d46f5b8779cc5999e189975c46573ebb5cc9df879ed
Instruction ID: 6fadafcb3b73e839ba5121377a1d1d4624def229cb7cc3727062cbee2f3d546e
Opcode Fuzzy Hash: 29e0c6c4af74bcfaac4a1d46f5b8779cc5999e189975c46573ebb5cc9df879ed
Instruction Fuzzy Hash: BB81C3B0408741AED720AF25C54566FBBE4AF85748F018D2EF8D887351E7BDC989CB46

Function 00407302 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 94fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00407341
_wfopen.MSVCRT ref: 00407354
MultiByteToWideChar.KERNEL32 ref: 00407397
_wfopen.MSVCRT ref: 004073AC
malloc.MSVCRT ref: 004073CC
fread.MSVCRT ref: 004073EE
fwrite.MSVCRT ref: 0040741C
free.MSVCRT ref: 0040742E
fclose.MSVCRT ref: 0040743F
fclose.MSVCRT ref: 00407447

Strings

\/B, xrefs: 004073A2

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_wfopenfclose$freadfreefwritemalloc
String ID: \/B
API String ID: 2679953470-271128087
Opcode ID: 1a201ae08c697f7eeda60a02ea33dc54c079bd51e64b70313e0bd476c0a05067
Instruction ID: bd1c24ee40381327b35b8d10bbed57f0e5c37a6e482eaac28a171252adbfc4ce
Opcode Fuzzy Hash: 1a201ae08c697f7eeda60a02ea33dc54c079bd51e64b70313e0bd476c0a05067
Instruction Fuzzy Hash: FC3117B09097059FD710AF76D58526EBBE0BF84348F41883EE4D897382D7789489CB8B

Function 0040D745 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 232registryfileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040D769
RegOpenKeyExA.ADVAPI32 ref: 0040D80C
RegCloseKey.ADVAPI32 ref: 0040D858
fclose.MSVCRT ref: 0040DB08

Strings

/, xrefs: 0040DA54
E, xrefs: 0040D98F
, xrefs: 0040D7AF
A, xrefs: 0040D99A
K, xrefs: 0040D9A5
19B, xrefs: 0040DA99

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: CloseOpenfclosefopen
String ID: $/$19B$A$E$K
API String ID: 4197589263-888862201
Opcode ID: c0e3fb71f7fc6bda4d548a6fbe01f6975c31a5aa555185305a4db6e8dc71234b
Instruction ID: b3a366508a3bf55356eea0268f728a85e1b25c4e3c11778993a5dcbc8714eb01
Opcode Fuzzy Hash: c0e3fb71f7fc6bda4d548a6fbe01f6975c31a5aa555185305a4db6e8dc71234b
Instruction Fuzzy Hash: B2A1C2B09083419BD710EFA5C18465BBBE0AF85358F00882EF5D897391D7B9D989DF4A

Function 00410ADA Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 230registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00410B26
RegEnumValueA.ADVAPI32 ref: 00410B7F
RegQueryValueExA.ADVAPI32 ref: 00410BF6
RegQueryValueExA.ADVAPI32 ref: 00410C92

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

RegQueryValueExA.ADVAPI32 ref: 00410DA4
malloc.MSVCRT ref: 00410DBB
RegQueryValueExA.ADVAPI32 ref: 00410DEB
RegCloseKey.ADVAPI32 ref: 00410EAE

Strings

CB, xrefs: 00410E30

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Value$Query$CloseEnumOpen_vsnprintfmalloc
String ID: CB
API String ID: 4070552197-2813831398
Opcode ID: 9bee3dbd4e7d19c30e3e32ea7d95f2c090d671b3ace4d02c6f0daefd3a3cde72
Instruction ID: f9e542294e120a942ba3f9c894af39fbc12760f83aa3f443d205d2010ae74b6d
Opcode Fuzzy Hash: 9bee3dbd4e7d19c30e3e32ea7d95f2c090d671b3ace4d02c6f0daefd3a3cde72
Instruction Fuzzy Hash: E2B16BB45083419FD710EF6AC18479BFBE4BF88744F408D2EE89887351E7B9D5898B86

Function 00401421 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 101COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00401428
getenv.MSVCRT ref: 00401559

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

getenv.MSVCRT ref: 0040159B

Strings

s, xrefs: 00401540
s, xrefs: 00401528
\, xrefs: 00401530
TEMP, xrefs: 00401550
%s\%s.%s, xrefs: 0040145A
%, xrefs: 0040151E
%, xrefs: 00401538

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: getenv$_vsnprintfmalloc
String ID: %$%$%s\%s.%s$TEMP$\$s$s
API String ID: 3160696619-3075679649
Opcode ID: 7c1266ee4a8bb0ef58b53bdb6cf553ef2235b8560277cd116898d57bbc94ea4a
Instruction ID: f04d716bfdf1a3b2f19b14ba05fef692e22545d8b3c1490e52eb58049ae1adaa
Opcode Fuzzy Hash: 7c1266ee4a8bb0ef58b53bdb6cf553ef2235b8560277cd116898d57bbc94ea4a
Instruction Fuzzy Hash: 435196B040C385DEE720EF25D54879EBBE0BF84348F408D2EE5D887281E7B99588DB56

Function 00408042 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00408094
_wfopen.MSVCRT ref: 004080AE

Part of subcall function 00407FC3: fgetpos.MSVCRT ref: 00407FE9

fgetpos.MSVCRT ref: 004080F0
fsetpos.MSVCRT ref: 00408126
malloc.MSVCRT ref: 00408132
fread.MSVCRT ref: 00408152
realloc.MSVCRT ref: 00408168
fclose.MSVCRT ref: 00408174
fclose.MSVCRT ref: 00408185

Strings

d/B, xrefs: 004080A3

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: fclosefgetpos$ByteCharMultiWide_wfopenfreadfsetposmallocrealloc
String ID: d/B
API String ID: 1812338015-978428479
Opcode ID: 2d6ccdd2d2fb629f81430ef7c6409be28087138821b7d1f134346664b6263e99
Instruction ID: cce78eb31c107fb340ace7c9921005f6624d878254cb06048c37cb8e28fe17a8
Opcode Fuzzy Hash: 2d6ccdd2d2fb629f81430ef7c6409be28087138821b7d1f134346664b6263e99
Instruction Fuzzy Hash: 6031B6B0509705ABD750AF26C68535EBBE4AF84348F01892EE8D89B281D778D54A8F4B

Function 004093E7 Relevance: 16.7, APIs: 11, Instructions: 177networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00409442

Part of subcall function 004051B5: gethostbyname.WS2_32 ref: 004051C5
Part of subcall function 004051B5: htons.WS2_32 ref: 00405202

connect.WS2_32 ref: 0040948F
send.WS2_32 ref: 004094F4
recv.WS2_32 ref: 00409533

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: connectgethostbynamehtonsrecvsendsocket
String ID:
API String ID: 2370112503-0
Opcode ID: e07faabcde73fad5de2f234cc241048b4efe75730fad398a918129e32e759b8a
Instruction ID: e31714b0b2c18d3bfe683e3de1011ef27751aa1e39aef002969c9c8643353b02
Opcode Fuzzy Hash: e07faabcde73fad5de2f234cc241048b4efe75730fad398a918129e32e759b8a
Instruction Fuzzy Hash: 1471E8B05087059FD710AF6AC58539ABBE0EF84348F418D2EE4D897392D7BD89898B47

Function 00411770 Relevance: 15.2, APIs: 10, Instructions: 170networkCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00411781
select.WS2_32 ref: 00411821
__WSAFDIsSet.WS2_32 ref: 0041186C
__WSAFDIsSet.WS2_32 ref: 00411885
__WSAFDIsSet.WS2_32 ref: 0041189E
__WSAFDIsSet.WS2_32 ref: 004118B7
recv.WS2_32 ref: 004118ED
send.WS2_32 ref: 00411921
recv.WS2_32 ref: 0041197F
send.WS2_32 ref: 004119B3

