Edit tour

Windows Analysis Report
rise2406.exe

Overview

General Information

Sample name:	rise2406.exe
Analysis ID:	1462857
MD5:	c6c9f27d335d4e47b5ea12653e806be6
SHA1:	e53242d463e2c94383ec646e7e04504b96b4d176
SHA256:	514efbae5faa43878c743c3db36f81c25ab5d6da93b879b6e88e7a63b1b19769
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Machine Learning detection for sample

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

rise2406.exe (PID: 3180 cmdline: "C:\Users\user\Desktop\rise2406.exe" MD5: C6C9F27D335D4E47B5EA12653E806BE6)

conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 2520 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 2516 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 2700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 140 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: RegAsm.exe PID: 2516	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 5.42.67.8 - Destination IP: 192.168.2.7

Timestamp:	06/26/24-08:59:32.465846
SID:	2046267
Source Port:	50500
Destination Port:	49701
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.7 - Destination IP: 5.42.67.8

Timestamp:	06/26/24-08:59:36.929586
SID:	2046269
Source Port:	49701
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.7 - Destination IP: 5.42.67.8

Timestamp:	06/26/24-08:57:45.307172
SID:	2049060
Source Port:	49701
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 5.42.67.8 - Destination IP: 192.168.2.7

Timestamp:	06/26/24-08:57:45.857539
SID:	2046266
Source Port:	50500
Destination Port:	49701
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: rise2406.exe	ReversingLabs: Detection: 87%
Source: rise2406.exe	Virustotal: Detection: 78%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rise2406.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,

4_2_004C6B00

Source: rise2406.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49721 version: TLS 1.2

Source: rise2406.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0053C8CD FindFirstFileExW,	0_2_0053C8CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	4_2_004C6000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00432022 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	4_2_00432022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	4_2_004E6770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	4_2_004938D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00493B60 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,lstrlenA,	4_2_00493B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0044FC2F FindFirstFileExW,	4_2_0044FC2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	4_2_004DFF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	4_2_00431F9C

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.7:49701 -> 5.42.67.8:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.7:49701
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49701 -> 5.42.67.8:50500
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 5.42.67.8:50500 -> 192.168.2.7:49701

Source: global traffic

TCP traffic: 192.168.2.7:49701 -> 5.42.67.8:50500

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 172.67.75.166 172.67.75.166
Source: Joe Sandbox View	IP Address: 5.42.67.8 5.42.67.8

Source: Joe Sandbox View

ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00409280 recv,GetProcAddress,GetModuleHandleA,GetProcAddress,WSASend,

4_2_00409280

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33J
Source: RegAsm.exe, RegAsm.exe, 00000004.00000002.2546153992.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2546153992.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/q
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2546153992.0000000000D96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000D96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33:
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RegAsm.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49721 version: TLS 1.2

Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_005409FC	0_2_005409FC
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_00532C20	0_2_00532C20
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0053BC92	0_2_0053BC92
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_00540DD4	0_2_00540DD4
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0052FF04	0_2_0052FF04
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_00537782	0_2_00537782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004E4BD0	4_2_004E4BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0044002D	4_2_0044002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_005220D0	4_2_005220D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F60E0	4_2_004F60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004D70F0	4_2_004D70F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00493080	4_2_00493080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004EE170	4_2_004EE170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00508120	4_2_00508120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004371A0	4_2_004371A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_005031A0	4_2_005031A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00512260	4_2_00512260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040A2C0	4_2_0040A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0050A2B0	4_2_0050A2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0044036F	4_2_0044036F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004A4320	4_2_004A4320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00490440	4_2_00490440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F0450	4_2_004F0450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004DE430	4_2_004DE430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004FA480	4_2_004FA480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00514550	4_2_00514550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0053F550	4_2_0053F550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F85F0	4_2_004F85F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0042F580	4_2_0042F580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0048F590	4_2_0048F590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00452610	4_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004A3610	4_2_004A3610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_005486C0	4_2_005486C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00547760	4_2_00547760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F7730	4_2_004F7730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004E77E0	4_2_004E77E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_005397B0	4_2_005397B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004547BF	4_2_004547BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F2820	4_2_004F2820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0043C960	4_2_0043C960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00546970	4_2_00546970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F7960	4_2_004F7960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0043A928	4_2_0043A928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004FA930	4_2_004FA930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004EF9A0	4_2_004EF9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0044DA86	4_2_0044DA86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F8B40	4_2_004F8B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00493B60	4_2_00493B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0051DBB0	4_2_0051DBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00500BA0	4_2_00500BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00458BB0	4_2_00458BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004EFC40	4_2_004EFC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004EEC40	4_2_004EEC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F7C00	4_2_004F7C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00503CC0	4_2_00503CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00409C90	4_2_00409C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00534D40	4_2_00534D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F9D70	4_2_004F9D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F7D00	4_2_004F7D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004FAD00	4_2_004FAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00546D20	4_2_00546D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00545DE0	4_2_00545DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0053AE20	4_2_0053AE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00458E30	4_2_00458E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00506EA0	4_2_00506EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00516EA0	4_2_00516EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004DFF00	4_2_004DFF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00541F00	4_2_00541F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004ECF20	4_2_004ECF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F2FD0	4_2_004F2FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00501FE0	4_2_00501FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004FFFA0	4_2_004FFFA0

Source: C:\Users\user\Desktop\rise2406.exe	Code function: String function: 0052A0C0 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00547510 appears 102 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00434380 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041ACE0 appears 52 times

Source: C:\Users\user\Desktop\rise2406.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 140

Source: rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamedotnet.exe6 vs rise2406.exe

Source: rise2406.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rise2406.exe

Static PE information: Section: .data ZLIB complexity 0.9968365897495362

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/6@2/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00545050 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA,

4_2_00545050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00544A40 GetDiskFreeSpaceW,GetDiskFreeSpaceA,

4_2_00544A40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0048F070 CreateDirectoryA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

4_2_0048F070

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3180

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user~1\AppData\Local\Temp\trixyuIHtL4lTJ8ci

Jump to behavior

Source: C:\Users\user\Desktop\rise2406.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: rise2406.exe	ReversingLabs: Detection: 87%
Source: rise2406.exe	Virustotal: Detection: 78%

Source: RegAsm.exe

String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Process created: C:\Users\user\Desktop\rise2406.exe "C:\Users\user\Desktop\rise2406.exe"
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 140
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rise2406.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior

Source: rise2406.exe

Static file information: File size 1870848 > 1048576

Source: rise2406.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x194400

Source: rise2406.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: rise2406.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

4_2_004CF280

Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_00529AAF push ecx; ret		0_2_00529AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00433F59 push ecx; ret		4_2_00433F6C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004EE170 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_004EE170

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

graph_4-69899

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

graph_4-69900

Found stalling execution ending in API Sleep call

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Stalling execution: Execution stalls by calling Sleep

graph_4-70391

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

4_2_0045DB00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3303			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 6588			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_4-70413

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_4-70426

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 5.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2052	Thread sleep count: 3303 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2052	Thread sleep time: -333603s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2052	Thread sleep count: 6588 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2052	Thread sleep time: -665388s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_005449B0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 005449F1h

4_2_005449B0

Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0053C8CD FindFirstFileExW,	0_2_0053C8CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	4_2_004C6000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00432022 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	4_2_00432022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	4_2_004E6770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	4_2_004938D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00493B60 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,lstrlenA,	4_2_00493B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0044FC2F FindFirstFileExW,	4_2_0044FC2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	4_2_004DFF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	4_2_00431F9C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004580D8 VirtualQuery,GetSystemInfo,

4_2_004580D8

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\rise2406.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\rise2406.exe

Code function: 0_2_0052DED3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0052DED3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

4_2_004CF280

Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_00533A8C mov ecx, dword ptr fs:[00000030h]	0_2_00533A8C
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_005385C5 mov eax, dword ptr fs:[00000030h]	0_2_005385C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0045DB00 mov eax, dword ptr fs:[00000030h]	4_2_0045DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0045DB00 mov eax, dword ptr fs:[00000030h]	4_2_0045DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004D6280 mov eax, dword ptr fs:[00000030h]	4_2_004D6280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00493B60 mov eax, dword ptr fs:[00000030h]	4_2_00493B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004D2DC0 mov ecx, dword ptr fs:[00000030h]	4_2_004D2DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004C6D80 mov eax, dword ptr fs:[00000030h]	4_2_004C6D80

Source: C:\Users\user\Desktop\rise2406.exe

Code function: 0_2_0053DAB5 GetProcessHeap,

0_2_0053DAB5

Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0052A04B SetUnhandledExceptionFilter,	0_2_0052A04B
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0052A105 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0052A105
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0052DED3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0052DED3
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_00529EEF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00529EEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00434184 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00434184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00434311 SetUnhandledExceptionFilter,	4_2_00434311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0043451D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00438A64

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\rise2406.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\rise2406.exe

Code function: 0_2_007A018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_007A018D

Contains functionality to inject threads in other processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

4_2_004CF280

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rise2406.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 55D000	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 585000	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 58A000	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 58C000	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 821008	Jump to behavior

Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Users\user\Desktop\rise2406.exe

Code function: 0_2_00529C95 cpuid

0_2_00529C95

Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00540033
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetLocaleInfoW,	0_2_0053F8CA
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetLocaleInfoW,	0_2_005370FB
Source: C:\Users\user\Desktop\rise2406.exe	Code function: EnumSystemLocalesW,	0_2_0053F971
Source: C:\Users\user\Desktop\rise2406.exe	Code function: EnumSystemLocalesW,	0_2_0053F9BC
Source: C:\Users\user\Desktop\rise2406.exe	Code function: EnumSystemLocalesW,	0_2_0053FA57
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0053FAE2
Source: C:\Users\user\Desktop\rise2406.exe	Code function: EnumSystemLocalesW,	0_2_00536BD5
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetLocaleInfoW,	0_2_0053FD35
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0053FE5E
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_0053F6CF
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetLocaleInfoW,	0_2_0053FF64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	4_2_004531CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	4_2_0044B1B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_004532F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	4_2_004533F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_004534CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	4_2_0044B734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_00452B5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	4_2_00452D5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoEx,FormatMessageA,	4_2_00431D94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	4_2_00452E51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	4_2_00452E06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	4_2_00452EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_00452F77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	4_2_004DFF00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\rise2406.exe

Code function: 0_2_0052A302 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0052A302

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,

4_2_004DFF00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0044D130 GetTimeZoneInformation,

4_2_0044D130

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00545050 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA,

4_2_00545050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 2516, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 2516, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	511 Process Injection	12 Virtualization/Sandbox Evasion	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	511 Process Injection	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 File and Directory Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	36 System Information Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rise2406.exe	88%	ReversingLabs	Win32.Trojan.LummaStealer
rise2406.exe	79%	Virustotal		Browse
rise2406.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://ipinfo.io/	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.winimage.com/zLibDll	0%	Avira URL Cloud	safe
https://ipinfo.io:443/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://db-ip.com/	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://db-ip.com:443/demo/home.php?s=8.46.123.33J	0%	Avira URL Cloud	safe
https://ipinfo.io/q	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://ipinfo.io/Mozilla/5.0	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		unknown
db-ip.com	172.67.75.166	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/	false	URL Reputation: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://db-ip.com:443/demo/home.php?s=8.46.123.33J	RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io:443/widget/demo/8.46.123.33	RegAsm.exe, 00000004.00000002.2546153992.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/q	RegAsm.exe, 00000004.00000002.2546153992.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	RegAsm.exe	false	Avira URL Cloud: safe	unknown
https://db-ip.com/	RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	RegAsm.exe, 00000004.00000002.2546153992.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/Mozilla/5.0	RegAsm.exe, 00000004.00000002.2546153992.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33:	RegAsm.exe, 00000004.00000002.2546153992.0000000000D96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
172.67.75.166	db-ip.com	United States	13335	CLOUDFLARENETUS	false
5.42.67.8	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1462857
Start date and time:	2024-06-26 08:56:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rise2406.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/6@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 79% Number of executed functions: 29 Number of non-executed functions: 159
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:57:58	API Interceptor	1x Sleep call for process: WerFault.exe modified
04:11:36	API Interceptor	261810x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
172.67.75.166	http://luxury-sherbet-tk1111-10e1b5.netlify.app/form.html	Get hash	malicious	Unknown	Browse
	https://cn10.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	YnsEArPlqx.exe	Get hash	malicious	RisePro Stealer	Browse
	T17sbXrL3i.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	https://curious-kringle-id4964-024b3b3.netlify.app/form.html	Get hash	malicious	Unknown	Browse
	4Ip0IVHqJ3.exe	Get hash	malicious	RisePro Stealer	Browse
	https://gacw-no-reply-restriction-appeal-case.netlify.app/feedback_id_38258467296/	Get hash	malicious	Unknown	Browse
	http://rules-prohibiting-violative-advertisi.netlify.app/appeal_case_ID_78234127826/	Get hash	malicious	Unknown	Browse
5.42.67.8	1kBeqS7E3z.exe	Get hash	malicious	LummaC, RisePro Stealer, Vidar	Browse
	BY1Fwf74x3.exe	Get hash	malicious	RisePro Stealer, Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe	Get hash	malicious	CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	WaGiUWSpyO.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	1n4J6tLgsc.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	http://telegravm.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrarl.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegraem.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrema.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrram.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrmaw.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrnal.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrma.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
db-ip.com	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	http://luxury-sherbet-tk1111-10e1b5.netlify.app/form.html	Get hash	malicious	Unknown	Browse	172.67.75.166
	https://le-2vr.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://e23-c5p.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://ml5-94x.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://cn10.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	172.67.75.166
	https://verify-infraction-messages.netlify.app/appeal_case_id_561597519/	Get hash	malicious	Unknown	Browse	104.26.5.15
	90ZF1EDs9h.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.92
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.92
	file.exe	Get hash	malicious	Unknown	Browse	5.42.66.10
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.92
	adbf66605a6b569b3b4e915ad9cdf271c0889a14fc59b70233b2c966fca1dc93_dump.exe	Get hash	malicious	RedLine	Browse	5.42.65.92
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.92
	DqnftBv2b9.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	5.42.104.211
	1kBeqS7E3z.exe	Get hash	malicious	LummaC, RisePro Stealer, Vidar	Browse	5.42.65.116
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	5.42.65.92
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	https://riprogramma.consegna.3-79-47-0.cprapid.com/brt/update.php?%276	Get hash	malicious	Unknown	Browse	34.117.77.79
	http://3-79-47-0.cprapid.com/brt/update.php?%2704bd392f228f637be355	Get hash	malicious	Unknown	Browse	34.117.77.79
	https://opposite-grandiose-flock.glitch.me/public/digitalapps.navyfederal.org.html	Get hash	malicious	HTMLPhisher	Browse	34.117.77.79
	Authorization code - SO10552124.PDF	Get hash	malicious	Unknown	Browse	34.117.77.79
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	https://eex2ujl43dm.larksuite.com/wiki/Ui6DwyQ8kilW7qkvx66uyYsusXb?from=from_copylink	Get hash	malicious	HTMLPhisher	Browse	34.117.97.41
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	http://telegravm.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrarl.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegraem.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
CLOUDFLARENETUS	_Account Receipt.PDF.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ORDEN DE COMPRA OI1597.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	288292021 ABB.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	GG017077 TAE.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	0Z0CbhhLet.exe	Get hash	malicious	Quasar	Browse	172.67.74.152
	txJO1YslwA.rtf	Get hash	malicious	Unknown	Browse	188.114.96.3
	GOoY5QBqvC.elf	Get hash	malicious	Mirai, Moobot	Browse	104.16.167.29
	clamav-26507ecba954172bdcc6c436a16c6d66.tmp	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://nekofile.eu.org/d7e69ef7da63a0b454230diaj	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://nekofile.eu.org/f8e2cb54931bf39d6c12eo5nc	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	qoe1X4ig0N.exe	Get hash	malicious	LummaC, AsyncRAT, DarkTortilla, LummaC Stealer, Njrat, SmokeLoader, StormKitty	Browse	34.117.186.192 172.67.75.166
	proof.cmd	Get hash	malicious	DBatLoader, Remcos	Browse	34.117.186.192 172.67.75.166
	pmrD6U8p5z.xls	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	file.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166
	Techno_PO LV12406-003211.xla.xlsx	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	Techno_PO LV12406-00311.xla.xlsx	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	PO LV12406-00390.xla.xlsx	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	BlockIps.Docx	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	Purchase Order.bat	Get hash	malicious	DBatLoader	Browse	34.117.186.192 172.67.75.166
	7rBFEWNRqy.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	34.117.186.192 172.67.75.166

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rise2406.exe_a2fa92cb97a2b320a08f8e64ea523b20ebb5f8f1_8f97a443_dd428d2d-1b53-456e-afc5-446050e7694b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7007062601030464
Encrypted:	false
SSDEEP:	96:jP4FOH/usAhqjoOyDqGQXIDcQZc68cE+cw3Jqe+HbHg/PB6HeaOy1FhZAX/d5FMv:j4gH/u8t0H4UcjG1zuiFyZ24IO8KL
MD5:	4F7B153356A21D0E0F145E4132E37263
SHA1:	9BA233E6AB5F2F017293B2A2EEF35782D3BACD24
SHA-256:	29378ECA28488E4BA5D22B072C57A113873FBEB2A82A10C303F1BA0892DFFB2F
SHA-512:	AA3C3D716D22D39545A8727309F3A6F67E4140A0455D8F76AA37F0AE9D4EBA55DED431A96789FC2D15C9DD67A7720DAB6CCBDB3DC21414634BFF5637D403BFBC
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.8.5.8.6.6.4.0.8.2.5.7.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.8.5.8.6.6.4.6.7.6.3.2.4.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.4.2.8.d.2.d.-.1.b.5.3.-.4.5.6.e.-.a.f.c.5.-.4.4.6.0.5.0.e.7.6.9.4.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.d.0.d.a.3.f.-.5.1.d.a.-.4.b.b.5.-.a.a.7.9.-.b.8.3.c.f.6.2.5.5.f.0.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.i.s.e.2.4.0.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.6.c.-.0.0.0.1.-.0.0.1.4.-.5.e.9.0.-.3.4.2.4.9.6.c.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.9.f.7.8.3.5.9.1.1.b.e.9.f.c.a.f.b.8.f.c.5.b.7.b.0.d.c.0.f.f.3.0.0.0.0.f.f.f.f.!.0.0.0.0.e.5.3.2.4.2.d.4.6.3.e.2.c.9.4.3.8.3.e.c.6.4.6.e.7.e.0.4.5.0.4.b.9.6.b.4.d.1.7.6.!.r.i.s.e.2.4.0.6...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E75.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jun 26 06:57:44 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	47100
Entropy (8bit):	1.8252727652124974
Encrypted:	false
SSDEEP:	192:mykqBVV9OMvskaBktKYUd4kD2yE1WdlVQ5LM:F5wMvskaBktKYI2yE12lVQ5
MD5:	BBD9295B206DABE992F3C66CBFBB9C79
SHA1:	69893A4AB3B9A1122F4863F0F9EB55BF376BA346
SHA-256:	3D6DAA050E5FA8AD4025CADC6EF3081DD6B8CBB4A64FD139081CB2C6CEFC9ABF
SHA-512:	4731ECECFAAF5C055037E53BA2D14051DF9CE5EFEDC764EB855461C2E5D62BFCBC80C5298EA094284E7927FF86A186403867E1382525AE90ACED335E42CAF48B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........{f........................X...............N#..........T.......8...........T...........@...............T...........@...............................................................................eJ..............GenuineIntel............T.......l....{f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F7F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8344
Entropy (8bit):	3.7039735507651863
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+W606YN1SUHQgmfvJ2Xyprr89boMsfJ4m:R6lXJP606YvSUHQgmfvJ2LoffD
MD5:	F4E60215C8F423BDB047EB40142F28A6
SHA1:	DC99EBC00D009FE23795FE8A91FCFA1830E85C4F
SHA-256:	52F2ADE8FA5579441E043B494D8697CA21C6B212C7692D3A23534ED23EA68E6D
SHA-512:	68B6371DDDA400177012A768E063E4C313375F192ABF870356A1EFCDBB4E4037F29AF6FFA6263D716C23BCB9F4C894F7693061F3EC354602E0043FE046DD6AC6
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FAF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4625
Entropy (8bit):	4.493182411741148
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI9JiTWpW8VYMYm8M4JHVFl+q8TMhkKWBSad:uIjfQI7Si7VwJV3kKWkad
MD5:	BD57B6DFB4823B8CAE63139D142F06EB
SHA1:	C02B4B67C4B49A0F8268B7F4D6A08552737B7524
SHA-256:	F5D61207F9616815B42EC173AE223B372C55824E2F5988DB69BF147481B9F982
SHA-512:	08C1A8B85C62EF3B5BFDBB7DD43ACF79A4B97523CCD1C708DF4F77F4FDB9FDE7C84D32229232529359B246C01E3D7759ED85ACBC32036D906C2C32A758DE259B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="384360" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4166480132445125
Encrypted:	false
SSDEEP:	6144:fcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuN95+5:Ei58oSWIZBk2MM6AFBDo5
MD5:	0E19D08FE18D8BD9DE175F332BD75147
SHA1:	A743943723D85AA0D0F2181FA2026053489E95E1
SHA-256:	9541293C1501798039581F86A203B769D3739667EABF080E5E54C62CA8CB13BC
SHA-512:	611318A3E6CD7C0C02F95154D3095C20AA2F2C72B4DE8B8D5A6978C9F048B2429F3D09E8EB0F5E29C00E6A7034A21B01BD0058087D9BC298A027612867935173
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.3.$............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\rise2406.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	14
Entropy (8bit):	3.3248629576173565
Encrypted:	false
SSDEEP:	3:oJCVNV:o8/V
MD5:	2C34338A8C340C46983875A53A889FC3
SHA1:	5EF486E22F88756BE456209030D46D3D94C21952
SHA-256:	511FF7ADE84BB22C9B35B62A64FC4100A1958E8D20CB795031199748A926E507
SHA-512:	61A221F599A577BC988C6CFF3319F214A62F066B5086C7D8841E8B88BC9FB6CC4F93E8E48E25382BB8148C8F26D045AD15A927ACF0742E69E24923A4659FF633
Malicious:	false
Reputation:	low
Preview:	Illkjmuueghu 0

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.948024837182058
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rise2406.exe
File size:	1'870'848 bytes
MD5:	c6c9f27d335d4e47b5ea12653e806be6
SHA1:	e53242d463e2c94383ec646e7e04504b96b4d176
SHA256:	514efbae5faa43878c743c3db36f81c25ab5d6da93b879b6e88e7a63b1b19769
SHA512:	7e00bdac39c89821b776dda372693d29e0e7188f8ef747037b971461af79545908f8fc8c9bbf7a30f1b0cc4ceea45632e91c1093e784002994808c19bd2a7347
SSDEEP:	49152:KWPLwXMkW4itwCBDtixjSzceiLYtV25Mm8eEMMd:tPLPkW4IwcOj6iLYtV+Mw8
TLSH:	6C852300F4908073C562167706E4DFB69A7EB9714B725CDB6BA44FBF4F306C09632A6A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.}.@.}.@.}...~.Q.}...x...}...y.V.}..sy.R.}...\|.G.}.@.\|...}..sx...}..s~.X.}..px.A.}..p..A.}.Rich@.}.................PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x409aa5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66789839 [Sun Jun 23 21:48:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e4019b337e6aa53400bb9378be49b858

Entrypoint Preview

Instruction
call 00007F238CDFCE3Ah
jmp 00007F238CDFC409h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F238CDFC2F5h
jmp 00007F238CDFC572h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005C69C0h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005C69C0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005C69C0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33594	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1ca000	0x21f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x30a68	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x30ac0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x309a8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x28000	0x180	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x251c2	0x25200	ad92eac1a3518c94a50c469e832eda52	False	0.5649134574915825	data	6.636592053866142	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.BSs	0x27000	0xe1d	0x1000	74293e678f0de25bb463c0dccc7904d8	False	0.583740234375	data	6.002868469254389	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x28000	0xbe86	0xc000	b0aa40c4aa7dfc2011d6ffe63826f1cd	False	0.41448974609375	data	4.98810951337647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x34000	0x19534c	0x194400	4d397285c775cfc4554c7ce0ca0071fc	False	0.9968365897495362	data	7.999224560090972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1ca000	0x21f0	0x2200	f4f8da3f2dfcb44938435d58d7a1d96f	False	0.7734375	data	6.553528678280142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	Polyline, RectVisible
USER32.dll	OffsetRect
KERNEL32.dll	CreateFileW, HeapSize, SetStdHandle, WaitForSingleObject, CreateThread, VirtualAlloc, FreeConsole, RaiseException, InitOnceBeginInitialize, InitOnceComplete, CloseHandle, GetCurrentThreadId, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetStringTypeW, GetCPInfo, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, GetProcessHeap, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, WriteConsoleW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/26/24-08:59:32.465846	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	50500	49701	5.42.67.8	192.168.2.7
06/26/24-08:59:36.929586	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49701	50500	192.168.2.7	5.42.67.8
06/26/24-08:57:45.307172	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49701	50500	192.168.2.7	5.42.67.8
06/26/24-08:57:45.857539	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	49701	5.42.67.8	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 26, 2024 08:57:45.297755003 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:57:45.304011106 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:57:45.304169893 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:57:45.307172060 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:57:45.311940908 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:57:45.857538939 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:57:45.897598028 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:57:48.976103067 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:57:48.981566906 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:58:20.319787979 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:58:20.324636936 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:58:39.116864920 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:58:39.121699095 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:58:48.507325888 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:58:48.512460947 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:58:51.632371902 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:58:51.637187958 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:58:54.773797989 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:58:54.778863907 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:58:57.898468971 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:58:57.903498888 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:01.023139000 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:01.028254986 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:04.163611889 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:04.168463945 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:07.288690090 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:07.353250980 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:10.429568052 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:10.549530983 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:13.569916964 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:13.576683044 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:16.710654974 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:16.715524912 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:19.851167917 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:19.856040955 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:22.992151022 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:22.997278929 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:26.116830111 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:26.183959007 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:29.242022038 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:29.247180939 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:32.382481098 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:32.433741093 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:32.435168982 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:32.465846062 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:32.465996027 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:32.549282074 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:32.549349070 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:32.549700022 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:32.553071976 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:32.553092957 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.008507013 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.008841038 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.016993999 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.017016888 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.017276049 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.069917917 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.075551987 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.120506048 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.204579115 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.204700947 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.204777002 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.207257986 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.207257986 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.207282066 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.207292080 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.227814913 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.227871895 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.227955103 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.228293896 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.228312016 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.689722061 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.689811945 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.693711042 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.693731070 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.694144964 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.698007107 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.744504929 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.797836065 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:33.851438999 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:33.897752047 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.897984028 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.898348093 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.900158882 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.900192022 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.900362015 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.900371075 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.901794910 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:33.949876070 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:36.929585934 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:36.934513092 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:38.961268902 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:39.007390022 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:46.685332060 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:46.741777897 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:48.365884066 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:48.413897991 CEST	49701	50500	192.168.2.7	5.42.67.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 26, 2024 08:59:32.535058022 CEST	63121	53	192.168.2.7	1.1.1.1
Jun 26, 2024 08:59:32.542617083 CEST	53	63121	1.1.1.1	192.168.2.7
Jun 26, 2024 08:59:33.210113049 CEST	63581	53	192.168.2.7	1.1.1.1
Jun 26, 2024 08:59:33.226600885 CEST	53	63581	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 26, 2024 08:59:32.535058022 CEST	192.168.2.7	1.1.1.1	0x1ba0	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Jun 26, 2024 08:59:33.210113049 CEST	192.168.2.7	1.1.1.1	0xb2b6	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 26, 2024 08:59:32.542617083 CEST	1.1.1.1	192.168.2.7	0x1ba0	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false
Jun 26, 2024 08:59:33.226600885 CEST	1.1.1.1	192.168.2.7	0xb2b6	No error (0)	db-ip.com	172.67.75.166	A (IP address)	IN (0x0001)	false
Jun 26, 2024 08:59:33.226600885 CEST	1.1.1.1	192.168.2.7	0xb2b6	No error (0)	db-ip.com	104.26.4.15	A (IP address)	IN (0x0001)	false
Jun 26, 2024 08:59:33.226600885 CEST	1.1.1.1	192.168.2.7	0xb2b6	No error (0)	db-ip.com	104.26.5.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

https:

db-ip.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.7	49700	34.117.186.192	443

Timestamp	Bytes transferred	Direction	Data
2024-06-26 06:57:37 UTC	59	OUT	GET / HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-06-26 06:57:37 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Wed, 26 Jun 2024 06:57:37 GMT content-type: application/json; charset=utf-8 Content-Length: 319 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-26 06:57:37 UTC	319	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49720	34.117.186.192	443	2516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-26 06:59:33 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-26 06:59:33 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Wed, 26 Jun 2024 06:59:33 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-26 06:59:33 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-26 06:59:33 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49721	172.67.75.166	443	2516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-26 06:59:33 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-26 06:59:33 UTC	665	IN	HTTP/1.1 200 OK Date: Wed, 26 Jun 2024 06:59:33 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC466F7F:9CA2_93878F2E:0050_667BBC55_15DB0975:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dxI4ToxjZw9q7QF94cxCc0W%2Flhon%2FcwjswI43%2F%2FN%2FRRSnUORQOEnriRS2ngRG1aa1GoK90MxS4hSo%2FfQCvUW7StzpCfuug%2F9ELHmTdOyAJ0zUo9FX0MAt%2FE2CA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 899b50b8199e1839-EWR alt-svc: h3=":443"; ma=86400
2024-06-26 06:59:33 UTC	673	IN	Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-26 06:59:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:57:42
Start date:	26/06/2024
Path:	C:\Users\user\Desktop\rise2406.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rise2406.exe"
Imagebase:	0x520000
File size:	1'870'848 bytes
MD5 hash:	C6C9F27D335D4E47B5EA12653E806BE6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:57:42
Start date:	26/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:57:43
Start date:	26/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x260000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:57:43
Start date:	26/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x620000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:57:43
Start date:	26/06/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 140
Imagebase:	0x40000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	47

Executed Functions

Function 007A018D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,007A00FF,007A00EF), ref: 007A02FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 007A030F
Wow64GetThreadContext.KERNEL32(00000130,00000000), ref: 007A032D
ReadProcessMemory.KERNELBASE(0000012C,?,007A0143,00000004,00000000), ref: 007A0351
VirtualAllocEx.KERNELBASE(0000012C,?,?,00003000,00000040), ref: 007A037C
TerminateProcess.KERNELBASE(0000012C,00000000), ref: 007A039B
WriteProcessMemory.KERNELBASE(0000012C,00000000,?,?,00000000,?), ref: 007A03D4
WriteProcessMemory.KERNELBASE(0000012C,00400000,?,?,00000000,?,00000028), ref: 007A041F
WriteProcessMemory.KERNELBASE(0000012C,?,?,00000004,00000000), ref: 007A045D
Wow64SetThreadContext.KERNEL32(00000130,007D0000), ref: 007A0499
ResumeThread.KERNELBASE(00000130), ref: 007A04A8