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: recvsend$mallocselect
String ID:
API String ID: 2752384660-0
Opcode ID: b82e8287e89736ba92eba444ea1445ecdc45d6602fffcca40b5c4f4261706058
Instruction ID: 396cab881292c67bc80472d702024345634477e2cb390eb29da05618a31f840e
Opcode Fuzzy Hash: b82e8287e89736ba92eba444ea1445ecdc45d6602fffcca40b5c4f4261706058
Instruction Fuzzy Hash: 5A61FCB05197419FD720BF79C5847ABBBE4AF84314F10892FE998C3351E77898858B47

Function 00413EB3 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 274COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00413F0A
_wfopen.MSVCRT ref: 00413F1D
fgetpos.MSVCRT ref: 00413F62
MultiByteToWideChar.KERNEL32 ref: 004141E8
_wfopen.MSVCRT ref: 004141FB
_wfopen.MSVCRT ref: 00413F92

Part of subcall function 00407FC3: fgetpos.MSVCRT ref: 00407FE9

fread.MSVCRT ref: 00414339

Strings

EB, xrefs: 00413F12

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _wfopen$ByteCharMultiWidefgetpos$fread
String ID: EB
API String ID: 938800225-4058845024
Opcode ID: 950e416187ae905cf82d7dafeef771dc36a792c2880a9897fab731ecdff24896
Instruction ID: fdcfd7fcdd99f777d3a34adf36677ce69dcc47347dc1f65e5ed97d3c26df3997
Opcode Fuzzy Hash: 950e416187ae905cf82d7dafeef771dc36a792c2880a9897fab731ecdff24896
Instruction Fuzzy Hash: 75D1E7B45087459FC310EF65C1886AABBE0BF89308F15C97EE8D897352D7789885CF46

Function 0040970C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132filetimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00409733
CloseHandle.KERNEL32 ref: 0040979A
CloseHandle.KERNEL32 ref: 004097B3
MultiByteToWideChar.KERNEL32 ref: 0040982A
CreateFileW.KERNEL32 ref: 00409865
SetFilePointer.KERNEL32 ref: 004098A1
WriteFile.KERNEL32 ref: 00409936

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Strings

1B, xrefs: 004098B2

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$ByteCharCreateLocalMultiPointerTimeWideWrite_vsnprintf
String ID: 1B
API String ID: 1679277924-3133059986
Opcode ID: 4e2e8c59022566be6e83790a85539b938eb59b7fa42426b377093483d846f68c
Instruction ID: e376d887f57f93dc865b5eaaf6567e86db3f04f64e7ab8cebec23d02cc14b5b1
Opcode Fuzzy Hash: 4e2e8c59022566be6e83790a85539b938eb59b7fa42426b377093483d846f68c
Instruction Fuzzy Hash: E9512DB05083009BC310EF26D54426BBBF0BB85718F518A2EF4D497392D7BD9989CB9A

Function 00409E61 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F7A: LoadLibraryA.KERNEL32 ref: 00407F84

Part of subcall function 00407F8E: GetProcAddress.KERNEL32 ref: 00407FA0

RegisterClassExW.USER32 ref: 00409F29

Strings

ssdaClass, xrefs: 00409E69
0, xrefs: 00409F0A
0, xrefs: 00409EEF

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: AddressClassLibraryLoadProcRegister
String ID: 0$0$ssdaClass
API String ID: 3006457887-3236872048
Opcode ID: eed60d624a5036191c5a01f9f44c180ff77991b3a128f902be9f0c859de88d18
Instruction ID: dc59c3b724a470855dcc4065ae2b59d1d9b3c777af613543eb6a0d926dcb9681
Opcode Fuzzy Hash: eed60d624a5036191c5a01f9f44c180ff77991b3a128f902be9f0c859de88d18
Instruction Fuzzy Hash: 863108B05183019AE310BF25D55531FBAE0BF84348F41892EF4C4AB292D7BD8949CB9B

Function 0040C197 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040C1B8

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

getenv.MSVCRT ref: 0040C1F6

Part of subcall function 00407F59: free.MSVCRT ref: 00407F6A

fopen.MSVCRT ref: 0040C22C
malloc.MSVCRT ref: 0040C259
fread.MSVCRT ref: 0040C27D
fclose.MSVCRT ref: 0040C2B0
fclose.MSVCRT ref: 0040C2CA

Strings

k6B, xrefs: 0040C294

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: fclosegetenv$AttributesByteCharFileMultiWide_vsnprintffopenfreadfreemalloc
String ID: k6B
API String ID: 164930318-2852998170
Opcode ID: b606a953a79d5e5e18e6b6d3c7a24a57053edc5fa5b6b61cec116d80e729aa60
Instruction ID: 923c2ccaee423b8f51ada5992f51b5999be8c953822dc98e8fb21a0b7bf81a7a
Opcode Fuzzy Hash: b606a953a79d5e5e18e6b6d3c7a24a57053edc5fa5b6b61cec116d80e729aa60
Instruction Fuzzy Hash: 113118B05087019ED710BFA6D58526EFBE4AF94358F41883EE4D89B392D77CC4858B4A

Function 0041F151 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 187stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C5A7: fopen.MSVCRT ref: 0041C5C3
Part of subcall function 0041C5A7: fseek.MSVCRT ref: 0041C5E1
Part of subcall function 0041C5A7: ftell.MSVCRT ref: 0041C5ED
Part of subcall function 0041C5A7: fclose.MSVCRT ref: 0041C604

strcpy.MSVCRT ref: 0041F216
strncpy.MSVCRT ref: 0041F29A
_mkdir.MSVCRT ref: 0041F337
_errno.MSVCRT ref: 0041F33F

Strings

\, xrefs: 0041F227
, xrefs: 0041F35F
:, xrefs: 0041F2B1

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _errno_mkdirfclosefopenfseekftellstrcpystrncpy
String ID: $:$\
API String ID: 268051615-2457500751
Opcode ID: 9526ac459c02bb7793610bcab494c40ffb002977be289f00c765dc40185c480f
Instruction ID: 79c026138aa9a439cba8819bc206cad1fae7c9babfb4a3138d3d5cf70f9326d1
Opcode Fuzzy Hash: 9526ac459c02bb7793610bcab494c40ffb002977be289f00c765dc40185c480f
Instruction Fuzzy Hash: 56616E7550C7898AD7249F39C4803EFBBE1AF84304F54493FE8E883341D779898A8B4A

Function 00411A5C Relevance: 12.1, APIs: 8, Instructions: 148networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00411AC7
__WSAFDIsSet.WS2_32 ref: 00411AE0
recv.WS2_32 ref: 00411B0C
recv.WS2_32 ref: 00411B43
recv.WS2_32 ref: 00411BC2
htons.WS2_32 ref: 00411C16
socket.WS2_32 ref: 00411C5C
connect.WS2_32 ref: 00411C94

Part of subcall function 00411A22: send.WS2_32 ref: 00411A4C

Part of subcall function 00405999: shutdown.WS2_32 ref: 004059B6
Part of subcall function 00405999: closesocket.WS2_32(00000000), ref: 004059C2

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: recv$closesocketconnecthtonsselectsendshutdownsocket
String ID:
API String ID: 1430705073-0
Opcode ID: 7aa564cc39fd655c1c646bbf1d1799004d24cdb641ddc06cc15a049bd6b3ff1c
Instruction ID: 331b2ee2af7af9e314b8cfd2fab8a33ff8218399bbf528e54cfcbcff9f8d33b6
Opcode Fuzzy Hash: 7aa564cc39fd655c1c646bbf1d1799004d24cdb641ddc06cc15a049bd6b3ff1c
Instruction Fuzzy Hash: 2461D6B0509740AED710AF25C18979ABBE4FF84348F008D1EF9D887251E7B994899F47