Strings

CreateProcessA, xrefs: 007A0241
Load, xrefs: 007A01CB
GetThreadContext, xrefs: 007A0267
TerminateProcess, xrefs: 007A038B
GetP, xrefs: 007A020F
ress, xrefs: 007A0217
aryA, xrefs: 007A01D3
WriteProcessMemory, xrefs: 007A02A0
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 007A02FB
SetThreadContext, xrefs: 007A02B3
VirtualAllocEx, xrefs: 007A028D
ReadProcessMemory, xrefs: 007A027A
ResumeThread, xrefs: 007A02C9
VirtualAlloc, xrefs: 007A0254

Memory Dump Source

Source File: 00000000.00000002.1446451759.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_rise2406.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-1257834847
Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction ID: 94d2544db2dcf14e7deb5fccae4f007d013abbd52beeb77c932c08cccaf34fe0
Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction Fuzzy Hash: 49B1E67664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB341D774FA518B94

Function 005475D0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OffsetRect.USER32(00000000,00000000,00000000), ref: 00547718
Polyline.GDI32(00000000,00000000,00000000), ref: 00547739

Strings

size of vector, xrefs: 00547645
regwgrrwr, xrefs: 005476A3
dsdsww, xrefs: 00547630

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: OffsetPolylineRect
String ID: dsdsww$regwgrrwr$size of vector
API String ID: 1418762327-435021585
Opcode ID: dc4fe3801c7476f02fd6a64f58c948936ebe2eeb6b6e56d99cbf21f071db0a69
Instruction ID: 55a3f51da157deb4659d3d6420139a6befd5f2996e841f0ee82ad0ca59d4f4fa
Opcode Fuzzy Hash: dc4fe3801c7476f02fd6a64f58c948936ebe2eeb6b6e56d99cbf21f071db0a69
Instruction Fuzzy Hash: B071BA712093915BD314AF28D899B6FBFE0BFC9308F180A6DF59987292C7799508CB52

Function 00547AB0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 122
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,00547C30,00000000,00000000,00000000), ref: 00547C1F
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00547C28

Strings

4, xrefs: 00547B5F
Own head, xrefs: 00547AF2
Earth, xrefs: 00547B12

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: CreateObjectSingleThreadWait
String ID: 4$Earth$Own head
API String ID: 1891408510-3926490352
Opcode ID: c35976d47c9ecf2b06bff28d85418e335433130c7e23bfb9e95c2e99df05a793
Instruction ID: 782a1f421d95000733ea66137e58ebf217d53a13bfa4a8ee9f64c3724b1411d8
Opcode Fuzzy Hash: c35976d47c9ecf2b06bff28d85418e335433130c7e23bfb9e95c2e99df05a793
Instruction Fuzzy Hash: BD415B316043916BCB109F388C89B9FBFE1BFCA708F644A58F4949B1C6D734EA448756

Function 00528522 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-lR, xrefs: 005285BA

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID:
String ID: -lR
API String ID: 0-2214140114
Opcode ID: 110a8ab1c36114e3631bfe4406143cdf1de7d0f7df094fb1b6159f7af64dd40e
Instruction ID: 788a02fc8d80e6ef2b9c832fe6c97ae337503ddbeee7b21a9e23b3a8962b999b
Opcode Fuzzy Hash: 110a8ab1c36114e3631bfe4406143cdf1de7d0f7df094fb1b6159f7af64dd40e
Instruction Fuzzy Hash: 1031687290252AAFCF14CFA4E8849FDBBB9BF1A310B144556E501A77D1DB31F944CBA0

Function 00547D50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE(00000000,0000001F), ref: 00547D8A

Strings

Illkjmuueghu %d, xrefs: 00547D7D

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ConsoleFree
String ID: Illkjmuueghu %d
API String ID: 771614528-1805681028
Opcode ID: b9c4047ba4c9a4900976330c42bc2bdf06cade384b12d2928016a6339003eab7
Instruction ID: 919ca706f4815fa1c77523774bfaf8c1754e2ada9ea37d52111c07f61feaf82f
Opcode Fuzzy Hash: b9c4047ba4c9a4900976330c42bc2bdf06cade384b12d2928016a6339003eab7
Instruction Fuzzy Hash: 8A01DB75E04249ABDB109B699C0ABEEBFE8FB49728F000A25F915D73C2EB7295044691

Function 0053A2F4 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00539A3E: GetConsoleOutputCP.KERNEL32(BDD10849,00000000,00000000,00000000), ref: 00539AA1

WriteFile.KERNEL32(?,00000000,00000000,00531810,00000000,00000000,00000000,00000000,00000000,?,00531810,00000000,?,00553088,00000010,00000000), ref: 0053A45D
GetLastError.KERNEL32(?,00531810,00000000,?,00553088,00000010,00000000,00000000,00000000,00000000,00000000), ref: 0053A467

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 7aee9661956af60d6d3fe7d01a2336362c9cf1552a83ff79c027780633a5143d
Instruction ID: 57239d2b09bbc685de222b94023f5fca2a0a5ad5bb8966675855fb91de28628d
Opcode Fuzzy Hash: 7aee9661956af60d6d3fe7d01a2336362c9cf1552a83ff79c027780633a5143d
Instruction Fuzzy Hash: 8361C5B1D04259AFDF11CFA8C888EEEBFB9BF49304F144455E890AB252E371D905CB62

Function 00539EF6 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,0053A443,?,00000000,00000000,00000000,00000000,00000000), ref: 00539F92
GetLastError.KERNEL32(?,0053A443,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00531810,00000000,?,00553088,00000010), ref: 00539FB8

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 4017831e56e32fb9be00624ee9852c1ebfd3d5cce3c92a78ef14a439ba607a28
Instruction ID: d63aafc065a81e45fabe409092e0c778fad33437e0e9c7f39d5d6f6799ceb9f5
Opcode Fuzzy Hash: 4017831e56e32fb9be00624ee9852c1ebfd3d5cce3c92a78ef14a439ba607a28
Instruction Fuzzy Hash: 5A21A375A002199BCF16CF29DC809EDBBB9FF89305F1484A9E90AD7251D670DE46CFA0

Function 005374F3 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0053753F
GetFileType.KERNELBASE(00000000), ref: 00537551

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 0eeba1e469c89990dd7d910846c9c879c795b3dfb954e6a793af7797961ab28c
Instruction ID: 07a643a5e8991f55d6d082fabf94174fad6d74a97b60ad867b1fb0aaf2db47d8
Opcode Fuzzy Hash: 0eeba1e469c89990dd7d910846c9c879c795b3dfb954e6a793af7797961ab28c
Instruction Fuzzy Hash: 8B1190B190C74947D7384E3E9C886266F95B75E330F380B5DD0B69A1F1C630D985D651

Function 0053663B Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,0053E6B3,?,00000000,?,?,0053E954,?,00000007,?,?,0053EE4D,?,?), ref: 00536651
GetLastError.KERNEL32(?,?,0053E6B3,?,00000000,?,?,0053E954,?,00000007,?,?,0053EE4D,?,?), ref: 0053665C

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 75ce134565930e85ab3765c84e87b1bb44deeb229315c64a4dca56c2c4f12476
Instruction ID: 4ff0bd1f6fe91ba5b21dbe333fa30b98869c2a31abe16609d131c2c53f0ac139
Opcode Fuzzy Hash: 75ce134565930e85ab3765c84e87b1bb44deeb229315c64a4dca56c2c4f12476
Instruction Fuzzy Hash: 66E08C32100614ABCB112FA0EC0DBEA3F68BB91799F044025F60CDA4A0CA308985E798

Function 00547C30 Relevance: 1.3, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040), ref: 00547CC0

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3ec0135f9e63189a7543f440eb4ec7fff1fe1e5bd6f48f4e365a56d1ba6d6889
Instruction ID: 373d2248df7aadb7bc21b0df9741ba22b6102a4f6755bb5711e4d25d8606bb73
Opcode Fuzzy Hash: 3ec0135f9e63189a7543f440eb4ec7fff1fe1e5bd6f48f4e365a56d1ba6d6889
Instruction Fuzzy Hash: 2631C971E002596BD700AF64DC89BEDBBB4BF5D304F144259F50477282EB746A848764

Non-executed Functions

Function 005409FC Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1428COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00540BE0

Strings

1#IND, xrefs: 00540B01
1#SNAN, xrefs: 00540B08
1#QNAN, xrefs: 00540B0F
1#INF, xrefs: 00540B32

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a4ab409d50cc4c0a993de20da37aed43e472218471b8bd3eb9c7f689164b8ec3
Instruction ID: 0ebec2e4b60e6efa2da155aafcde379d45558a3aab6ebe1f63007aae4f46e1f9
Opcode Fuzzy Hash: a4ab409d50cc4c0a993de20da37aed43e472218471b8bd3eb9c7f689164b8ec3
Instruction Fuzzy Hash: E6D22871E086298FDB65CE28DD447EABBB5FB84308F1445EAD40DE7240EB74AE858F44

Function 0053FE5E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0054017C,00000002,00000000,?,?,?,0054017C,?,00000000), ref: 0053FEF7
GetLocaleInfoW.KERNEL32(?,20001004,0054017C,00000002,00000000,?,?,?,0054017C,?,00000000), ref: 0053FF20
GetACP.KERNEL32(?,?,0054017C,?,00000000), ref: 0053FF35

Strings

ACP, xrefs: 0053FE7C
OCP, xrefs: 0053FEB2

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 5765764b3ab6ebf60e14b0dbb3c0ac2e5216daebac23baca4380c54d7bdd335b
Instruction ID: 27a340db9414e7e07bde61ef09da24503adb5fb237c5f97bd365ea337db1dc2e
Opcode Fuzzy Hash: 5765764b3ab6ebf60e14b0dbb3c0ac2e5216daebac23baca4380c54d7bdd335b
Instruction Fuzzy Hash: AB21D732E00101AADB70CF64D905AAB7BAAFF55B54F568834FD0AD7221E732DD41E350

Function 00540033 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00536350: GetLastError.KERNEL32(?,00000008,0053694F), ref: 00536354
Part of subcall function 00536350: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 005363F6

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0054013F
IsValidCodePage.KERNEL32(00000000), ref: 00540188
IsValidLocale.KERNEL32(?,00000001), ref: 00540197
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 005401DF
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 005401FE

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 5a9b694ccad1606557900b6d483f9d7d1c23a9eb2e06e4125614d4bfbc40980b
Instruction ID: c61a550058ed985a65643d47b61fbe094fcfb863a5898c7457cc3f5d6e4e3566
Opcode Fuzzy Hash: 5a9b694ccad1606557900b6d483f9d7d1c23a9eb2e06e4125614d4bfbc40980b
Instruction Fuzzy Hash: 0F518172A0020AABDB10DFA4CC45BFE7BB8BF59704F245429EA14EB190DB70D944DB61

Function 0053F6CF Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00536350: GetLastError.KERNEL32(?,00000008,0053694F), ref: 00536354
Part of subcall function 00536350: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 005363F6

GetACP.KERNEL32(?,?,?,?,?,?,00534EF0,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0053F790
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00534EF0,?,?,?,00000055,?,-00000050,?,?), ref: 0053F7BB
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0053F91E

Strings

utf8, xrefs: 0053F88D

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: fc298077b545e6d3742210103c8b2c4bed37c5513cec2fada783f90e07c561bf
Instruction ID: 89354b0d75ce7061685ce710a26d2a2b55f5320fb72756926cfffd3521ed9358
Opcode Fuzzy Hash: fc298077b545e6d3742210103c8b2c4bed37c5513cec2fada783f90e07c561bf
Instruction Fuzzy Hash: A271B972E00206AAEB28AB74CC4AFA6BBA8FF45744F14447AF505D7181EB74DD45C760

Function 00537782 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0053780F

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: c6eacb7953bbba39f711a7e71ff673c16b34cf1b21946f2f6922c52105c3e655
Instruction ID: d9a54762d13fda3415daa393eb86967f1ea8d6fb0327e96f1e86201dff470b1f
Opcode Fuzzy Hash: c6eacb7953bbba39f711a7e71ff673c16b34cf1b21946f2f6922c52105c3e655
Instruction Fuzzy Hash: 78B149B2E0865A9FDB25CF68C881BEEBFA5FF5D310F14456AE405AB242D2349D01C7A0

Function 00529EEF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00529EFB
IsDebuggerPresent.KERNEL32 ref: 00529FC7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00529FE0
UnhandledExceptionFilter.KERNEL32(?), ref: 00529FEA

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 14b7dd27583396d27d01840b3b462f8946b0ca49b1f7105b2293d17d4b0fda4e
Instruction ID: 81346fbeca86a7ba87d272e2e846866d2f4ed73f2d929a09d532ce2dfba7ee8c
Opcode Fuzzy Hash: 14b7dd27583396d27d01840b3b462f8946b0ca49b1f7105b2293d17d4b0fda4e
Instruction Fuzzy Hash: FC311A75C013299BDB21DF64D84D7CDBBB8BF59300F10419AE50DA7290EB719A889F45

Function 0053FAE2 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00536350: GetLastError.KERNEL32(?,00000008,0053694F), ref: 00536354
Part of subcall function 00536350: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 005363F6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0053FB36
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0053FB80
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0053FC46

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: fed83b30cc917216bf1a61870a8a879cfe94e8c61bec6b188426e16158ae2c11
Instruction ID: eca11557a6fb1f082b8b2bb733639b98515e5e682b9826dba10d97c717bbde60
Opcode Fuzzy Hash: fed83b30cc917216bf1a61870a8a879cfe94e8c61bec6b188426e16158ae2c11
Instruction Fuzzy Hash: A561AD7194420B9FEB289F28DC86BBABBA8FF04304F20447AED05C6585EB34DD91DB50

Function 0052DED3 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 0052DFCB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 0052DFD5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 0052DFE2

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d07e35309131663fa57df10d1ceceaaf8c28754d46d3d1b3e9dfa511d0683b67
Instruction ID: 45735a7e193b4f077de27ca6f61c252e0282ec6a8db80b6e928b04e9cd804236
Opcode Fuzzy Hash: d07e35309131663fa57df10d1ceceaaf8c28754d46d3d1b3e9dfa511d0683b67
Instruction Fuzzy Hash: E731D47490122DABCB21DF24DC88BDDBBB8BF59310F5041DAE41CA7291EB309B858F55

Function 005370FB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00535A56,?,20001004,00000000,00000002,?,?,00535058), ref: 0053712F

Strings

-lR, xrefs: 0053711A

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: InfoLocale
String ID: -lR
API String ID: 2299586839-2214140114
Opcode ID: 36b555a1b658dfc772ace3c6df1dbae6e1fcd7a243bf35ec6d105bd863bd1517
Instruction ID: 4ba4deef10dcba80f3078637a53be66297250d8fbf29e13a0a322c0f1fdb38fb
Opcode Fuzzy Hash: 36b555a1b658dfc772ace3c6df1dbae6e1fcd7a243bf35ec6d105bd863bd1517
Instruction Fuzzy Hash: BFE01A7694421DBBCB222F61DC09AAE7F25FB59761F044011FC05661608B318D21EAD0

Function 00532C20 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2692ef2465f7c715e646551b9f84a9b96eae746530df55d46b013212d61f18f7
Instruction ID: fd3f4a59c0c85e4b3474320be6282f4cc0d94c9218c4464ddcef7112d8467056
Opcode Fuzzy Hash: 2692ef2465f7c715e646551b9f84a9b96eae746530df55d46b013212d61f18f7
Instruction Fuzzy Hash: 83F13E71E006199FDF18CF68C8846ADBBB1FF88314F158269E815EB395D731AE45CB90

Function 0053BC92 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0053BC8D,?,?,00000008,?,?,00544202,00000000), ref: 0053BEBF

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6928190ff74c186704e969a4af716cde2ba39427cc8e3dd48169d6a84ba3509b
Instruction ID: 6e7c1f77c019a60f31b52e1aafd6fc0eb13906211894a3c374c660f67373ae2c
Opcode Fuzzy Hash: 6928190ff74c186704e969a4af716cde2ba39427cc8e3dd48169d6a84ba3509b
Instruction Fuzzy Hash: 92B11A35610609DFEB15CF2CC486BA57FA0FF45364F298658EA9ACF2A1C335E991CB40

Function 00529C95 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00529CAB

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: bc3a05ca9057ddc936142ec1374b37c2e0a995d19cda3e0e5a13ef27f079f35e
Instruction ID: ff5673b8f92f9712fa0be9dd9ec54394c955b728e2e68bb4d15da656cb03463f
Opcode Fuzzy Hash: bc3a05ca9057ddc936142ec1374b37c2e0a995d19cda3e0e5a13ef27f079f35e
Instruction Fuzzy Hash: 55517AB1A103598FEB14CF69E8C57AABBF9FB49310F14842AD819EB3A0D7759904CF50

Function 0053C8CD Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a56c14251f2176ed564e858b9a0c9924faca1bed559dfacb45f5f09b5cd704
Instruction ID: 86bc40386b0332dd27c2620667f98879d518312e8aa093c1e5bbd01fb4ec54f9
Opcode Fuzzy Hash: 75a56c14251f2176ed564e858b9a0c9924faca1bed559dfacb45f5f09b5cd704
Instruction Fuzzy Hash: 2041A47680421DAEDB20DF69CC89AEABFB9FF85304F1442D9E419E3201DA359E458F10

Function 0053FD35 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00536350: GetLastError.KERNEL32(?,00000008,0053694F), ref: 00536354
Part of subcall function 00536350: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 005363F6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0053FD89

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: a4f6739c5385c9e2f051907e825022fecbbf4e0adaf149d30b62faeec1308424
Instruction ID: 28648b2bf310a538952371534e28dd5dd36279d2b24bd3f8e552b51b884e99c9
Opcode Fuzzy Hash: a4f6739c5385c9e2f051907e825022fecbbf4e0adaf149d30b62faeec1308424
Instruction Fuzzy Hash: DF21B072A10207ABDB289E24DC4AEBA7BA8FF55305F10447AFD02DB141EB35ED44CB50

Function 0052FF04 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 0053008E

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: cd625ae76308d19fbeeb198155a63df799f76d820ed7533acb3f104a3ac2da33
Instruction ID: 0dc8f2d659d4482ce8951545cf4eb657db6d6683b662733fbf9060eb2b90c95b
Opcode Fuzzy Hash: cd625ae76308d19fbeeb198155a63df799f76d820ed7533acb3f104a3ac2da33
Instruction Fuzzy Hash: 7AB1E57090071A8BCB28CF68DAA96BFBFB1BF46300F14192AE456D72D1D731A946CB51

Function 0053F9BC Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00536350: GetLastError.KERNEL32(?,00000008,0053694F), ref: 00536354
Part of subcall function 00536350: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 005363F6

EnumSystemLocalesW.KERNEL32(0053FAE2,00000001,00000000,?,-00000050,?,00540113,00000000,?,?,?,00000055,?), ref: 0053FA2E

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: d8cfc478d418cfdda9cd61983864e7c533a2c55c2bb723c61bf4fa261a717cbf
Instruction ID: c589061378720036e4c732193ac87a63ae01f850a59e1319fa611de356ae0b67
Opcode Fuzzy Hash: d8cfc478d418cfdda9cd61983864e7c533a2c55c2bb723c61bf4fa261a717cbf
Instruction Fuzzy Hash: A611E9376007019FDB189F39C8956BABBD1FF84359F14443DE98A47B40E7716942C740

Function 0053FF64 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00536350: GetLastError.KERNEL32(?,00000008,0053694F), ref: 00536354
Part of subcall function 00536350: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 005363F6

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0053FDDF,00000000,00000000,?), ref: 0053FF90

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b2674a5d5cb6f7b2d9e197e08590812bcd191872f4818cd861ea1a234c2fac0d
Instruction ID: ab703c91021a1415aa915798f4ae90577f6063cd215c3640b474254bd91a9f39
Opcode Fuzzy Hash: b2674a5d5cb6f7b2d9e197e08590812bcd191872f4818cd861ea1a234c2fac0d
Instruction Fuzzy Hash: C4F0A936E101227BDB289724C805ABA7F54FB41758F154839ED16E3180DB74FD41C790

Function 0053F8CA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00536350: GetLastError.KERNEL32(?,00000008,0053694F), ref: 00536354
Part of subcall function 00536350: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 005363F6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0053F91E

Strings

utf8, xrefs: 0053F88D

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 4ca2b281868e0bef51069f8386dd4c6ddc8e41c05136a9709934d2044bcc4abe
Instruction ID: b9030e896b0cd823f10e0d7a14250d2fb2ccda8b49bfd120bbb97475fc77c124
Opcode Fuzzy Hash: 4ca2b281868e0bef51069f8386dd4c6ddc8e41c05136a9709934d2044bcc4abe
Instruction Fuzzy Hash: 2DF0A432A0010AABD714AB34DC4AEFE77A8EF85715F15407AB606D7281EA74AD059790

Function 0053FA57 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00536350: GetLastError.KERNEL32(?,00000008,0053694F), ref: 00536354
Part of subcall function 00536350: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 005363F6

EnumSystemLocalesW.KERNEL32(0053FD35,00000001,?,?,-00000050,?,005400D7,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0053FAA1

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c9dba276dddaa2aa909e92efdb0986688b3848a6c0c20701eea0c14958d3a507
Instruction ID: 3a9d438e35afb44e2045dd779c3a03e9005c1a7d0d58e80ab829fccee92b3a46
Opcode Fuzzy Hash: c9dba276dddaa2aa909e92efdb0986688b3848a6c0c20701eea0c14958d3a507
Instruction Fuzzy Hash: DFF0F6366003055FDB249F75D885A7A7FD1FF80368F05443DFA4A8B680CA719C02C750

Function 00536BD5 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00530CB9: EnterCriticalSection.KERNEL32(?,?,0053369F,00000000,005531C8,0000000C,00533666,?,?,00536B9E,?,?,005364EE,00000001,00000364,?), ref: 00530CC8

EnumSystemLocalesW.KERNEL32(00536BC8,00000001,005533B8,0000000C,00536FF7,00000000), ref: 00536C0D

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 38c0265d7702e4a1916ca4b5cf7b4f4deca2d58873603f544c2347a11436aed2
Instruction ID: 24165dff06239e3a7fb77b8678d978fc5a9777baaf62bb6b7a11d3f6ffb3b2a0
Opcode Fuzzy Hash: 38c0265d7702e4a1916ca4b5cf7b4f4deca2d58873603f544c2347a11436aed2
Instruction Fuzzy Hash: 20F01932A00305EFD700EF58E856B98BBE1FB45725F10516AF8159B2A1CA754A08CB90

Function 0053F971 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00536350: GetLastError.KERNEL32(?,00000008,0053694F), ref: 00536354
Part of subcall function 00536350: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 005363F6

EnumSystemLocalesW.KERNEL32(0053F8CA,00000001,?,?,?,00540135,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0053F9A8

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 56cfabcb718522590e151585aee150a337b13c1ce182c7518880520a1d2db25a
Instruction ID: f323a9ade250c72479ad97f52067bacc71af73599e017d78283f8f76e0783363
Opcode Fuzzy Hash: 56cfabcb718522590e151585aee150a337b13c1ce182c7518880520a1d2db25a
Instruction Fuzzy Hash: 4FF0E53A70020567CB089F35D8557BABF94FFC6754F4A406DEA098B250C6719843C790

Function 0052A04B Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000A057,00529916), ref: 0052A050

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a0e1e4ecbb2359faa34755ce4fb1c1d08d8febdd70931a8bef25eaf6dbc252b7
Instruction ID: 8861a4819c5f5fae0f16db4e3250a82d0cb29fee0d2c1e2154bdf7262eaca06a
Opcode Fuzzy Hash: a0e1e4ecbb2359faa34755ce4fb1c1d08d8febdd70931a8bef25eaf6dbc252b7
Instruction Fuzzy Hash:

Function 0053DAB5 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0053DAB5

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1715ef7f1c3d2340d97ba1f4c852e4370662c7a8b8ded6b2e2d187cf409290b2
Instruction ID: c827f2e46ecd2f77f8e3fd0d4072a9f2f958b0108f1c3a93780d7cf1461a8ecb
Opcode Fuzzy Hash: 1715ef7f1c3d2340d97ba1f4c852e4370662c7a8b8ded6b2e2d187cf409290b2
Instruction Fuzzy Hash: 74A012301003008B53004F315D8828C36E5590268030400549008C5070DA30408C7644

Function 00540DD4 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc171e892d3061e58fa2661b4fe82ab51c16a148d9ca4a8156c81c687042340a
Instruction ID: 8d4c94566003ada41dd83bb63b5771626a7de3eadb219d3ee823049eee2422e0
Opcode Fuzzy Hash: fc171e892d3061e58fa2661b4fe82ab51c16a148d9ca4a8156c81c687042340a
Instruction Fuzzy Hash: 72D11971E086298FDB25CE28DC807E9BBB5FB85358F1445EAD40DE7240DB78AE858F44

Function 005385C5 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913097a76a2aa3f9716249509b8196a2f4b16ccbac58342a843d0fa289859693
Instruction ID: c63e321deb9560ab25937fa99d57d3812009fbe7ab7cfd7cbc4506e7ddca4725
Opcode Fuzzy Hash: 913097a76a2aa3f9716249509b8196a2f4b16ccbac58342a843d0fa289859693
Instruction Fuzzy Hash: BBE04632911228EBCB29DB88C90899ABBACFB85B00F11409AB501D3100C670DE00D7D0

Function 00533A8C Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2e9a7be51ed71085fad7bcd48806db607c783d97970506649736f56e1902a2
Instruction ID: 2dbe0eac85a2e8d184ff8ee4651d23280d2d6bad96f5f14f206e5837da5926d3
Opcode Fuzzy Hash: ad2e9a7be51ed71085fad7bcd48806db607c783d97970506649736f56e1902a2
Instruction Fuzzy Hash: 0DC08C35021E0046CF29891082B13B437F4B3D1782F80048CC4430B682CA1E9D83DA00

Function 00522090 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005220A5
std::_Lockit::_Lockit.LIBCPMT ref: 005220BF
std::_Lockit::~_Lockit.LIBCPMT ref: 005220E0
std::_Lockit::~_Lockit.LIBCPMT ref: 00522138
std::_Lockit::_Lockit.LIBCPMT ref: 0052217D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005221CE
__Getctype.LIBCPMT ref: 005221E5
std::_Facet_Register.LIBCPMT ref: 0052220F
std::_Lockit::~_Lockit.LIBCPMT ref: 00522228

Strings

bad locale name, xrefs: 00522237

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeLocinfo::_Locinfo_ctorRegister
String ID: bad locale name
API String ID: 2236780835-1405518554
Opcode ID: 17b8267484b78603201674d1caf385fdb1386055106bba40cec7184af2189e76
Instruction ID: c056cc8386133068516d69b006f6449b09e3f29eb1a296195ad781fd8bfcaec3
Opcode Fuzzy Hash: 17b8267484b78603201674d1caf385fdb1386055106bba40cec7184af2189e76
Instruction Fuzzy Hash: 4041DF395043A19FC311DF58E884B5ABFE1BFD6710F14495CF8889B291DB31E94ACB92

Function 0052944A Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00529450
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0052945E
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0052946F
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00529480

Strings

kernel32.dll, xrefs: 0052944B
GetSystemTimePreciseAsFileTime, xrefs: 00529464
GetTempPath2W, xrefs: 00529475
GetCurrentPackageId, xrefs: 00529458

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 5c768cc590e025e5a0307baabdf4c914b770cc1c80ea28886e8b74ae20a9f8e4
Instruction ID: 8ba30ddf2667da61eefa2ebda48aa7cea683cb0cd84828f4cd8c7f0f7e13d712
Opcode Fuzzy Hash: 5c768cc590e025e5a0307baabdf4c914b770cc1c80ea28886e8b74ae20a9f8e4
Instruction Fuzzy Hash: 39E08CB5960360AF87019F74BC0E8DE3FAAFE2A71D3204012F61CD3220DE7004089BA0

Function 0052CE32 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0052CF51
___TypeMatch.LIBVCRUNTIME ref: 0052D05F
_UnwindNestedFrames.LIBCMT ref: 0052D1B1
CallUnexpected.LIBVCRUNTIME ref: 0052D1CC

Strings

csm, xrefs: 0052CE6F
csm, xrefs: 0052CF88
csm, xrefs: 0052CEDC

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 45ab5721b43d1c61d622b3cc0804e56312e71258e63118875eb75bec1dbb87ca
Instruction ID: 07fbbc29f97eee7bd3a3a15a1327f3c120aaf737c579bc3eaf5ccca668b98072
Opcode Fuzzy Hash: 45ab5721b43d1c61d622b3cc0804e56312e71258e63118875eb75bec1dbb87ca
Instruction Fuzzy Hash: 7BB1BE3180022ADFCF19DFA4E9859AEBFB5FF56310F14415AE8016B292D731DA61CFA1

Function 0053B294 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 0053B50D

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 1fdb346767efe49b9b0cd11e84885f8a5295f58cf86569405216c85c0554aa07
Instruction ID: bd0a11fff86b8664f836a4781a78aec6e4e26f74966fca3ca1b6112bee7f5aa9
Opcode Fuzzy Hash: 1fdb346767efe49b9b0cd11e84885f8a5295f58cf86569405216c85c0554aa07
Instruction Fuzzy Hash: 2DB104B0A0034AAFEF11DF99C895BBDBFB2BF95314F144158E604AB292D7709D42CB61

Function 0052C900 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0052C937
___except_validate_context_record.LIBVCRUNTIME ref: 0052C93F
_ValidateLocalCookies.LIBCMT ref: 0052C9C8
__IsNonwritableInCurrentImage.LIBCMT ref: 0052C9F3
_ValidateLocalCookies.LIBCMT ref: 0052CA48

Strings

csm, xrefs: 0052C9DD
-lR, xrefs: 0052CA0C

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: -lR$csm
API String ID: 1170836740-1122130300
Opcode ID: addd2846a48b5a2b7777b227c2a41dc32c5a2eac45db6097d566fb551667fb74
Instruction ID: 74ed3646371fed90ee3565e0294dab5b3e0cb91a23aec1038157904e54934935
Opcode Fuzzy Hash: addd2846a48b5a2b7777b227c2a41dc32c5a2eac45db6097d566fb551667fb74
Instruction Fuzzy Hash: 6141D635A002299FCF10DF68E885AAEBFB5BF46324F148055E8156B3D3D731EA55CB90

Function 00544514 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00A44788,00A44788,?,7FFFFFFF,?,005447E4,00A44788,00A44788,?,00A44788,?,?,?,?,00A44788,?), ref: 005445BA
__alloca_probe_16.LIBCMT ref: 00544675
__alloca_probe_16.LIBCMT ref: 00544704
__freea.LIBCMT ref: 0054474F
__freea.LIBCMT ref: 00544755
__freea.LIBCMT ref: 0054478B
__freea.LIBCMT ref: 00544791
__freea.LIBCMT ref: 005447A1

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 969cae86715de58dca9bb9d6a8b4459a844839048890c42d88c51ea417237d32
Instruction ID: 44baedd1c915efd17654c704f9735244c3a1fc5ef2bfebe220e6715f09367a79
Opcode Fuzzy Hash: 969cae86715de58dca9bb9d6a8b4459a844839048890c42d88c51ea417237d32
Instruction Fuzzy Hash: FD71D772940256AFDF219F949C85BEE7FB9FF86318F150459E904B7281D7359C028F90