Function 0040A4BC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 155libraryloadertimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041236C: malloc.MSVCRT ref: 0041237C

LoadLibraryA.KERNEL32 ref: 0040A519
GetProcAddress.KERNEL32 ref: 0040A53C
GetProcAddress.KERNEL32 ref: 0040A55A
GetProcAddress.KERNEL32 ref: 0040A576
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040A604

Part of subcall function 00405D7D: EnterCriticalSection.KERNEL32 ref: 00405DAD
Part of subcall function 00405D7D: LeaveCriticalSection.KERNEL32 ref: 00405ECC

Strings

`(B, xrefs: 0040A5E2

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalSectionTime$EnterFileLeaveLibraryLoadSystemmalloc
String ID: `(B
API String ID: 2869995242-1914280996
Opcode ID: 19d6fc8c2d1306d8d053f19c73e800395e5ac708471e6663d3d13c85d9c19fe9
Instruction ID: 94c08b94b57df9e53fa0a2455e2e566f66701f19132ff7a1c430a127e0c0603f
Opcode Fuzzy Hash: 19d6fc8c2d1306d8d053f19c73e800395e5ac708471e6663d3d13c85d9c19fe9
Instruction Fuzzy Hash: 9761DEB44087109FD710AF26C584A6BBBF4BF88704F01892EE8D897391E7799985CF56

Function 00405D7D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00405DAD
malloc.MSVCRT ref: 00405DF8
send.WS2_32 ref: 00405E96
WSAGetLastError.WS2_32 ref: 00405EA5
LeaveCriticalSection.KERNEL32 ref: 00405ECC

Strings

-, xrefs: 00405DB7

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeavemallocsend
String ID: -
API String ID: 1786834168-2547889144
Opcode ID: 5150198c8eb0ce58f61dc6932d24a873176d766e4a27cdd26a3c85565558810d
Instruction ID: 542a74277ee6daf56934a715b94c3cb6415021c893f49c4910618d7e1c795e3b
Opcode Fuzzy Hash: 5150198c8eb0ce58f61dc6932d24a873176d766e4a27cdd26a3c85565558810d
Instruction Fuzzy Hash: 8B416E70608B008FC720EF69D48461BBBE4EF85324F518A3FE994A73D1C77899458F9A

Function 004054AC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00405519
send.WS2_32 ref: 004055BC
select.WS2_32 ref: 0040561A
__WSAFDIsSet.WS2_32 ref: 00405631
recv.WS2_32 ref: 00405657

Strings

Z, xrefs: 00405668

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: htonsrecvselectsend
String ID: Z
API String ID: 3248711867-1505515367
Opcode ID: 7fdafd5f5f0b92cca46f8b9916048dc5279d19b1817b053ad7dd1c959cdc6263
Instruction ID: 3f3365598393d2eea2e9170436329f57a1f754e33c93ecced5829fb6f7628eb6
Opcode Fuzzy Hash: 7fdafd5f5f0b92cca46f8b9916048dc5279d19b1817b053ad7dd1c959cdc6263
Instruction Fuzzy Hash: 094117B0418744ABD321AF25C1843AFBBE4FF84758F508D2EF4D887291D7B995888B57

Function 0041086B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32 ref: 004108D0
RegOpenKeyExA.ADVAPI32 ref: 00410900

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

RegEnumKeyExA.ADVAPI32 ref: 00410958
RegCloseKey.ADVAPI32 ref: 0041096B
RegDeleteKeyA.ADVAPI32(00000000), ref: 00410978

Strings

@, xrefs: 0041099A

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Delete$CloseEnumOpen_vsnprintf
String ID: @
API String ID: 3258335120-2766056989
Opcode ID: c5fee486713a1e3e413a08c522e5d7fe8b5e1595fa91894b84a89dceef684568
Instruction ID: 9d604c6237a7cde6d8c47273939e6e17ca47206dd9184e21b4ed585c08607efa
Opcode Fuzzy Hash: c5fee486713a1e3e413a08c522e5d7fe8b5e1595fa91894b84a89dceef684568
Instruction Fuzzy Hash: FB31D2F04087059EE710EF26C59839FFBE4AF84748F00891EE4D897251D3B985898F9B

Function 00407E8C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00407E9F
fread.MSVCRT ref: 00407EC7
fclose.MSVCRT ref: 00407ED4
fclose.MSVCRT ref: 00407EDD

Strings

X/B, xrefs: 00407E94
MZ, xrefs: 00407EE2

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: fclose$fopenfread
String ID: MZ$X/B
API String ID: 3873288765-3080073419
Opcode ID: d06aedc7c9e3b3293a92e1f957aa7035d759f161265d28a36525d5ec09abe733
Instruction ID: ae9e81fbcb7ca7b9316dc1c6fd5e5dd7cb62ebbbae1f2b5c39490275c7812f42
Opcode Fuzzy Hash: d06aedc7c9e3b3293a92e1f957aa7035d759f161265d28a36525d5ec09abe733
Instruction Fuzzy Hash: 81F0FEB55097419BDB00FFA6C5C515EB6E4AB44304F508C3EE49497281D778D8898B5B

Function 0041C87B Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 427COMMON

Download Yara Rule

APIs

time.MSVCRT ref: 0041C9C4

Part of subcall function 00415FC6: localtime.MSVCRT ref: 00415FDA

_assert.MSVCRT ref: 0041CBC3

Strings

K, xrefs: 0041CE78
P, xrefs: 0041CE70
FB, xrefs: 0041CBB4

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _assertlocaltimetime
String ID: FB$K$P
API String ID: 239888755-1627385504
Opcode ID: cd97700670ffc604625be893ed21d500fd9a320e9f0d6e3cdad60bc31f370bed
Instruction ID: 8e089169dfaa1868ebee7eec05d644c009e56557b81e72ef4d504278135b65ea
Opcode Fuzzy Hash: cd97700670ffc604625be893ed21d500fd9a320e9f0d6e3cdad60bc31f370bed
Instruction Fuzzy Hash: 9222BF7494D3818FD720CF29C58579BBBE1BF88704F14892EE89887351E7B8E885CB46

Function 004059D3 Relevance: 9.2, APIs: 6, Instructions: 166networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00405A55
connect.WS2_32 ref: 00405A70

Part of subcall function 00405999: shutdown.WS2_32 ref: 004059B6
Part of subcall function 00405999: closesocket.WS2_32(00000000), ref: 004059C2

Part of subcall function 004051B5: gethostbyname.WS2_32 ref: 004051C5
Part of subcall function 004051B5: htons.WS2_32 ref: 00405202

socket.WS2_32 ref: 00405B97
connect.WS2_32 ref: 00405BB2
socket.WS2_32 ref: 00405C34
connect.WS2_32 ref: 00405C54

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: connectsocket$closesocketgethostbynamehtonsshutdown
String ID:
API String ID: 4225652895-0
Opcode ID: 257ab1642c2ba7176df9333284737b40def127f22e375dc60ae8d0ec264ec92a
Instruction ID: dc7f80c90ba20af356347f24dd4de35e54817c060e921352895bdcebc13e1e4f
Opcode Fuzzy Hash: 257ab1642c2ba7176df9333284737b40def127f22e375dc60ae8d0ec264ec92a
Instruction Fuzzy Hash: 7D71B7B0508B059FD710EF29D58465BBBE0FF84354F54893EE88897392D778A4468F4A

Function 004106BD Relevance: 9.1, APIs: 6, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00408ECF), ref: 004106EF
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00410728
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00410765
RegQueryValueExA.ADVAPI32 ref: 004107A0
RegQueryValueExA.ADVAPI32 ref: 004107DD
RegCloseKey.ADVAPI32 ref: 004107F3

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: QueryValue$Open$Close
String ID:
API String ID: 2855150075-0
Opcode ID: 7acb46318583f52b162adab98c30d4c4b02cafbce71d0fe327e00207db92c82c
Instruction ID: b9298c354bfd1ad9ab6003ea3d07812b51851590691558723ca7996c5ddaa5d6
Opcode Fuzzy Hash: 7acb46318583f52b162adab98c30d4c4b02cafbce71d0fe327e00207db92c82c
Instruction Fuzzy Hash: 8331C3B55083059BD300AF6AC54435BFBE4BB84758F40892EF89897351D7B8EA898F86

Function 00401DD8 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 58stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00401DDF
strcpy.MSVCRT ref: 00401E60
strcpy.MSVCRT ref: 00401E6C
strcat.MSVCRT ref: 00401E8E

Part of subcall function 0041E44C: malloc.MSVCRT ref: 0041E48F
Part of subcall function 0041E44C: free.MSVCRT ref: 0041E510

Strings

w, xrefs: 00401E93
.zip, xrefs: 00401E83

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: mallocstrcpy$freestrcat
String ID: .zip$w
API String ID: 50812093-307292267
Opcode ID: 78a7903171cc4c998d85c30a50b5e5ab6e43e4baaabce3d6850bd829c4cc1e8a
Instruction ID: b1c1002ecfc918ecf1bb7e30c12c5e9030ce2ae0e5289fadf73960591331f9fa
Opcode Fuzzy Hash: 78a7903171cc4c998d85c30a50b5e5ab6e43e4baaabce3d6850bd829c4cc1e8a
Instruction Fuzzy Hash: 3421FCF05087059FD310AF25D18839EBBE0BB84758F11CD2EE4DC87291D7BD84899B4A

Function 0040C2DB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040C2F3

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

fopen.MSVCRT ref: 0040C330
fgets.MSVCRT ref: 0040C35E
fclose.MSVCRT ref: 0040C455

Strings

x3B, xrefs: 0040C325

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _vsnprintffclosefgetsfopengetenv
String ID: x3B
API String ID: 3106633423-3373966710
Opcode ID: f5b2f3e6b188a2a81523bee3868d1dc16278d61a1535bb2d55c529db898f20e7
Instruction ID: 6048a10f2db6f6121dbf09b1e91f7eeb88fe885a8aaa66a3f769cde923567c5e
Opcode Fuzzy Hash: f5b2f3e6b188a2a81523bee3868d1dc16278d61a1535bb2d55c529db898f20e7
Instruction Fuzzy Hash: EC41D8B0408311DAD310AF25D58526EBAF4BF84758F50CA2FE4D897381D77C8585DB5B

Function 00405328 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004051B5: gethostbyname.WS2_32 ref: 004051C5
Part of subcall function 004051B5: htons.WS2_32 ref: 00405202

send.WS2_32 ref: 004053DF
select.WS2_32 ref: 0040543E
__WSAFDIsSet.WS2_32 ref: 00405455
recv.WS2_32 ref: 0040547B

Strings

Z, xrefs: 00405497

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: gethostbynamehtonsrecvselectsend
String ID: Z
API String ID: 3406712544-1505515367
Opcode ID: 449d4b15f80a29c733a493597063cfde938150944d976ecd7df47141a1def0a6
Instruction ID: 23d78d97f939ce5eec82cec168d6e0a92f1c2ef35d1e3e5c2e22ff38ea37f4dc
Opcode Fuzzy Hash: 449d4b15f80a29c733a493597063cfde938150944d976ecd7df47141a1def0a6
Instruction Fuzzy Hash: 7941D3B0419740AEE750EF25C58439FBBE4EF84748F409C2EF8D897241D3BA85888B57

Function 004109D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00410A0F
RegEnumKeyExA.ADVAPI32 ref: 00410A66
RegCloseKey.ADVAPI32 ref: 00410AC5

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Strings

@, xrefs: 00410A85
@, xrefs: 00410AB1

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen_vsnprintf
String ID: @$@
API String ID: 2247870055-149943524
Opcode ID: 4af8ef1c9b8c2e1b679c7896dbdc8660dbd74620ed8b4f8cb5af9a0fd6401769
Instruction ID: 60464b3a6ff270cdd1110ed30ec9e4aee9a85b9f4642497f56cba53994ffc826
Opcode Fuzzy Hash: 4af8ef1c9b8c2e1b679c7896dbdc8660dbd74620ed8b4f8cb5af9a0fd6401769
Instruction Fuzzy Hash: A321E3B45083019FD310EF6AC18479BBBE4BF98358F40892EE5D893340D7B895898F97

Function 00407BA7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00407BD8
MultiByteToWideChar.KERNEL32 ref: 00407C04
SHFileOperationW.SHELL32 ref: 00407C4E

Part of subcall function 0040729C: MultiByteToWideChar.KERNEL32 ref: 004072D5
Part of subcall function 0040729C: GetFileAttributesW.KERNEL32 ref: 004072E0

Strings

b/B, xrefs: 00407C24
b/B, xrefs: 00407C46

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: ByteCharFileMultiWide$AttributesOperationstrcpy
String ID: b/B$b/B
API String ID: 1429716934-3141599630
Opcode ID: 81200923591543ee51a94f846a27d562b6fb7f64c7317926669ce86d985d9e29
Instruction ID: 9f716be5a706bacff7abee470f2f70c9786abf008b7cce54c5bda874f4371efe
Opcode Fuzzy Hash: 81200923591543ee51a94f846a27d562b6fb7f64c7317926669ce86d985d9e29
Instruction Fuzzy Hash: ED1125B14083109AE310EF25D48935BBBF5EFC4318F40892EF4A49B281D7BA96498B97

Function 00406D22 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32 ref: 00406DD4
CloseHandle.KERNEL32 ref: 00406DE7
CloseHandle.KERNEL32(00000000), ref: 00406DF4

Strings

D, xrefs: 00406D31
D, xrefs: 00406D51

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: D$D
API String ID: 2922976086-143366177
Opcode ID: 210b95e98878966edea71671788c2c7d13693a52d3674cbc12837110b92085ad
Instruction ID: 1d5ca1a389bb095c29e0a852d1ac0a4b0f4293584b711be652509fdf01780871
Opcode Fuzzy Hash: 210b95e98878966edea71671788c2c7d13693a52d3674cbc12837110b92085ad
Instruction Fuzzy Hash: 4311A2B05087409EE710EF25C59875BBBE4BF85708F01881EF5D897291C3BA95898B87

Function 0040E9B6 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 0040EB64
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040EB74
strcmp.MSVCRT ref: 0040EB80

Strings

0, xrefs: 0040ED3C
5B, xrefs: 0040EC46

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: strcmpstrcpystrncpy
String ID: 0$5B
API String ID: 2448526034-2982329479
Opcode ID: 462bf65ad2594f2168f17dfdeb5058b5c81af0c365ae975b7d05b17481ebe7e2
Instruction ID: 1815abc7d942603e6bf714ecb897f5d3e1623bfaa8687e7908f6a9e0f2ae8c78
Opcode Fuzzy Hash: 462bf65ad2594f2168f17dfdeb5058b5c81af0c365ae975b7d05b17481ebe7e2
Instruction Fuzzy Hash: 63B1BBB45093459FC750EF29C18469FBBE0FF88348F408D2EE4D897291E7B9D9898B46

Function 0040567B Relevance: 7.6, APIs: 5, Instructions: 98networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 004056B5
recv.WS2_32 ref: 00405703
htons.WS2_32 ref: 00405774
send.WS2_32 ref: 004057B1
recv.WS2_32 ref: 004057DB