Function 00529120 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00529169
__alloca_probe_16.LIBCMT ref: 00529195
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 005291D4
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005291F1
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00529230
__alloca_probe_16.LIBCMT ref: 0052924D
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0052928F
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 005292B2

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: a7d2eb1820b0f6e99b403a66256c9c74cc9a9a7109eec62d703708f7badee12e
Instruction ID: 00bd8b7cd2f636a8a8c7a20c9d627a9f23f59e66e11754f5d03330ae6f753ae8
Opcode Fuzzy Hash: a7d2eb1820b0f6e99b403a66256c9c74cc9a9a7109eec62d703708f7badee12e
Instruction Fuzzy Hash: 7C51AE7650022AFBEF205F61EC49FAA7FA9FF86750F154425F914E6290DB309C14DBA0

Function 00536D9E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,BDD10849,?,00536EAB,?,?,?,00000000), ref: 00536E5F

Strings

api-ms-, xrefs: 00536DF5
ext-ms-, xrefs: 00536E09

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 80cc86c8306bb875bcf0bc44b33d2011e04f154de9d15d8427bafa95f7a2c3b8
Instruction ID: bde3cdc9a3f74f1c9e5898e20313de93c81c04dfce1e2a544f1450c7113d3925
Opcode Fuzzy Hash: 80cc86c8306bb875bcf0bc44b33d2011e04f154de9d15d8427bafa95f7a2c3b8
Instruction Fuzzy Hash: D4213079600210BBC7219B64DC44AAF3F5DFF92764F254115E906AB2D0EB70ED09E5E0

Function 00527C88 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00527C8F
std::_Lockit::_Lockit.LIBCPMT ref: 00527C99

Part of subcall function 005233F0: std::_Lockit::_Lockit.LIBCPMT ref: 005233FF
Part of subcall function 005233F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0052341A

codecvt.LIBCPMT ref: 00527CD3
std::_Facet_Register.LIBCPMT ref: 00527CEA
std::_Lockit::~_Lockit.LIBCPMT ref: 00527D0A

Strings

-lR, xrefs: 00527CF7

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID: -lR
API String ID: 712880209-2214140114
Opcode ID: 48fb33c1536a8f736d3ae38d8f6811942b5c772352fa88cfa8323d780c040269
Instruction ID: 36d3d3f8fb9fa95c34fac7fddb12a56d9df3e90bde5361fac08de6810ef6977d
Opcode Fuzzy Hash: 48fb33c1536a8f736d3ae38d8f6811942b5c772352fa88cfa8323d780c040269
Instruction Fuzzy Hash: E911AF7190026A9FCB05EB68E84A5AEBFB5BF96320F140909E405A73C1EF709E00CB91

Function 00527586 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0052758D
std::_Lockit::_Lockit.LIBCPMT ref: 00527598
std::_Lockit::~_Lockit.LIBCPMT ref: 00527606

Part of subcall function 005276E9: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00527701

std::locale::_Setgloballocale.LIBCPMT ref: 005275B3
_Yarn.LIBCPMT ref: 005275C9

Strings

-lR, xrefs: 005275D5, 005275F9

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID: -lR
API String ID: 1088826258-2214140114
Opcode ID: 1c839aafee4e539a8606e04a8898924a64f1e323d31385d98dbc18c6fef45c87
Instruction ID: f84f25a4142d3245ec9f449509424bafe755c2d17ee4793af3a2d79bd35500f1
Opcode Fuzzy Hash: 1c839aafee4e539a8606e04a8898924a64f1e323d31385d98dbc18c6fef45c87
Instruction Fuzzy Hash: 26017C75A056269BC706EF60E88A9BD7F66BFCA340B180049E806573C1DF34AE06CBD1

Function 00533AAE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BDD10849,?,?,00000000,00545E79,000000FF,?,00533A3E,?,?,00533A12,00000016), ref: 00533AE3
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00533AF5
FreeLibrary.KERNEL32(00000000,?,00000000,00545E79,000000FF,?,00533A3E,?,?,00533A12,00000016), ref: 00533B17

Strings

CorExitProcess, xrefs: 00533AED
mscoree.dll, xrefs: 00533ADC
-lR, xrefs: 00533B06

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: -lR$CorExitProcess$mscoree.dll
API String ID: 4061214504-112635629
Opcode ID: 2583c458e598e1f9ece4b4df4d18cbdd5b8bbbe868ab56e0dd81f2e44c9ae486
Instruction ID: 097b592b410a1b38dbfbed2aab66080c8b85dd8f5aeeb31d420d093ae9bb79f0
Opcode Fuzzy Hash: 2583c458e598e1f9ece4b4df4d18cbdd5b8bbbe868ab56e0dd81f2e44c9ae486
Instruction Fuzzy Hash: 4401D635A10619EFDB119F50CC09FFEBFB8FB04B58F000126F812A22A0DB749904CA50

Function 0052CAC4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0052CABB,0052B083,00526E89,BDD10849,?,?,?,00000000,00545C52,000000FF,?,005257DE,?,?), ref: 0052CAD2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0052CAE0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0052CAF9
SetLastError.KERNEL32(00000000,?,0052CABB,0052B083,00526E89,BDD10849,?,?,?,00000000,00545C52,000000FF,?,005257DE,?,?), ref: 0052CB4B

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7ea544592eeb423077e34246fa6f0baa80cc9d0bf516ddc896b605c4f74df185
Instruction ID: da7bc90c90d7f994778e1fed911e73b58945f820b4d43611875d42d6599b6d4e
Opcode Fuzzy Hash: 7ea544592eeb423077e34246fa6f0baa80cc9d0bf516ddc896b605c4f74df185
Instruction Fuzzy Hash: D60124326297326EE7242B78BC8F96E2F95FF637B5720023AF111640E2EF510C00A594

Function 0052CBDB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0052CCA2
___AdjustPointer.LIBCMT ref: 0052CCC5
___AdjustPointer.LIBCMT ref: 0052CD61

Strings

-lR, xrefs: 0052CC3A

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: AdjustPointer
String ID: -lR
API String ID: 1740715915-2214140114
Opcode ID: 3958e5afc9be9e3715c6b5321cfe6259c8e90303971f02d8509db9ae53f9ab2d
Instruction ID: 4f3987b482847a2698796db02e8cd9b3d3049c5d0cc671c4895ac8c0f657891f
Opcode Fuzzy Hash: 3958e5afc9be9e3715c6b5321cfe6259c8e90303971f02d8509db9ae53f9ab2d
Instruction Fuzzy Hash: 0851D1726046629FDB298F14F845BAE7FA4FF46310F244539E819972D2E731AC80CB90

Function 00539475 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 005394FC
__alloca_probe_16.LIBCMT ref: 005395BD
__freea.LIBCMT ref: 00539624

Part of subcall function 0053762F: HeapAlloc.KERNEL32(00000000,?,?,?,005294FE,?,?,0052193D,?,?,00547C5E,?,?), ref: 00537661

__freea.LIBCMT ref: 00539639
__freea.LIBCMT ref: 00539649

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: f4ef57bf97c65fab3b8144759152d3ae3acbe1aa51e7f62b3d2131bd3490b8ab
Instruction ID: 82794490fdffeeb3a4273156dee6b92d90dcaffa34eaed52fbb0c8acb1338665
Opcode Fuzzy Hash: f4ef57bf97c65fab3b8144759152d3ae3acbe1aa51e7f62b3d2131bd3490b8ab
Instruction Fuzzy Hash: 265180B2A01116AFEB219EA4DC86DEB7FA9FF84350F150528FC05D6250E6B1CD5097A0

Function 00527072 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00527086
AcquireSRWLockExclusive.KERNEL32(?,?,00000000,?,005253D4,?,?,?,?,?), ref: 005270A5
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,?,005253D4,?,?,?,?,?), ref: 005270D3
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,?,005253D4,?,?,?,?,?), ref: 0052712E
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,?,005253D4,?,?,?,?,?), ref: 00527145

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: f755866bf60a3a1586afea738bb5c41dc0db3a7c36ccb16ad9ce11d5d0e84a0b
Instruction ID: 653fa25be927f85d19278186cb128155c1c2b9aefb85c4fa302f020b3f828be9
Opcode Fuzzy Hash: f755866bf60a3a1586afea738bb5c41dc0db3a7c36ccb16ad9ce11d5d0e84a0b
Instruction Fuzzy Hash: B3417C3190862ADFCB20DF25E8859AABBF9FF0F350B104919D446D76C0E730E959CB51

Function 0052DBC7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0052DB78,?,?,00000000,?,?,?,0052DCA2,00000002,FlsGetValue,0054A0D0,FlsGetValue), ref: 0052DBD4
GetLastError.KERNEL32(?,0052DB78,?,?,00000000,?,?,?,0052DCA2,00000002,FlsGetValue,0054A0D0,FlsGetValue,?,?,0052CAE5), ref: 0052DBDE
LoadLibraryExW.KERNEL32(?,00000000,00000000,00552844,ios_base::failbit set,00000000), ref: 0052DC06

Strings

api-ms-, xrefs: 0052DBEB

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: fd2001dd1a43953ae5d179e6b96a28c5475178c9fe26c9838cd4827180a14fe8
Instruction ID: 53f73c9d52a0fe7a10051129b78fd4e98482033e2cc8bee751b452ca82de6145
Opcode Fuzzy Hash: fd2001dd1a43953ae5d179e6b96a28c5475178c9fe26c9838cd4827180a14fe8
Instruction Fuzzy Hash: ACE01270690208F6EE101B61ED0AB6D3F69BF11B55F104420F90DB40E1DBA2D9589964

Function 00539A3E Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BDD10849,00000000,00000000,00000000), ref: 00539AA1

Part of subcall function 0053C3CA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0053961A,?,00000000,-00000008), ref: 0053C476

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00539CFC
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00539D44
GetLastError.KERNEL32 ref: 00539DE7

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: ee83f8375c98246ffc3b1b4b4447044c5ae522c90590606465137a1807cd2582
Instruction ID: e043f8593a8616d21d4f09aab2a1acfbe299d7c931ac8f7e7b339e5d50bc033b
Opcode Fuzzy Hash: ee83f8375c98246ffc3b1b4b4447044c5ae522c90590606465137a1807cd2582
Instruction Fuzzy Hash: BBD198B5E002589FCB05CFA8D885AEDBFB5FF49310F18452AE816EB352E770A941CB50

Function 00524740 Relevance: 6.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 005247F6
std::_Throw_Cpp_error.LIBCPMT ref: 00524801
std::_Throw_Cpp_error.LIBCPMT ref: 00524905
std::_Throw_Cpp_error.LIBCPMT ref: 00524910

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: 5aa551c2e007ad71110fac8a0eca4de03544fd426d23c165351cf009ee830d3b
Instruction ID: 4a6432a3b517517063507767de77dbe9f934024c1812cf1f2777ed82d5697dd9
Opcode Fuzzy Hash: 5aa551c2e007ad71110fac8a0eca4de03544fd426d23c165351cf009ee830d3b
Instruction Fuzzy Hash: 6E51F2718047A56BD724EA70B80A76ABFE8BF93300F044D1DF996025D2D7B1A54CCBA3

Function 00525B50 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32(006E82A4,00000000,?,00000000,00000000,?,00000000), ref: 00525B61
InitOnceComplete.KERNEL32(006E82A4,00000000,00000000), ref: 00525B84

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: InitOnce$BeginCompleteInitialize
String ID:
API String ID: 51270584-0
Opcode ID: ed759c3ae39e9458795d50c43d71fa3859849347c55541c3dad3443c06b0e0c8
Instruction ID: eb3153adf7b6cf3b25add60b40519991921087f7054c66dfe4c5ab9d96a55209
Opcode Fuzzy Hash: ed759c3ae39e9458795d50c43d71fa3859849347c55541c3dad3443c06b0e0c8
Instruction Fuzzy Hash: D8310771A00719EFD710EF54EC4AB5ABBA4FF46710F10466AFA19972C0EB31A908CF91

Function 0053C68A Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0053C3CA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0053961A,?,00000000,-00000008), ref: 0053C476

GetLastError.KERNEL32 ref: 0053C6EE
__dosmaperr.LIBCMT ref: 0053C6F5
GetLastError.KERNEL32(?,?,?,?), ref: 0053C72F
__dosmaperr.LIBCMT ref: 0053C736

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 96ad46b4c3b9fcc4c9bd85b1e66744485e4dd16e29f33a06a5458c8ffac8d57a
Instruction ID: 45913d8d195c287a85af365b808f7c72a5b162b9bc9de53565a6c4068de08a3b
Opcode Fuzzy Hash: 96ad46b4c3b9fcc4c9bd85b1e66744485e4dd16e29f33a06a5458c8ffac8d57a
Instruction Fuzzy Hash: B821B371600616AF9B10AF698889D6BBFA8FF40364F10891DF919A7511DB30EC109B90

Function 005331C4 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3a38a3e4c69cd2bd36415bcdde27b05bd9dd74f998368cd6c55e4aa275f01d
Instruction ID: 1aae6960b1e1502d5304b8fa124fe4565dad375ac9292ea643149e228455b65e
Opcode Fuzzy Hash: eb3a38a3e4c69cd2bd36415bcdde27b05bd9dd74f998368cd6c55e4aa275f01d
Instruction Fuzzy Hash: 0521D579600206AFCB11AF65CC85D6BBFA9FF40368F108928F919D7140DB31EE00CBA0

Function 0053D620 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0053D628

Part of subcall function 0053C3CA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0053961A,?,00000000,-00000008), ref: 0053C476

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0053D660
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0053D680

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 4a14aec9d67689654ad6874788e82ee8025ad39cba881e85bbb284454c6dfecd
Instruction ID: 3dde76b96c72331079b9a3f3057b5183ae3d68ff2d1fe4ae3e0f59b2eca4f9fd
Opcode Fuzzy Hash: 4a14aec9d67689654ad6874788e82ee8025ad39cba881e85bbb284454c6dfecd
Instruction Fuzzy Hash: 5A1161F65016167F661127B6AC8FCBF6F7CFE96398F200419F816A2101EA249D019575

Function 00544349 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00542B84,00000000,00000001,00000000,00000000,?,00539E3B,00000000,00000000,00000000), ref: 00544360
GetLastError.KERNEL32(?,00542B84,00000000,00000001,00000000,00000000,?,00539E3B,00000000,00000000,00000000,00000000,00000000,?,0053A3C2,?), ref: 0054436C

Part of subcall function 00544332: CloseHandle.KERNEL32(FFFFFFFE,0054437C,?,00542B84,00000000,00000001,00000000,00000000,?,00539E3B,00000000,00000000,00000000,00000000,00000000), ref: 00544342

___initconout.LIBCMT ref: 0054437C

Part of subcall function 005442F4: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00544323,00542B71,00000000,?,00539E3B,00000000,00000000,00000000,00000000), ref: 00544307

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00542B84,00000000,00000001,00000000,00000000,?,00539E3B,00000000,00000000,00000000,00000000), ref: 00544391

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 736014c420e65740ba72912d653ceb245cb690194b62f518968c951b29b4b270
Instruction ID: d21b3f11222e55576800af8fb055754e5ff4d474c05e5fc837a03867635b68b4
Opcode Fuzzy Hash: 736014c420e65740ba72912d653ceb245cb690194b62f518968c951b29b4b270
Instruction Fuzzy Hash: 91F01C3A040215FBCF226FD5EC08ADD3F66FF597A8B045414FA1886130DA328861FF91

Function 0053ECB6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0053663B: RtlFreeHeap.NTDLL(00000000,00000000,?,0053E6B3,?,00000000,?,?,0053E954,?,00000007,?,?,0053EE4D,?,?), ref: 00536651
Part of subcall function 0053663B: GetLastError.KERNEL32(?,?,0053E6B3,?,00000000,?,?,0053E954,?,00000007,?,?,0053EE4D,?,?), ref: 0053665C