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: recvsend$htons
String ID:
API String ID: 2448738288-0
Opcode ID: 13adfa5ec2ebdb7ed79ded53f4b099e9918976a4c5f06ce693c8d3bcc2d3ec54
Instruction ID: a3ad6d79acf2e53900b9dd159f4be09f546f61b4e8b2614ee158af40ae1285e8
Opcode Fuzzy Hash: 13adfa5ec2ebdb7ed79ded53f4b099e9918976a4c5f06ce693c8d3bcc2d3ec54
Instruction Fuzzy Hash: 8A410BB141C7819AD710AF25C54939FBFE0AF94308F458D2EE4D897282D3B99688CF97

Function 00410520 Relevance: 7.6, APIs: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00410558
RegQueryValueExA.ADVAPI32 ref: 00410596
malloc.MSVCRT ref: 004105A9
RegQueryValueExA.ADVAPI32 ref: 004105D9
RegCloseKey.ADVAPI32 ref: 004105F8

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpenmalloc
String ID:
API String ID: 3087825141-0
Opcode ID: bee71e2c12d8eb0ab75ad6922a777cc37da6db6440ffe5c328c79abb1217a5d5
Instruction ID: dddce03a098769392e7a375fb59deb789f7659c2eda9270703039da878427773
Opcode Fuzzy Hash: bee71e2c12d8eb0ab75ad6922a777cc37da6db6440ffe5c328c79abb1217a5d5
Instruction Fuzzy Hash: EC21A3B05083019FD700EF29D58465BBBE4BF88748F00892EF8C893201E778DA888F86

Function 00421320 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 0042152C
_assert.MSVCRT ref: 00421551

Strings

, xrefs: 004213B0
c, xrefs: 0042153A

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _assert
String ID: $c
API String ID: 1222420520-3797896886
Opcode ID: 8a585c7f6f4847e6cdab404632b1628f0989679c9260e782601c46f9716b7191
Instruction ID: 595662ab794f8c563696035dacf2dbdab12226766188b8df76e1304a900497cc
Opcode Fuzzy Hash: 8a585c7f6f4847e6cdab404632b1628f0989679c9260e782601c46f9716b7191
Instruction Fuzzy Hash: 1E71DDB5A083199FDB00EF69D48859EBBE0EF88354F01C92EF89997351C3389854CF96

Function 00420700 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00420850
_assert.MSVCRT ref: 004208AD

Strings

HjB, xrefs: 0042089E
M, xrefs: 00420896

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _assert
String ID: HjB$M
API String ID: 1222420520-1889629911
Opcode ID: 389ade0749032fac037805b9abc3480a8171c3f13d13cda5c72ac285551c0497
Instruction ID: 88b4d72e3a3b074a803e33dc480ae7ecbd49f2114936249b734713bf6416a905
Opcode Fuzzy Hash: 389ade0749032fac037805b9abc3480a8171c3f13d13cda5c72ac285551c0497
Instruction Fuzzy Hash: 0951BB716083A28FC300CF28E59052BBBF1BFCA310F048A1EE69087645D335EA19CF92

Function 00406B2B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wfopen.MSVCRT ref: 00406B69
fread.MSVCRT ref: 00406BA2
fclose.MSVCRT ref: 00406C1A

Strings

D/B, xrefs: 00406B5E

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _wfopenfclosefread
String ID: D/B
API String ID: 506435840-35448031
Opcode ID: 6e29f1c7595fdd67799a25fafd9a4aaf63ccba13522d3f48157b685555bab8a5
Instruction ID: deb419f91eb23376f6420ea6a160b5129c3192077bfb07f8c7133106a8e0e032
Opcode Fuzzy Hash: 6e29f1c7595fdd67799a25fafd9a4aaf63ccba13522d3f48157b685555bab8a5
Instruction Fuzzy Hash: 3D21A3701087508FD720EF29C5847AEBBE0EF85318F41892EE8D887392D7789499CB47

Function 0040B016 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040B056
fread.MSVCRT ref: 0040B080
fclose.MSVCRT ref: 0040B0F3

Strings

z3B, xrefs: 0040B091

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: fclosefopenfread
String ID: z3B
API String ID: 2679521937-3399381272
Opcode ID: e2600f1d5f8662e9c392fe55e0e07e3544c7b57ce058911e094c9610cb459c02
Instruction ID: 2438fad20f86bae77410323f418e8e562921bdaa67428cf1c8451c05b399b209
Opcode Fuzzy Hash: e2600f1d5f8662e9c392fe55e0e07e3544c7b57ce058911e094c9610cb459c02
Instruction Fuzzy Hash: 9B213EB05493459ED310AF65C5843AFBBE0EF80348F01883EE8E887341D77C8589DB4A

Function 0040B105 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040B145
fread.MSVCRT ref: 0040B16F
fclose.MSVCRT ref: 0040B1E2

Strings

x3B, xrefs: 0040B13A

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: fclosefopenfread
String ID: x3B
API String ID: 2679521937-3373966710
Opcode ID: cef17687d92d9b4a792fbe74fccce4ea79b1ff820fbda775a6627d7b36aa9cc9
Instruction ID: 8e46bd977f0b38dff8dfac3cdc2039ee507d5f54b24c6ee619e1854a5548e2c2
Opcode Fuzzy Hash: cef17687d92d9b4a792fbe74fccce4ea79b1ff820fbda775a6627d7b36aa9cc9
Instruction Fuzzy Hash: 85213EB05493059ED320AF65C59879FBBE0EF84358F00882EE8D887251D77C8588DB4A

Function 00414470 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61processthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Part of subcall function 00407E8C: fopen.MSVCRT ref: 00407E9F
Part of subcall function 00407E8C: fread.MSVCRT ref: 00407EC7
Part of subcall function 00407E8C: fclose.MSVCRT ref: 00407ED4

CreateProcessA.KERNEL32 ref: 0041451B

Part of subcall function 00408AF3: ReleaseMutex.KERNEL32(?,?,?,?,?,?,0041452C), ref: 00408B02
Part of subcall function 00408AF3: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,0041452C), ref: 00408B10

Part of subcall function 00405999: shutdown.WS2_32 ref: 004059B6
Part of subcall function 00405999: closesocket.WS2_32(00000000), ref: 004059C2

ResumeThread.KERNEL32 ref: 00414542
ExitProcess.KERNEL32 ref: 00414552

Strings

D, xrefs: 004144A8

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Process$AttributesByteCharCloseCreateExitFileHandleMultiMutexReleaseResumeThreadWideclosesocketfclosefopenfreadshutdown
String ID: D
API String ID: 3751753202-2746444292
Opcode ID: c255f5552f9746074c148be93691e2b4ce4c54ed22f108db594dde55dd1560b6
Instruction ID: 067f5d9187edf2fa4930e283bd60014924ca834b1665164d65a9df55d347b5cc
Opcode Fuzzy Hash: c255f5552f9746074c148be93691e2b4ce4c54ed22f108db594dde55dd1560b6
Instruction Fuzzy Hash: C721B0B05087419AD710AF66C59976FBBE0BF80348F01881EE5D85B382D7BD8489CF9B

Function 00401261 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00401268
getenv.MSVCRT ref: 00401329

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Part of subcall function 00407F08: _beginthreadex.MSVCRT ref: 00407F3A
Part of subcall function 00407F08: CloseHandle.KERNEL32 ref: 00407F48

Strings

TEMP, xrefs: 00401322
%6\%6.dfd, xrefs: 0040132E

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: CloseHandle_beginthreadex_vsnprintfgetenvmalloc
String ID: %6\%6.dfd$TEMP
API String ID: 32720251-3655689890
Opcode ID: 85d489d399a94b7e68c76b87893543c8b6f3c77dc7d3058bc08f74d1328ce92f
Instruction ID: 095e309c488b84dd6e8baa1bc898f34efff603a6fbd504479eb7308a9430591a
Opcode Fuzzy Hash: 85d489d399a94b7e68c76b87893543c8b6f3c77dc7d3058bc08f74d1328ce92f
Instruction Fuzzy Hash: 78218EF05087419FD310AF6AD18839AFBE0BF84358F00892EE1E987291D7BD95899F46