___free_lconv_mon.LIBCMT ref: 0053ECFA

Strings

8ln, xrefs: 0053EDA2
dkn, xrefs: 0053ECCC

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ErrorFreeHeapLast___free_lconv_mon
String ID: 8ln$dkn
API String ID: 4068849827-324638688
Opcode ID: 1ef4d4644bce16ac8d2b49dd27dc6988d5608955552f8cdbe3fc1248059450d5
Instruction ID: 05eddf4d93d163511aeddbe855243ed3063c1defe47917b9ebb6c9bc4bc2b60d
Opcode Fuzzy Hash: 1ef4d4644bce16ac8d2b49dd27dc6988d5608955552f8cdbe3fc1248059450d5
Instruction Fuzzy Hash: 7C312A71600602AFEB21AAB9D94BB5A7BE9BF90390F248C1DF055D71E1DB31AC408B24

Function 0052D1D7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0052D1FC

Strings

MOC, xrefs: 0052D20E
RCC, xrefs: 0052D216

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: c255f4c417332b660d2c455e70e70417b464dbe3727a2c486b3033939c8daaba
Instruction ID: 76e22d7376d4da2cb62daf7633bc89094c61108412911cd7075656794b2237b7
Opcode Fuzzy Hash: c255f4c417332b660d2c455e70e70417b464dbe3727a2c486b3033939c8daaba
Instruction Fuzzy Hash: 92416875900129EFCF16CF98E881AAEBFB5FF4A304F188059F904A6291D335E950DB61

Function 00526F4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00526FD2
RaiseException.KERNEL32(?,?,?,?,00000000,00000000), ref: 00526FF7

Part of subcall function 0052A530: RaiseException.KERNEL32(E06D7363,00000001,00000003,00529EDD,?,?,?,?,00529EDD,?,0055273C), ref: 0052A590

Part of subcall function 0052E14B: IsProcessorFeaturePresent.KERNEL32(00000017,0052DED2,?,0052DE41,00000001,00000016,0052E050,?,?,?,?,?,00000000), ref: 0052E167

Strings

csm, xrefs: 00526F86

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: df49bb7044719f9c68af482a9ba01aece48cf95a967145db78b401f4b9432197
Instruction ID: 2242e02b10b27c49a451a0bf55d43d171d5ce04c1dc2323e485c8525c5c22539
Opcode Fuzzy Hash: df49bb7044719f9c68af482a9ba01aece48cf95a967145db78b401f4b9432197
Instruction Fuzzy Hash: CA216035D002289BCF25DF94F949AAEBFB9BF86710F540019E405AB294D770ED49CB81

Function 00527613 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0052761F
std::_Lockit::~_Lockit.LIBCPMT ref: 0052767B

Strings

-lR, xrefs: 00527646, 00527660

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: -lR
API String ID: 593203224-2214140114
Opcode ID: 7965115942a42729fdb604570a41448da5dd0c9ee8fd3cf72c96703c76aa80bc
Instruction ID: e11c6746dac82e18e902329388e7f5b42251100d24aedc2150ee00867c351553
Opcode Fuzzy Hash: 7965115942a42729fdb604570a41448da5dd0c9ee8fd3cf72c96703c76aa80bc
Instruction Fuzzy Hash: D8019E35600A29EFCB04DB18D889EAD7BB8FF86754B140099E4019B3A1DF70FE45CB60

Function 00525280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 005252E6
std::_Throw_Cpp_error.LIBCPMT ref: 005252F1

Part of subcall function 00527054: ReleaseSRWLockExclusive.KERNEL32(005254A2,?,005254AA,00000000,?,?,?,00000006,?,?,?), ref: 00527068

Strings

vn, xrefs: 00525300

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID: vn
API String ID: 3666349979-342035933
Opcode ID: 81100ccba26ae77ad6c8fae295a8ad6332583df0cb044b36fcbe9c483d048960
Instruction ID: 2ed25a423af52313c2cb15b95c7ab1bd193f1f7547b8c2b19e141f0d8c9f8d57
Opcode Fuzzy Hash: 81100ccba26ae77ad6c8fae295a8ad6332583df0cb044b36fcbe9c483d048960
Instruction Fuzzy Hash: 9C01F935504652AFD710DB28E80974BBFD5BFAA310F10481DF558871D1E770E859CF52

Function 005223C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005223C5
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0052240A

Part of subcall function 00527684: _Yarn.LIBCPMT ref: 005276A3
Part of subcall function 00527684: _Yarn.LIBCPMT ref: 005276C7

Strings

bad locale name, xrefs: 00522418

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: e33e907576e6f44c41c0aa01bcb90349f41e9433f4218010a05e81ef78cdf540
Instruction ID: a8ef3a3762a6da384073fe934b1e9c9483a9d9ac7803fd1a45fb99e831846ff9
Opcode Fuzzy Hash: e33e907576e6f44c41c0aa01bcb90349f41e9433f4218010a05e81ef78cdf540
Instruction Fuzzy Hash: BAF0F470505B918ED370DF399808747BEE0BF2A714F048E1DE58AC7A82E375E5088BA6

Function 0052948F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00529057,?,00000000,00000000,?,00529016,?,?,?,?,005270FC,?,?), ref: 005294C7
GetSystemTimeAsFileTime.KERNEL32(?,BDD10849,?,?,00545E5C,000000FF,?,00529057,?,00000000,00000000,?,00529016,?,?), ref: 005294CB

Strings

-lR, xrefs: 005294C1

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: -lR
API String ID: 743729956-2214140114
Opcode ID: af1d684d51938dccf513381899501350259db7a9b9cddc45d4398e274a0ef06e
Instruction ID: d373883f8fbf939dead0c01b56d94d5a93ffdd8c9a3d64b1610f1e4e3d974055
Opcode Fuzzy Hash: af1d684d51938dccf513381899501350259db7a9b9cddc45d4398e274a0ef06e
Instruction Fuzzy Hash: 8CF06536904A68EFCB019F54DC45B9DBBA9FB49B14F00452AE81697790DB356904CBD0

Function 00537176 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 005371B6

Strings

InitializeCriticalSectionEx, xrefs: 00537186
-lR, xrefs: 005371A6

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: -lR$InitializeCriticalSectionEx
API String ID: 2593887523-3079937702
Opcode ID: 599694b193830ec2c72ab51ce988dbcc447b7715b068312d9b9100da74156afe
Instruction ID: 93dd35c1b72892ff05ca2473f19186c95629469bf46f439467d85859198d1468
Opcode Fuzzy Hash: 599694b193830ec2c72ab51ce988dbcc447b7715b068312d9b9100da74156afe
Instruction Fuzzy Hash: FAE0DF3A68421CB7CB212F91DC0AEDE7F15FB84B64F008412FD0825161DBB28820EBE0

Function 00536FFC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00537030

Strings

FlsAlloc, xrefs: 0053700C
-lR, xrefs: 00537026

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: Alloc
String ID: -lR$FlsAlloc
API String ID: 2773662609-2287682372
Opcode ID: 5c8674cfd7fba78cf4f665d60c23cb245891f4629874499a82a08fa06837f7eb
Instruction ID: 55a6c60e7818849f9f7266b6effbb179c27ab9004737b30535bca3626b1bc2e8
Opcode Fuzzy Hash: 5c8674cfd7fba78cf4f665d60c23cb245891f4629874499a82a08fa06837f7eb
Instruction Fuzzy Hash: 1BE0C239AC122C73863436D19D0EEEE7F04FB94BBAF044021FF08211408DE10804A6E6

Function 0052106D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00521074

Strings

<in, xrefs: 00521079
hn, xrefs: 0052107E

Memory Dump Source

Source File: 00000000.00000002.1446193832.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1446176514.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446218826.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446354737.00000000006EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_rise2406.jbxd

Similarity

API ID: H_prolog3
String ID: <in$hn
API String ID: 431132790-2199986705
Opcode ID: a1c50f119cdb051e5e8b4379206db1fedbde429cc292ea6239e686a17fe2477a
Instruction ID: 7f7edbcc17f00b7b1eb32c7115bbbfa83c53499502f7fa85583eed4f1d04ad7e
Opcode Fuzzy Hash: a1c50f119cdb051e5e8b4379206db1fedbde429cc292ea6239e686a17fe2477a
Instruction Fuzzy Hash: 97E09270D8135ADBC700AF91CD0E39D3DA1FF42344F904114B020663C2D7B60A049761

Analysis Process: RegAsm.exePID: 2516, Parent PID: 3180COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.1%
Total number of Nodes:	771
Total number of Limit Nodes:	15

Executed Functions

Function 004E4BD0 Relevance: 12.7, APIs: 8, Instructions: 714
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004E71E0: GetCurrentProcess.KERNEL32(?), ref: 004E71EF
Part of subcall function 004E71E0: IsWow64Process.KERNEL32(00000000), ref: 004E71F6

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,-005A5B4A,00000000,?,?,00000000,-00585B31), ref: 004E4DF5
RegQueryValueExA.KERNELBASE(00000000,?,00000000,00020019,?,00000400), ref: 004E4EB2
RegCloseKey.ADVAPI32(00000000), ref: 004E4EE1
GetCurrentHwProfileA.ADVAPI32(?), ref: 004E4FCE
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 004E562F
MultiByteToWideChar.KERNEL32(0000000F,00000000,?,000000FF,00000000,0000000F), ref: 004E5664
WideCharToMultiByte.KERNEL32(000004E3,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 004E568B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000), ref: 004E56B9

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$CurrentProcess$CloseOpenProfileQueryValueWow64
String ID:
API String ID: 1646947450-0
Opcode ID: ae4292a958d13f34842306830b16d1fa5ccb16088a57fb5a98bfde5e58442c07
Instruction ID: c0aba00e6514ac26363e67ac76cfd5322cd72c6070033efa120dba6d155bc681
Opcode Fuzzy Hash: ae4292a958d13f34842306830b16d1fa5ccb16088a57fb5a98bfde5e58442c07
Instruction Fuzzy Hash: 4E7255B0C042599BDB24CFA9C985BEEBBB1BF08304F204199E449B7291DB745B84CFA5

Function 0045DB00 Relevance: 7.7, APIs: 5, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32(?), ref: 0045DB13
GetCursorPos.USER32(?), ref: 0045DB19
Sleep.KERNELBASE(000003E9), ref: 0045DBC8
GetCursorPos.USER32(?), ref: 0045DBCE
Sleep.KERNELBASE(00000001), ref: 0045DC7A

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Cursor$Sleep
String ID:
API String ID: 1847515627-0
Opcode ID: 64e1b3b3cfd2bc4f7f18a9e387635337b0495f42438516b07fc99cf1f27a474a
Instruction ID: ab3f96cd0466869246e3b632190b9ed1b666d42f9e689fec286df2e29c35159e
Opcode Fuzzy Hash: 64e1b3b3cfd2bc4f7f18a9e387635337b0495f42438516b07fc99cf1f27a474a
Instruction Fuzzy Hash: E651BB35A04215CFCB25CF58C4D0EAAB7B2EF89705B2A809AD945AF352D735FD49CB80

Function 00409280 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,0054D15C,00000000,75CA23A0,-00589880), ref: 004096A6
GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0054D15C,00000000,75CA23A0,-00589880), ref: 004096C9

Strings

Ws2_32.dll, xrefs: 0040969A

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AddressHandleModuleProcSend
String ID: Ws2_32.dll
API String ID: 2819740048-3093949381
Opcode ID: d946741ea927b9b060335f299eec8efad25939578b4ebaaa967d5c79e73c84d4
Instruction ID: 188670ed5cfc709ed037a390f66f33add7af100e18449b0941b00ad524943a05
Opcode Fuzzy Hash: d946741ea927b9b060335f299eec8efad25939578b4ebaaa967d5c79e73c84d4
Instruction Fuzzy Hash: 7C02CE70D04298DEDF25CFA4C8907ADBBB0EF59304F24429EE4456B2C6D7781D86CB96

Function 004C7B00 Relevance: 18.3, APIs: 12, Instructions: 279
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000334,0000FFFF,00001006,?,00000008), ref: 004C7BA6
recv.WS2_32(?,00000004,00000002), ref: 004C7BC1
WSAGetLastError.WS2_32 ref: 004C7BC5
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004C7C43
recv.WS2_32(00000000,0000000C,00000008), ref: 004C7C64
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004C7D00
recv.WS2_32(00000000,?,00000008), ref: 004C7D1B

Part of subcall function 004C8590: WSAStartup.WS2_32 ref: 004C85BA
Part of subcall function 004C8590: getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
Part of subcall function 004C8590: socket.WS2_32(?,?,?), ref: 004C865D
Part of subcall function 004C8590: connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
Part of subcall function 004C8590: closesocket.WS2_32(00000000), ref: 004C867D
Part of subcall function 004C8590: freeaddrinfo.WS2_32(?,?,?,?,00589328,?,?), ref: 004C868A
Part of subcall function 004C8590: WSACleanup.WS2_32 ref: 004C8690

recv.WS2_32(?,00000004,00000008), ref: 004C7E23
__Xtime_get_ticks.LIBCPMT ref: 004C7E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C7E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004C7EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004C7EB9

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: recv$Sleepsetsockopt$CleanupErrorLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectfreeaddrinfogetaddrinfosocket
String ID:
API String ID: 4125349891-0
Opcode ID: ec38b987ed86a79d9045c84e3f8f5dfa89c2ee10f11fa2c7c1563f7a863ad202
Instruction ID: b3d54dcccad81d83ab75f13ba9899d4b50e1d8608cabcccfb3508871926cac68
Opcode Fuzzy Hash: ec38b987ed86a79d9045c84e3f8f5dfa89c2ee10f11fa2c7c1563f7a863ad202
Instruction Fuzzy Hash: 9EB1AC71D043089BEB10DBA8CC49BAEBBB1BB54314F24025EE815BB2D2D7785D88DF95

Function 00442CD3 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0044298C: CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 004429A9

GetLastError.KERNEL32 ref: 00442DE7
__dosmaperr.LIBCMT ref: 00442DEE
GetFileType.KERNELBASE(00000000), ref: 00442DFA
GetLastError.KERNEL32 ref: 00442E04
__dosmaperr.LIBCMT ref: 00442E0D
CloseHandle.KERNEL32(00000000), ref: 00442E2D
CloseHandle.KERNEL32(?), ref: 00442F7A
GetLastError.KERNEL32 ref: 00442FAC
__dosmaperr.LIBCMT ref: 00442FB3

Strings

H, xrefs: 00442F38

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 899e8745e59b9231842c25977fdcfb02482e73fc2f27b2205138a63271f33108
Instruction ID: 5150a9c177428a163fa7fb1c8ad58043a10a64c5935946436f9da82f6cbe0861
Opcode Fuzzy Hash: 899e8745e59b9231842c25977fdcfb02482e73fc2f27b2205138a63271f33108
Instruction Fuzzy Hash: 4EA15832A101149FEF19AF68DC917AE3BB1AB06314F58014EF801EF3A1CB799C56DB59

Function 00448910 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 292
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00448B91, 00448B94

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: ad97f608cc39225161418e158f426655df091140c642edc2e343545997d5bee3
Instruction ID: d4d7462daa34083545f9d93f0c5ebf53bf58a01a885379ada905c47cec286c1a
Opcode Fuzzy Hash: ad97f608cc39225161418e158f426655df091140c642edc2e343545997d5bee3
Instruction Fuzzy Hash: E2B1F4B0A00245AFFB11DF99C881BAE7BB1FF55304F14015EE414AB392CB78AD81CB69

Function 004C8590 Relevance: 12.1, APIs: 8, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 004C85BA
getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
socket.WS2_32(?,?,?), ref: 004C865D
connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
closesocket.WS2_32(00000000), ref: 004C867D
freeaddrinfo.WS2_32(?,?,?,?,00589328,?,?), ref: 004C868A
WSACleanup.WS2_32 ref: 004C8690
freeaddrinfo.WS2_32(?,?,?,?,00589328,?,?), ref: 004C86A5