Function 00410608 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00410656
RegSetValueExA.ADVAPI32 ref: 0041069B
RegCloseKey.ADVAPI32 ref: 004106AF

Strings

?, xrefs: 00410623

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: ?
API String ID: 1818849710-1684325040
Opcode ID: 6f10c2fad66fb56d8a876a767705c0936c225fc18a07eb6d3c35cb31e2597923
Instruction ID: d7b5c200bfe116dfd6f132702afe2373019979046eeb2612c7d3539b4a1fd506
Opcode Fuzzy Hash: 6f10c2fad66fb56d8a876a767705c0936c225fc18a07eb6d3c35cb31e2597923
Instruction Fuzzy Hash: 6111B0B45083419FD340EF69D59475BFBE0BB88354F40892EF89883351E7B9D5898F86

Function 0041ED42 Relevance: 6.1, APIs: 4, Instructions: 66fileCOMMON

Download Yara Rule

APIs

_stat.MSVCRT ref: 0041ED8F
fopen.MSVCRT ref: 0041EDC6
fread.MSVCRT ref: 0041EDE8
fclose.MSVCRT ref: 0041EE0F

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _statfclosefopenfread
String ID:
API String ID: 804335959-0
Opcode ID: e49dcea1558de36b6d26133dc736d865fdae275fbb071cb261454f55feb63192
Instruction ID: c86c0b954f8f68680828bf3fb845d0a681b1f2494741e4076b806c5f4ecabbb7
Opcode Fuzzy Hash: e49dcea1558de36b6d26133dc736d865fdae275fbb071cb261454f55feb63192
Instruction Fuzzy Hash: 68216F746083058ED760AF2AD48039BBBE4EF88754F00893EEDACC7381D67984C58B5A

Function 00405214 Relevance: 6.1, APIs: 4, Instructions: 59networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00405245
setsockopt.WS2_32 ref: 00405281
WSAIoctl.WS2_32 ref: 004052E4
setsockopt.WS2_32 ref: 00405319

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: setsockopt$Ioctlioctlsocket
String ID:
API String ID: 1196899187-0
Opcode ID: 4a1ab85cae5512115fe274dc8068c955a42f4f93045ec413a8af8eb2ccab6f2b
Instruction ID: 20f5eab9ee5944eb72183824eaa05ad15d37d7ba85e5585d89411a70b12a9a58
Opcode Fuzzy Hash: 4a1ab85cae5512115fe274dc8068c955a42f4f93045ec413a8af8eb2ccab6f2b
Instruction Fuzzy Hash: 0221A7B1409741AED340EF59D18835BFFE0AF84748F80992EF89457251D3B999888F87

Function 0041C5A7 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0041C5C3
fseek.MSVCRT ref: 0041C5E1
ftell.MSVCRT ref: 0041C5ED
fclose.MSVCRT ref: 0041C604

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: fclosefopenfseekftell
String ID:
API String ID: 256789196-0
Opcode ID: fbcd7f8cca2f724e403eeb8c4da471501aa33c75eb168f4f61c33f7ffa932136
Instruction ID: bcb064d2d33ab52115c011aa6cdc5be578be0ddba1a55773f7ee6e5998b39b7e
Opcode Fuzzy Hash: fbcd7f8cca2f724e403eeb8c4da471501aa33c75eb168f4f61c33f7ffa932136
Instruction Fuzzy Hash: F211A9B09083008FC710BF2AC9C439ABAE4EF44358F45547EE884CB306E779C8858B9A

Function 00407FC3 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

fgetpos.MSVCRT ref: 00407FE9
fflush.MSVCRT ref: 00408009
_filelengthi64.MSVCRT ref: 00408014
fsetpos.MSVCRT ref: 00408036

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _filelengthi64fflushfgetposfsetpos
String ID:
API String ID: 3378604764-0
Opcode ID: 5f1deec734a469d50075acdb6f3c09bf06809ba4cbfcd9c78d95f8229e1196b0
Instruction ID: 7f20a3f538c1e1996cb4a193f62903fdb6249973c6c490497f882466bb09f182
Opcode Fuzzy Hash: 5f1deec734a469d50075acdb6f3c09bf06809ba4cbfcd9c78d95f8229e1196b0
Instruction Fuzzy Hash: 5A010CB18087128BC710EF25958045BBBE4BE94364F51093FF8D0D3381E638D8899B97

Function 00406E04 Relevance: 6.0, APIs: 4, Instructions: 32fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00406E3D
GetFileAttributesW.KERNEL32 ref: 00406E48
SetFileAttributesW.KERNEL32 ref: 00406E62
DeleteFileW.KERNEL32 ref: 00406E6C

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: File$Attributes$ByteCharDeleteMultiWide
String ID:
API String ID: 2001991581-0
Opcode ID: fd15abdbbf5f5b452ff235cde9c5fc4b4f27e3640605faa86648c091e64618a3
Instruction ID: e573b4bf2d7f4f29660dffdf4fc2874ff46e14c0fdf453928647ba00820039fc
Opcode Fuzzy Hash: fd15abdbbf5f5b452ff235cde9c5fc4b4f27e3640605faa86648c091e64618a3
Instruction Fuzzy Hash: E1F062F00093029AD710BF39C88525FBFE4AF40354F40892EF5D456282D73C85998B57

Function 004049CF Relevance: 5.5, APIs: 4, Instructions: 475COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00404A2F
malloc.MSVCRT ref: 00404A5E
malloc.MSVCRT ref: 00404BBE
malloc.MSVCRT ref: 00404C36

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: d646359c60a4fd60cf4ab61131ae816c9032caada655f49a32e68425a94bf0cf
Instruction ID: 218a957fe30f9a24676f57bd5ffca8317da6b6ab60db8c5874b423959f2b8a8b
Opcode Fuzzy Hash: d646359c60a4fd60cf4ab61131ae816c9032caada655f49a32e68425a94bf0cf
Instruction Fuzzy Hash: F01260B05087608EC711AF62D84523ABBE0AFD5308F45497EE6D49B392EB7C8581CF5E

Function 00408FE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00407C77: GetModuleFileNameW.KERNEL32 ref: 00407CA2
Part of subcall function 00407C77: WideCharToMultiByte.KERNEL32 ref: 00407CE3

Part of subcall function 00412D73: getenv.MSVCRT ref: 00412ECA

ExitProcess.KERNEL32 ref: 00409134
fopen.MSVCRT ref: 00409237

Part of subcall function 00406E04: MultiByteToWideChar.KERNEL32 ref: 00406E3D
Part of subcall function 00406E04: GetFileAttributesW.KERNEL32 ref: 00406E48
Part of subcall function 00406E04: SetFileAttributesW.KERNEL32 ref: 00406E62
Part of subcall function 00406E04: DeleteFileW.KERNEL32 ref: 00406E6C

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Part of subcall function 00407EF4: Sleep.KERNEL32 ref: 00407EFE

Strings

r0B, xrefs: 004090AB

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: File$AttributesByteCharMultiWide$DeleteExitModuleNameProcessSleepfopengetenv
String ID: r0B
API String ID: 3425440891-4020269923
Opcode ID: 37d0ce1561ee6bb9c701f51db275a61bfccac64f15fe3377825e8940e65bb3af
Instruction ID: cf1332e757baf714fb04fabdc2a14f291af18396ddc48b811abeeedaa7cc8274
Opcode Fuzzy Hash: 37d0ce1561ee6bb9c701f51db275a61bfccac64f15fe3377825e8940e65bb3af
Instruction Fuzzy Hash: 4D61C7B04087119AD710BF61D64536EBBE1AF81348F41C86EE4C86B383CBBD8985DB5B

Function 00413748 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004130E8: GetUserNameW.ADVAPI32 ref: 00413112
Part of subcall function 004130E8: WideCharToMultiByte.KERNEL32 ref: 00413154

Part of subcall function 00413040: GetComputerNameW.KERNEL32 ref: 0041307E
Part of subcall function 00413040: WideCharToMultiByte.KERNEL32 ref: 004130C0

Part of subcall function 004134FD: GetTickCount.KERNEL32 ref: 0041352F

Part of subcall function 00407C77: GetModuleFileNameW.KERNEL32 ref: 00407CA2
Part of subcall function 00407C77: WideCharToMultiByte.KERNEL32 ref: 00407CE3

getenv.MSVCRT ref: 00413879
getenv.MSVCRT ref: 00413887

Part of subcall function 00405D7D: EnterCriticalSection.KERNEL32 ref: 00405DAD
Part of subcall function 00405D7D: LeaveCriticalSection.KERNEL32 ref: 00405ECC

Strings

xEB, xrefs: 00413965

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: ByteCharMultiNameWide$CriticalSectiongetenv$ComputerCountEnterFileLeaveModuleTickUser
String ID: xEB
API String ID: 195117172-2961144582
Opcode ID: fb62eb59387f53985bd42543a62e6c15600361e8d5d43dfcff879b8f1a2c93cb
Instruction ID: 88353113fceb9506f3b36d61bfde8eef9921c9a466ae1bfd82caa565229af05a
Opcode Fuzzy Hash: fb62eb59387f53985bd42543a62e6c15600361e8d5d43dfcff879b8f1a2c93cb
Instruction Fuzzy Hash: A2619CB49087849BD720EF65C18469EFBE0BF89348F408D2EE8D887351E7789548CF5A

Function 0041DD3F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

P, xrefs: 0041DE36
K, xrefs: 0041DE3B

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID:
String ID: K$P
API String ID: 0-420285281
Opcode ID: 8a69464f70444901d772828418eb0133d86c5c4489e010a0a704677ec8438a85
Instruction ID: 76b3f71e46e7dd39d433d4e4d553b0a2d3546f8e99cb6a452508f90fdc663846
Opcode Fuzzy Hash: 8a69464f70444901d772828418eb0133d86c5c4489e010a0a704677ec8438a85
Instruction Fuzzy Hash: 3F51C0B09083449FCB50CF29C58468BBBE1AF98318F54892EF8988B351E379D985CF46

Function 0040D420 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D290: CryptAcquireContextA.ADVAPI32 ref: 0040D2E2
Part of subcall function 0040D290: CryptCreateHash.ADVAPI32 ref: 0040D31C
Part of subcall function 0040D290: CryptHashData.ADVAPI32 ref: 0040D34B
Part of subcall function 0040D290: CryptGetHashParam.ADVAPI32 ref: 0040D38A

Part of subcall function 00407F7A: LoadLibraryA.KERNEL32 ref: 00407F84

Part of subcall function 00407F8E: GetProcAddress.KERNEL32 ref: 00407FA0

RegQueryValueExA.ADVAPI32 ref: 0040D4EC
LocalFree.KERNEL32 ref: 0040D5B8

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Strings

8B, xrefs: 0040D58B

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$AcquireAddressContextCreateDataFreeLibraryLoadLocalParamProcQueryValue_vsnprintf
String ID: 8B
API String ID: 2081058215-1803290843
Opcode ID: 5a86b60eb7b24f86e885ff524fb9dc5150f0e0451a94be218f3f5f5105dd560d
Instruction ID: 3ebc2064e8f7268df4b8e6a934d6e56f21a9b96c1547cc96c36b4704c4ff52fe
Opcode Fuzzy Hash: 5a86b60eb7b24f86e885ff524fb9dc5150f0e0451a94be218f3f5f5105dd560d
Instruction Fuzzy Hash: 78419CB4A083419FD710EF69C58465AFBF0BF85358F00892EE8C897351EB79D588CB86

Function 004211C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00421315

Strings

pjB, xrefs: 00421306
8, xrefs: 004212FE

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _assert
String ID: 8$pjB
API String ID: 1222420520-722663410
Opcode ID: d0b8bfb88443995b5d46237e8dd2c2796db4cd98f11c714f3134454e1f713599
Instruction ID: 89e7217bd13c7babcd5adc9bb28dc37eee23235c195977e0ffb5d0d95595f474
Opcode Fuzzy Hash: d0b8bfb88443995b5d46237e8dd2c2796db4cd98f11c714f3134454e1f713599
Instruction Fuzzy Hash: E74127707082B14BE3188F1D989413EBFE1ABD6201FCA4AAFF4C5C7252D539D518CB65

Function 00408218 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00408255
GetLocalTime.KERNEL32 ref: 0040825C

Strings

%.4d-%.2d-%.2d %.2d:%.2d:%.2d, xrefs: 00408267

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: Time$LocalSystem
String ID: %.4d-%.2d-%.2d %.2d:%.2d:%.2d
API String ID: 1098363292-244208801
Opcode ID: 2c0d27171b227a626090942a01cb7e3bbf324c6d7aa291d0839ae4957e61f002
Instruction ID: 210422b194b1c769db9a9b51ef88a37ee0462c5d8974aa95260b86ae16cdeba8
Opcode Fuzzy Hash: 2c0d27171b227a626090942a01cb7e3bbf324c6d7aa291d0839ae4957e61f002
Instruction Fuzzy Hash: CC11F874809354AAC750DF26C54066FBBE4FB88B54F40882FF8C493241E73C9984DB57

Function 00413040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 0041307E
WideCharToMultiByte.KERNEL32 ref: 004130C0

Strings

@, xrefs: 00413099

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: ByteCharComputerMultiNameWide
String ID: @
API String ID: 4013585866-2766056989
Opcode ID: 75619ece23197e83586e66bb1f33d7f654c3ffc02ea5a6723a4e8ea35ab2e647
Instruction ID: 7c038244dc2cd29586230534efa33881c9182a2f6df97460e627dabf8a714e70
Opcode Fuzzy Hash: 75619ece23197e83586e66bb1f33d7f654c3ffc02ea5a6723a4e8ea35ab2e647
Instruction Fuzzy Hash: 4F01C5B0409301AEE320AF26D99476BFBE4EF94714F10891EF49847291D3B985898B87

Function 004089ED Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00408A77

Part of subcall function 00410803: RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408A27), ref: 00410830
Part of subcall function 00410803: RegDeleteValueA.ADVAPI32 ref: 0041084B
Part of subcall function 00410803: RegCloseKey.ADVAPI32 ref: 0041085E

Strings

40B, xrefs: 00408A7C
<0B, xrefs: 00408A84

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: CloseDeleteOpenValuefclose
String ID: 40B$<0B
API String ID: 3171391837-2730254441
Opcode ID: e80744430c769008ed9aa6cab13524ccc618e940c92f136a1cd14b05883cfc76
Instruction ID: bb4ce6ad198e61c342c208a9868e2ee3a63cf1cfb8a338f91740164746fe8c6d
Opcode Fuzzy Hash: e80744430c769008ed9aa6cab13524ccc618e940c92f136a1cd14b05883cfc76
Instruction Fuzzy Hash: 1101B7B06087119AD700BF65D64526DBBE0AF40348F81C82FE4C86B286DBBD8485DB5F

Function 0040F483 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040F49D

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

getenv.MSVCRT ref: 0040F4C5

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Strings

~;B, xrefs: 0040F4CA

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: getenv$AttributesByteCharFileMultiWide_vsnprintf
String ID: ~;B
API String ID: 2228561779-89019340
Opcode ID: 809e396fd2eab3f384f240020dfbce2e1602ed8e0f4d2e0b249a73290c3eb897
Instruction ID: d845c7456769ba672d696a4f857c2cede61afe7a33709c8199a018e4a54c7ca9
Opcode Fuzzy Hash: 809e396fd2eab3f384f240020dfbce2e1602ed8e0f4d2e0b249a73290c3eb897
Instruction Fuzzy Hash: 4B011AB4408311AAC720BF26E54515EBFE0EF90798F51C83EE4D85B282C37C9599CB4B