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: freeaddrinfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 58224237-0
Opcode ID: 52d29ec15fbf37ccd53ab56e21f2e3f1d11727fcf2b6a4206c2cbc59116a4c78
Instruction ID: ffa07009e3086412046aa5b15573dbd5c691e56a3beb11943292ef2f0f62f1de
Opcode Fuzzy Hash: 52d29ec15fbf37ccd53ab56e21f2e3f1d11727fcf2b6a4206c2cbc59116a4c78
Instruction Fuzzy Hash: 9531C1726043009BD7208F25DC48B2BB7E5FB94729F114B1EF9A4922E0D7759C089AA7

Function 004E6CA0 Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?,?,00000006,00000005,00000005,?), ref: 004E6CFC
GetLastError.KERNEL32(?,?,00000006,00000005,00000005,?), ref: 004E6D07
std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
String ID:
API String ID: 995686243-0
Opcode ID: 3120929ec45ee0086a62fe527d0d8f49284849e7ce8a43a234ec1e7741655826
Instruction ID: 241e2f942859b358e1133ab4bf22632851a161ac9c5554c12c2f2fb0b7350d8e
Opcode Fuzzy Hash: 3120929ec45ee0086a62fe527d0d8f49284849e7ce8a43a234ec1e7741655826
Instruction Fuzzy Hash: DF11CE71A0028496DB205F6A5C08F6A7F60EB22772F64031BD8359B3D4DB3948058759

Function 004E57F0 Relevance: 3.4, APIs: 2, Instructions: 350
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 004E588F
GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004E5B9B

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: DirectoryInformationVolumeWindows
String ID:
API String ID: 3487004747-0
Opcode ID: fc5381cf05f833142fa4c84e4c587fec84fffd8f0e7b5473644403141e6b9742
Instruction ID: 009fea26e280c08ebde66711631a2368a09a7ac58c7b38572a32fddf838a6e16
Opcode Fuzzy Hash: fc5381cf05f833142fa4c84e4c587fec84fffd8f0e7b5473644403141e6b9742
Instruction Fuzzy Hash: 81F157B0D002499BDB14CFA8C9957EEBBB1FF08304F24425EE545BB381DB756A84CBA5

Function 00448DFF Relevance: 3.1, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E55
GetLastError.KERNEL32(?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E5F

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 1fe827fdfe079599b9b1dab25e2b646f0beb01ea40d46a72429d261cc15a62e7
Instruction ID: bfed174018f4c3fae0b74bea86efe9ace0911028d3bee9629bfc5162a0057b67
Opcode Fuzzy Hash: 1fe827fdfe079599b9b1dab25e2b646f0beb01ea40d46a72429d261cc15a62e7
Instruction Fuzzy Hash: 6E1125336042102AF6252236A84677F67499B82738F39061FF918CB2D2DF689C81825D

Function 0044251C Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00579E30,00432B5E,00000002,00432B5E,00000000,?,?,?,00442626,00000000,?,00432B5E,00000002,00579E30), ref: 00442558
GetLastError.KERNEL32(00432B5E,?,?,?,00442626,00000000,?,00432B5E,00000002,00579E30,00000000,00432B5E,00000000,00579E30,0000000C,0043D61E), ref: 00442565

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 0df1753fdbe4f7a704092f8361e7cfb0c7cc0fcadc70f8748e4d2d33b1623b65
Instruction ID: bcffdd1dd92d970d4fbe8e398a8ab980657c5c2bf717c74f1f656664416c076e
Opcode Fuzzy Hash: 0df1753fdbe4f7a704092f8361e7cfb0c7cc0fcadc70f8748e4d2d33b1623b65
Instruction Fuzzy Hash: 9B012632610615BFDF158F69DC1699E3B29EB84334F240209F8019B2E1E6B5ED429BA4

Function 004C77F0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000065), ref: 004C7867

Strings

168, xrefs: 004C782E

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Sleep
String ID: 168
API String ID: 3472027048-2079752030
Opcode ID: fa5cc8b1cfc8c31c07ce7df3b4dee737137f6f3af81e37c80995ee834774c82f
Instruction ID: 1f7e8826813b3d2380bd617aa3bbe7adeb215e0cc6f29ab4b1c79d6fe0be74c1
Opcode Fuzzy Hash: fa5cc8b1cfc8c31c07ce7df3b4dee737137f6f3af81e37c80995ee834774c82f
Instruction Fuzzy Hash: 7601F731E08284AFE721AB599C0AB6B7BE5E741B24F08028EF951273D1CBB91804C7D2

Function 00438E02 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f659cc8a9a49272dc5a8b65b091f37dbf03ca88fa3bd65ce108d20efe530995
Instruction ID: 9663080612542d3e5f9b84a36c3ecf1ef98ea00319430370267f097460dfd66c
Opcode Fuzzy Hash: 9f659cc8a9a49272dc5a8b65b091f37dbf03ca88fa3bd65ce108d20efe530995
Instruction Fuzzy Hash: 2651C670A00204AFDF14DF59C881AAABBA2EF8D328F24915EF8089B352D775DD41CB55

Function 004E7330 Relevance: 1.6, APIs: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 004E7483

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 95c2e167186eeb3e7dc9ada3aaf4bef30febac36b32543f012d33ef2061f0272
Instruction ID: 0e53ea78c72a938f7fb02060282791f61ff368934c38134d11baa5cff418869a
Opcode Fuzzy Hash: 95c2e167186eeb3e7dc9ada3aaf4bef30febac36b32543f012d33ef2061f0272
Instruction Fuzzy Hash: BE5159B0D00248DBCB14DF99C981AEEBBB4EF48714F24416DE8047B381D7799E41CBA5

Function 0044AC7F Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 0044ACB9

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8ff9ba0f0c894046871fc86ec0e9a1d79c4c84a1d92275a4dcbeaa53a6bd2b85
Instruction ID: f3143862af3a299983658f939e96efeb3759b05c7c18c303aa6d1d81ce31e1ed
Opcode Fuzzy Hash: 8ff9ba0f0c894046871fc86ec0e9a1d79c4c84a1d92275a4dcbeaa53a6bd2b85
Instruction Fuzzy Hash: 92112A71A0420AAFDF05DF58E94199F7BF5EF48304F04405AF809EB351D670DA25CB69

Function 004E5D00 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

SetupDiGetClassDevsA.SETUPAPI(0055D560,00000000,00000000), ref: 004E5D47

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ClassDevsSetup
String ID:
API String ID: 2330331845-0
Opcode ID: 3d8916a0f3a5560b99d21513aef90176b581373bb7b6b0032725707bac5390a9
Instruction ID: 3af1858aaf6aa964ebdd9f4359c5c99147492c850a3065a18f0c0dee6211d041
Opcode Fuzzy Hash: 3d8916a0f3a5560b99d21513aef90176b581373bb7b6b0032725707bac5390a9
Instruction Fuzzy Hash: A0110EB1D04B449BE3208F28DD0A757BBF0EB00B28F10471EE850573C1E3BA6A4887E2

Function 004032D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0040331F

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: ac639495c118a2832fc09027b5ebf4fad0cef292c7be368858978faeea3118d5
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: 63F024321001009BCB246F61D4565EAB7ECDF28366B50083FFC8DD7292EB3EDA408788

Function 0044B094 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00434B3F,?,?,75CA23A0,?,?,00403522,?,?), ref: 0044B0C6

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c639ae0624eff34eb8e57d07392fb4ffc7a0b3e65f726cef66c68c9318aea675
Instruction ID: 07eaf642519ac51a5bd3283dd2addbb445c80e248ae9cef49388ffb333b33e8c
Opcode Fuzzy Hash: c639ae0624eff34eb8e57d07392fb4ffc7a0b3e65f726cef66c68c9318aea675
Instruction Fuzzy Hash: 99E022322006206BFF313AA69C14B5B764CEF413A3F190227EC25A62D1DB3CCC0092EE

Function 0044298C Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 004429A9

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9c728ddfee9c54fb3e95c04c245e6250a3a2534adf7d99ecf6cfd652071d74be
Instruction ID: d272b26d39d4c1a932e1863db2ccc44a4dabdf9078851b65b676bd57bd2e36c0
Opcode Fuzzy Hash: 9c728ddfee9c54fb3e95c04c245e6250a3a2534adf7d99ecf6cfd652071d74be
Instruction Fuzzy Hash: 7DD06C3200020DBBDF128F84DC06EDA3BAAFB48754F014000BA1856120C736E861EB90

Non-executed Functions

Function 004DFF00 Relevance: 98.4, APIs: 50, Strings: 4, Instructions: 3939registrytimefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004E0556
FindNextFileA.KERNEL32(00000000,?), ref: 004E056C
FindClose.KERNEL32(00000000), ref: 004E057C
GetLastError.KERNEL32 ref: 004E0582
GetLastError.KERNEL32 ref: 004E05A0

Part of subcall function 004E71E0: GetCurrentProcess.KERNEL32(?), ref: 004E71EF
Part of subcall function 004E71E0: IsWow64Process.KERNEL32(00000000), ref: 004E71F6

Part of subcall function 0044196B: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00441980
Part of subcall function 0044196B: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044199F

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,?,00000000,?,?), ref: 004E0D31
RegQueryValueExA.ADVAPI32(00000000,?,00000000,00020019,?,00000400), ref: 004E0DFD
RegCloseKey.ADVAPI32(00000000), ref: 004E0E32
GetCurrentHwProfileA.ADVAPI32(?), ref: 004E0FCA
GetModuleHandleExA.KERNEL32(00000004,Function_000E5FC0,00000000), ref: 004E14CB
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004E14E3
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,?,?), ref: 004E1E96
RegQueryValueExA.ADVAPI32(?,?,00000000,00020019,?,?), ref: 004E1F62
RegCloseKey.ADVAPI32(?), ref: 004E21E1
GetComputerNameA.KERNEL32(?,00000104), ref: 004E2215
GetUserNameA.ADVAPI32(?,00000104), ref: 004E23B3
GetDesktopWindow.USER32 ref: 004E2456
GetWindowRect.USER32(00000000,?), ref: 004E2464
GetUserDefaultLocaleName.KERNEL32(?,00000200), ref: 004E25CF
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 004E2A95
LocalAlloc.KERNEL32(00000040), ref: 004E2AA7
GetKeyboardLayoutList.USER32(?,00000000), ref: 004E2AC2
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 004E2AED
LocalFree.KERNEL32(?), ref: 004E2CB0
GetLocalTime.KERNEL32(?), ref: 004E2CC7
GetSystemTime.KERNEL32(?), ref: 004E2EDD
GetTimeZoneInformation.KERNEL32(?), ref: 004E2F00
TzSpecificLocalTimeToSystemTime.KERNEL32(?,?,?), ref: 004E2F25
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,00000000), ref: 004E333F
RegQueryValueExA.ADVAPI32(00000000,?,00000000,00020019,?,00000400), ref: 004E3491
RegCloseKey.ADVAPI32(00000000), ref: 004E3542
GetSystemInfo.KERNEL32(?), ref: 004E356A
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 004E361D
EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004E3731
EnumDisplayDevicesA.USER32(00000000,00000001,?,00000001), ref: 004E3B14
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004E3C53
Process32First.KERNEL32(00000000,00000128), ref: 004E3C6B
Process32Next.KERNEL32(00000000,00000128), ref: 004E3C81
Process32Next.KERNEL32(00000000,?), ref: 004E3D53
CloseHandle.KERNEL32(00000000), ref: 004E3D62
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 004E40D6
RegEnumKeyExA.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004E410D
wsprintfA.USER32 ref: 004E41F0
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 004E4213
RegQueryValueExA.ADVAPI32(?,?,00000000,000F003F,?,00000400), ref: 004E4312
RegQueryValueExA.ADVAPI32(?,?,00000000,000F003F,?,00000400), ref: 004E4409
RegCloseKey.ADVAPI32(?), ref: 004E44E5
RegCloseKey.ADVAPI32(00000000), ref: 004E4500

Strings

2.0, xrefs: 004E09C7, 004E0A58
;Yb., xrefs: 004E402D
3"A, xrefs: 004DFFC6, 004E0690, 004E0174, 004E0179, 004E0183
default24_2, xrefs: 004E0924, 004E09AE

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CloseTime$FileOpenQueryValue$LocalNameSystem$EnumFindNextProcess32$CreateCurrentDevicesDisplayErrorFirstHandleInfoKeyboardLastLayoutListLocaleModuleProcessUserWindow$AllocComputerCopyDefaultDesktopDirectoryFreeGlobalInformationMemoryProfileRectSnapshotSpecificStatusToolhelp32Unothrow_t@std@@@Wow64Zone__ehfuncinfo$??2@wsprintf
String ID: 2.0$3"A$;Yb.$default24_2
API String ID: 3185416054-1980780263
Opcode ID: d0af5a0cb8ecae2268df48b861a61db0f84c987e998769c91adf604f708e9bf9
Instruction ID: 762722eee12899a3fad9018c2ab51fc1fd94b4ba954c9d0aaa9e31c72487c533
Opcode Fuzzy Hash: d0af5a0cb8ecae2268df48b861a61db0f84c987e998769c91adf604f708e9bf9
Instruction Fuzzy Hash: BFB3EFB4D0426D8BDB25CF99C981AEEBBB1FF48300F1041AAD949B7351DB345A81CFA5

Function 004E6770 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 350COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
CreateDirectoryA.KERNEL32(?,00000000,00000005,?), ref: 004E6C55
std::_Throw_Cpp_error.LIBCPMT ref: 004E6C84
std::_Throw_Cpp_error.LIBCPMT ref: 004E6C95

Strings

\*.*, xrefs: 004E6834

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CreateDirectory
String ID: \*.*
API String ID: 2715195259-1173974218
Opcode ID: ecc08acd5409bd2d2f2bd3c22b3b6aa0d6264b67c78a209e8d4e4319e9b1ebb3
Instruction ID: b2be1bc9108cd25bcd87be18baf4e69fd7455a47ff8891d9a14199d40660ba90
Opcode Fuzzy Hash: ecc08acd5409bd2d2f2bd3c22b3b6aa0d6264b67c78a209e8d4e4319e9b1ebb3
Instruction Fuzzy Hash: 7AE10470C00388DFDB10DFA9C9487EEBBB0FF25315F20425AE454AB292D7746A49DB65

Function 004CF280 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 240injectionmemorysynchronizationCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040,?,00000000), ref: 004CF2F1
WriteProcessMemory.KERNEL32(00000000,00000000,004C81DD,?,00000000), ref: 004CF30D
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004CF342
VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004CF36B
WriteProcessMemory.KERNEL32(?,00000000,?,00000218,00000000,?,?,?,00589328), ref: 004CF50F
WriteProcessMemory.KERNEL32(?,00000218,004CF5E0,-00000010,00000000,?,?,?,00589328), ref: 004CF531
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000218,00000000,00000000,00000000), ref: 004CF544
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,00589328), ref: 004CF54D

Strings

%s|%s, xrefs: 004CF4EF
168, xrefs: 004CF4D3, 004CF4E3

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
String ID: %s|%s$168
API String ID: 2137838514-1703702481
Opcode ID: b88fb1ed2ebfd2a655c4879da0ce9de7ec8f2c0603ef1b71525654192dd42d6d
Instruction ID: 2ab717f03d3c912496b66fb944616d360f792c6fe5d042a247d22025e7d5b78f
Opcode Fuzzy Hash: b88fb1ed2ebfd2a655c4879da0ce9de7ec8f2c0603ef1b71525654192dd42d6d
Instruction Fuzzy Hash: 36B16BB1D002089FDB14CFA4CC95BAEBBB5FF18300F10426DE905BB291D774A984DBA5