Function 0040F67B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040F695

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

getenv.MSVCRT ref: 0040F6BD

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Strings

y<B, xrefs: 0040F6C2

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: getenv$AttributesByteCharFileMultiWide_vsnprintf
String ID: y<B
API String ID: 2228561779-1329648526
Opcode ID: fc2a22fba373fe480af829fa4f93533cae9eeeedbb52cd41ca872e91a74e92ad
Instruction ID: 8d0cb0fe6a7d44374a24ae0aebfd5b8dc36573b7fc8ec9374f5f00733d0f5b09
Opcode Fuzzy Hash: fc2a22fba373fe480af829fa4f93533cae9eeeedbb52cd41ca872e91a74e92ad
Instruction Fuzzy Hash: DF0108B5408311AAC720BF62E44515EBBE0AF80398F41C83EE4D867282C77C859ACB4B

Function 0040F281 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040F29B

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

getenv.MSVCRT ref: 0040F2C3

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Strings

Y:B, xrefs: 0040F2A0

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: getenv$AttributesByteCharFileMultiWide_vsnprintf
String ID: Y:B
API String ID: 2228561779-559362792
Opcode ID: c10aa0f72dc7a85467b9bbaedbd08abfe9db542f1f8a5a634dc962c54ce382e1
Instruction ID: 71a4254163051be47397212b88bd25a6cdd91ad02d264920333697808a15e276
Opcode Fuzzy Hash: c10aa0f72dc7a85467b9bbaedbd08abfe9db542f1f8a5a634dc962c54ce382e1
Instruction Fuzzy Hash: 8E0108F4408311AAC710BF62E44515EBBE0AF80398F51C83EE4D86B282C37C8599CB5A

Function 0040F772 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040F78C

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

getenv.MSVCRT ref: 0040F7B4

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Strings

=B, xrefs: 0040F7B9

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: getenv$AttributesByteCharFileMultiWide_vsnprintf
String ID: =B
API String ID: 2228561779-94577219
Opcode ID: 6a4f4bd4eafef27ad3c46499d4e109de9b0001956a83309dcbd02ed961f098a6
Instruction ID: 2c5e5b9d49c5aa29139184a809ee8efa52bd93eb3b3edc2fc8ee47fb8fc21b8d
Opcode Fuzzy Hash: 6a4f4bd4eafef27ad3c46499d4e109de9b0001956a83309dcbd02ed961f098a6
Instruction Fuzzy Hash: B4011AB4408311AAD710BF22E54515EBBE0AF80758F41C83FE4D86B282C77C8599CF5B

Function 0041328F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

NetWkstaGetInfo.NETAPI32 ref: 004132B1
NetApiBufferFree.NETAPI32 ref: 004132D8

Strings

f, xrefs: 00413296

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: BufferFreeInfoWksta
String ID: f
API String ID: 773480902-1993550816
Opcode ID: adce9d268615c65e9b031c2403f5ee47e1848614fcce32b1b10be943295c3ccf
Instruction ID: bf6d1e5e530aa92c88c9cb547170410969f3c4ca1d96cbd027a6ecb1b54c6bd2
Opcode Fuzzy Hash: adce9d268615c65e9b031c2403f5ee47e1848614fcce32b1b10be943295c3ccf
Instruction Fuzzy Hash: 19F0F8B45083018FC704EF25C185B5BBBE1BF88304F40886DE88487354D379D58ACB96

Function 0041FB61 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 0041FBC9

Strings

@VB, xrefs: 0041FBBA
Q, xrefs: 0041FBB2

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _assert
String ID: @VB$Q
API String ID: 1222420520-3995936320
Opcode ID: 0235047f58187a39db11c12d6489f25d2d41f666815d55729f68459e28030352
Instruction ID: 7f8f61c8df23ecb70e93ec12a44af74537505c36dafaf849a96d6b3a763fb17d
Opcode Fuzzy Hash: 0235047f58187a39db11c12d6489f25d2d41f666815d55729f68459e28030352
Instruction Fuzzy Hash: 07F0D4B060A701AFC740DF24E59461ABBF0BB88354F809D1EF8C887341D378A8889F4B

Function 0041FBD1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 0041FC39

Strings

@VB, xrefs: 0041FC2A
[, xrefs: 0041FC22

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _assert
String ID: @VB$[
API String ID: 1222420520-251187038
Opcode ID: 343805436fce073f30f9e3772ad0ce55764f1fd40facfd7e41a048709e32d194
Instruction ID: 7522fd779a263ea223225e18d5767f15b5394ac0b58d2b9c3ee1adf97f9dd600
Opcode Fuzzy Hash: 343805436fce073f30f9e3772ad0ce55764f1fd40facfd7e41a048709e32d194
Instruction Fuzzy Hash: 21F0DAB060E301AFC750DF24E58461ABBE0BB84354F809C1EF4C847341D378A8859F47

Function 0041FB00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 0041FB59

Strings

G, xrefs: 0041FB42
@VB, xrefs: 0041FB4A

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: _assert
String ID: @VB$G
API String ID: 1222420520-452563729
Opcode ID: b3a8f99880f7f9beb1147c89cebaa8c77fdad5f330c299cffaa506392bb9eab4
Instruction ID: b6f19dba06b4df6abe6717679b5f2b9c21e239fc99e3fa564f48b7d25df68e10
Opcode Fuzzy Hash: b3a8f99880f7f9beb1147c89cebaa8c77fdad5f330c299cffaa506392bb9eab4
Instruction Fuzzy Hash: 6FF0D4B060A301AFC740DF24E18461EBBF0BB88354F809C1EF8C887341D37898849B47

Function 00408AB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,?,?,?,?,?,?,00409119), ref: 00408ACD
GetLastError.KERNEL32 ref: 00408AE0

Strings

d%B, xrefs: 00408AB6

Memory Dump Source

Source File: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2548453764.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548547395.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548694468.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548721031.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548758466.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548819537.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2548839613.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_GdsGKfLRby.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: d%B
API String ID: 1925916568-3233696437
Opcode ID: c3194e90da334e6e38a89a9e3cd57681737c8a67fcd2182493c3a531e1f22581
Instruction ID: ad06f29d9f34d8de5c37fb948c6dfac14eb5c16bc83129ba4182c5028b8a9bce
Opcode Fuzzy Hash: c3194e90da334e6e38a89a9e3cd57681737c8a67fcd2182493c3a531e1f22581
Instruction Fuzzy Hash: FED05EB4504701AAD714FF2982453993EE05B40308F84843EDC88C3796E3BD81DD8B1B

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GdsGKfLRby.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NetWire

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GdsGKfLRby.exe_47b0a69c1a3a44ac22d8e11787a70ffb2e917_5b85fd9f_eb65cfd7-65d8-4100-8a9c-2d3fd4393bae\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D99.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E46.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E76.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Windows Analysis Report
GdsGKfLRby.exe

Function 00408C65 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 112
COMMON

Function 00405959 Relevance: 4.5, APIs: 3, Instructions: 16
networkCOMMON

Function 00408417 Relevance: 49.3, APIs: 13, Strings: 15, Instructions: 294
libraryloaderCOMMON

Function 00411D8C Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 195
windowCOMMON

Function 00409953 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 210
keyboardCOMMON

Function 0040C4B7 Relevance: 26.9, APIs: 13, Strings: 2, Instructions: 656
registryencryptionCOMMON

Function 0041D049 Relevance: 25.0, APIs: 11, Strings: 3, Instructions: 453
fileCOMMON

Function 0040753D Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 280
fileCOMMON

Function 00406F83 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 184
stringfileCOMMON