Function 004EE170 Relevance: 15.6, APIs: 10, Instructions: 557libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 004EE20C
GetProcAddress.KERNEL32(00000000,?), ref: 004EE300
GetProcAddress.KERNEL32(00000000,?), ref: 004EE3F4
GetProcAddress.KERNEL32(00000000,?), ref: 004EE4E8
GetProcAddress.KERNEL32(00000000,?), ref: 004EE5DC
GetProcAddress.KERNEL32(00000000,?), ref: 004EE65C
GetProcAddress.KERNEL32(00000000,?), ref: 004EE750
GetProcAddress.KERNEL32(00000000,?), ref: 004EE844
GetProcAddress.KERNEL32(00000000,?), ref: 004EE938
GetProcAddress.KERNEL32(00000000,?), ref: 004EEA2C

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: fba17449efcc4fd35a5932faffef4f0bd4510b269c308ba7fc037d24948359eb
Instruction ID: d080ee8d53740b572b5d589773f2606012d6cd0ef2a87b1da31b43526306bc13
Opcode Fuzzy Hash: fba17449efcc4fd35a5932faffef4f0bd4510b269c308ba7fc037d24948359eb
Instruction Fuzzy Hash: 336233B8D0525CEB8B04CFA8D5819DDFBB1BF58310F24919AE855BB351E7306A82EF44

Function 00432022 Relevance: 15.2, APIs: 10, Instructions: 200fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 004320BA
GetLastError.KERNEL32(?,00000000,00000000), ref: 004320C4
FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 004320DB
GetLastError.KERNEL32(?,00000000,00000000), ref: 004320E6
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 004320F2
___std_fs_open_handle@16.LIBCPMT ref: 004321AB

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_open_handle@16
String ID:
API String ID: 2340820627-0
Opcode ID: 399e9fa649e6a34084e5cc74f8c51f104b45a1f2b4104aba3408bb700d2d57cc
Instruction ID: 7e0e21ba57e1066c6160095fdf5a0f96b949db91fc8e8bea8e80148e62c7c079
Opcode Fuzzy Hash: 399e9fa649e6a34084e5cc74f8c51f104b45a1f2b4104aba3408bb700d2d57cc
Instruction Fuzzy Hash: D971D275A007199FCB24CF28CE84BABB3B8BF09310F145296E954E3390D7B49E85CB95

Function 00409C90 Relevance: 13.9, APIs: 9, Instructions: 356libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00409D32
GetProcAddress.KERNEL32(?), ref: 00409E3D
GetProcAddress.KERNEL32(?), ref: 00409F36
GetProcAddress.KERNEL32(?), ref: 00409FBB
GetProcAddress.KERNEL32(?), ref: 0040A055
GetProcAddress.KERNEL32(?), ref: 0040A0EF
GetProcAddress.KERNEL32(?), ref: 0040A189
GetProcAddress.KERNEL32(?), ref: 0040A223
FreeLibrary.KERNEL32 ref: 0040A27B

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID:
API String ID: 2449869053-0
Opcode ID: 52f01a4dfbcb3f59218750f5f3945a65c16e243dd72f162a9732142b51316fa4
Instruction ID: 056e7afbc769c29073d59368404efc94fb89f274a412975777f329f96bf9ec8f
Opcode Fuzzy Hash: 52f01a4dfbcb3f59218750f5f3945a65c16e243dd72f162a9732142b51316fa4
Instruction Fuzzy Hash: 372286B8D05218EBCB15CF98D981AEDBBB1FF58310F2081AAD849B7350D7345A85EF45

Function 004534CF Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 004535D7
IsValidCodePage.KERNEL32(00000000), ref: 00453615
IsValidLocale.KERNEL32(?,00000001), ref: 00453628
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00453670
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0045368B

Strings

*V, xrefs: 00453534

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: *V
API String ID: 415426439-2897881622
Opcode ID: bb3ee8500ca9cacc625c50b97d6e48ff5c53ad3e39c4a6c01d9da358df15b7ae
Instruction ID: 4a54d826d8e8e5dc964d84ffa3ac1e49b68ae0fe58eca9cd8e7cd24ca5604c7d
Opcode Fuzzy Hash: bb3ee8500ca9cacc625c50b97d6e48ff5c53ad3e39c4a6c01d9da358df15b7ae
Instruction Fuzzy Hash: 4E517471A00209AFDB20DFA5CC41ABF77B8AF05743F14446AED01E7252EB74DA48DB65

Function 00545050 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00545061
GetVersionExA.KERNEL32(?), ref: 00545085
FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 005450B7
LocalFree.KERNEL32(?), ref: 005450CE
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00545106

Part of subcall function 00545B50: AreFileApisANSI.KERNEL32(00000000,00000000,?,?,?,005448A5), ref: 00545B5C
Part of subcall function 00545B50: MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,?,?,?,005448A5), ref: 00545B71
Part of subcall function 00545B50: MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00545B97

Strings

OsError 0x%x (%u), xrefs: 00545121

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharFormatMessageMultiWide$ApisErrorFileFreeLastLocalVersion
String ID: OsError 0x%x (%u)
API String ID: 807219750-2664311388
Opcode ID: 0d4010ca04ec75710d5123f11d165840ae7251f1f65bebee6710aad968807722
Instruction ID: 40d3e820988b70ea56f320253a2c5dfb69695040fa1f8efb038979f2cda04def
Opcode Fuzzy Hash: 0d4010ca04ec75710d5123f11d165840ae7251f1f65bebee6710aad968807722
Instruction Fuzzy Hash: 9621A476A00308BBDB20AB719C4AFDE7FB8FB55795F1000A5F909E3291E7709E05D661

Function 00452B5A Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

GetACP.KERNEL32(?,?,?,?,?,?,00447300,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00452C19
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00447300,?,?,?,00000055,?,-00000050,?,?), ref: 00452C50
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00452DB3

Strings

utf8, xrefs: 00452D22
*V, xrefs: 00452B98

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: *V$utf8
API String ID: 607553120-210452255
Opcode ID: 95727e6ef7b94787d777f99e21165c393144e5509e4be2ad3f52f8295ffa9360
Instruction ID: 742b11dcb7ff0b0bfa38c284345f0d68b4d7ce619a9ba0daefdf44cafbbca61f
Opcode Fuzzy Hash: 95727e6ef7b94787d777f99e21165c393144e5509e4be2ad3f52f8295ffa9360
Instruction Fuzzy Hash: F071FA32600602A6D725AF75CD45B6B73A8EF16705F10042FFD05D7283EBF8E94C9699

Function 004532F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00453605,00000002,00000000,?,?,?,00453605,?,00000000), ref: 0045338C
GetLocaleInfoW.KERNEL32(?,20001004,00453605,00000002,00000000,?,?,?,00453605,?,00000000), ref: 004533B5
GetACP.KERNEL32(?,?,00453605,?,00000000), ref: 004533CA

Strings

ACP, xrefs: 00453311
OCP, xrefs: 00453347

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: b900ca414d4c4be95a8c6f041d08249478f894891a183a2f82a4edaf5765dc51
Instruction ID: 0023b8279c9b3e3643c8ce07df61025d6c2b7e12d2ffc4f7461f6cfcb2a1a3ae
Opcode Fuzzy Hash: b900ca414d4c4be95a8c6f041d08249478f894891a183a2f82a4edaf5765dc51
Instruction Fuzzy Hash: 8021C432600100A7DB308F54C900A9BB3A6AF50FD3B568466EC06D7312EF36EF49D358

Function 0043C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: 01dad5c531b3804b6668612822d9feb5b6f7af541a2af8c3bc89036eeee974e8
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: DA023A71E002199BDF14CFA9D9C06AEFBB1FF48314F24926AE919B7380D735A9418B94

Function 0048F070 Relevance: 6.3, APIs: 4, Instructions: 334processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0048F19C
Process32First.KERNEL32(00000000,?), ref: 0048F1C2
Process32Next.KERNEL32(00000000,00000128), ref: 0048F211
CloseHandle.KERNEL32(00000000), ref: 0048F227

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 0d951179c317006dddf831d143819256e2710197f3f27043bc004d2e793115e6
Instruction ID: fbe0c60eb3c239f6b217fe84070aebb3c7b1e9daf40031a0165cf74cf1030098
Opcode Fuzzy Hash: 0d951179c317006dddf831d143819256e2710197f3f27043bc004d2e793115e6
Instruction Fuzzy Hash: ADD1BF71D002098BDB14DFA8C9857EEFBF5EF44304F24456AD805A7381E779AE88CBA5

Function 004938D0 Relevance: 6.2, APIs: 4, Instructions: 207fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,00565EFC,00565EFC,00000002,?,00000001), ref: 0049396F
FindNextFileA.KERNEL32(00000000,00000010), ref: 00493ACF
GetLastError.KERNEL32 ref: 00493ADD
FindClose.KERNEL32(00000000), ref: 00493AED

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Find$File$CloseErrorFirstLastNext
String ID:
API String ID: 819619735-0
Opcode ID: 5c5bfb243b718b9e397d986a5abe0b9450da5460a2542200edb8a3b95439bd0e
Instruction ID: 59bca9142b2f43e85d8f64eb9617364e40f7e337b3faf31c9dfe380ec3e76daa
Opcode Fuzzy Hash: 5c5bfb243b718b9e397d986a5abe0b9450da5460a2542200edb8a3b95439bd0e
Instruction Fuzzy Hash: 817124719002448BCF10CF64C8957FEBFB5AB56305F1442AAE441AB382D77A9F89CB64

Function 00434184 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00434190
IsDebuggerPresent.KERNEL32 ref: 0043425C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00434275
UnhandledExceptionFilter.KERNEL32(?), ref: 0043427F

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5e995d56bca3090024ce11201d33d294d56103379e56bdf134d89c0665374a9e
Instruction ID: cc34265599f2dec34f964c3269ec222ae3e40e25564db7ad72de3f36d20b351d
Opcode Fuzzy Hash: 5e995d56bca3090024ce11201d33d294d56103379e56bdf134d89c0665374a9e
Instruction Fuzzy Hash: BB31F6B5D053189BDB20EFA5D9497CDBBB8AF08304F1041AAE40CAB250EB759A84CF59

Function 005449B0 Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 005449CA
GetCurrentProcessId.KERNEL32 ref: 005449E5
GetTickCount.KERNEL32 ref: 005449FA
QueryPerformanceCounter.KERNEL32(?), ref: 00544A11

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4122616988-0
Opcode ID: 2761748a9af697217c0ec141a17cdb9775b7d53fbeab25e478c1a4390fc4254b
Instruction ID: a8b0bf13f8b3a5775aebc3e00f45f95b893848271c39c3c1d8b2d1e40acf56c4
Opcode Fuzzy Hash: 2761748a9af697217c0ec141a17cdb9775b7d53fbeab25e478c1a4390fc4254b
Instruction Fuzzy Hash: 8A110432A007298BDB118FA9DC885EAFBF9FF49225B404536EC49D7215D631A481CBE0

Function 004580D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 004580E9
GetSystemInfo.KERNEL32(?), ref: 00458104

Strings

D, xrefs: 004580F8

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 53f2c066bf0a3f036097ffc709ce78bf8807582e756120d0ec3c2933d4a49f04
Instruction ID: 15e633f26279e9839b0c5b245ad8314628d4ede9c042647a00b0634ca8b556b4
Opcode Fuzzy Hash: 53f2c066bf0a3f036097ffc709ce78bf8807582e756120d0ec3c2933d4a49f04
Instruction Fuzzy Hash: 7201F7336005096BDB24DE29DC05BDE7BBAAFD4325F0CC125ED59E7291EE38D90A8790

Function 00431D94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,00403E16), ref: 00431DA8
FormatMessageA.KERNEL32(00001300,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00403E16), ref: 00431DCF

Strings

!x-sys-default-locale, xrefs: 00431DA3

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: fcdca3659bb1d2a61432e1cd2d8e2713532a4f3d4bfe03f6844bae0cf60f700d
Instruction ID: 5533b84c20dc3ebd942ff18ae9bc369b32e0f46532b4feac63eb50df4c9c1bd4
Opcode Fuzzy Hash: fcdca3659bb1d2a61432e1cd2d8e2713532a4f3d4bfe03f6844bae0cf60f700d
Instruction Fuzzy Hash: 05F03076210104BFEB189B94DC1ADEB7ABCEB0A395F00411ABA02D6150E2B0AE0097B5

Function 004C6B00 Relevance: 4.7, APIs: 3, Instructions: 204encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004C6B57
LocalFree.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00000000,005599AF,000000FF,?,?,00000005), ref: 004C6B86
LocalFree.KERNEL32(?,?), ref: 004C6C82

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLocal$CryptDataUnprotect
String ID:
API String ID: 2835072361-0
Opcode ID: d7d82cbe380403d495b2fd6a7e2a6d2e7fbb054e7ac70c00a231221df97a0296
Instruction ID: 90b6470924ea9a925c498959a8113d32d71e754cc84c5268c76d6fdb8e080973
Opcode Fuzzy Hash: d7d82cbe380403d495b2fd6a7e2a6d2e7fbb054e7ac70c00a231221df97a0296
Instruction Fuzzy Hash: A271A171C002489BDB00DFA8C945BEEFBB4EF14314F14826EE855B3391EB786A45DBA5

Function 00544A40 Relevance: 3.1, APIs: 2, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00544B20: GetVersionExA.KERNEL32(?), ref: 00544B51
Part of subcall function 00544B20: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00544B76
Part of subcall function 00544B20: GetFullPathNameW.KERNEL32(00000000,00000003,00000000,00000000), ref: 00544B96

Part of subcall function 00545330: GetVersionExA.KERNEL32(?), ref: 00545356

Part of subcall function 00545D90: GetVersionExA.KERNEL32(?), ref: 00545DB4

GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?), ref: 00544AC9
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?), ref: 00544AF6

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Version$DiskFreeFullNamePathSpace
String ID:
API String ID: 4112908208-0
Opcode ID: becd6c03501c24d27a43ccdd940953d2523818c8f4bbaac0c2ad00c18d494839
Instruction ID: f10753ebb869b3640b9ac64d1dc3f7217fc16a68dafdf90303c08a5a8463592c
Opcode Fuzzy Hash: becd6c03501c24d27a43ccdd940953d2523818c8f4bbaac0c2ad00c18d494839
Instruction Fuzzy Hash: 0C21257A980108ABDB21DB699844BFB7BBDFF00308F1400A6E941D7101FB31CE46CBA5

Function 0044D130 Relevance: 1.9, APIs: 1, Instructions: 408timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0044D575,00000000,00000000,00000000), ref: 0044D434

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 86e5d885c4d35228b47254165b32bc93c4fcf0139348273eeba2c017ff9bca0a
Instruction ID: 995cd6d02630714d132d55606a96056be67725e06db18ab92a0eb750c7361116
Opcode Fuzzy Hash: 86e5d885c4d35228b47254165b32bc93c4fcf0139348273eeba2c017ff9bca0a
Instruction Fuzzy Hash: C1C12472D00215ABEB20AF659C42ABF7BB9EF04714F54405BFD05EB291EB389E41C798

Function 004E90C0 Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 423libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,771AE010,?), ref: 004E92A0
GetProcAddress.KERNEL32(00000000,?), ref: 004E92B0
GetModuleHandleA.KERNEL32(?), ref: 004E93C8
GetProcAddress.KERNEL32(00000000,?), ref: 004E93D2
OpenProcess.KERNEL32(00000040,00000000,?), ref: 004E93DE
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000), ref: 004E944D
CloseHandle.KERNEL32(00000000), ref: 004E9480
CloseHandle.KERNEL32(00000000), ref: 004E94A6
CloseHandle.KERNEL32(00000000), ref: 004E94C6
CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 004E9668
ResetEvent.KERNEL32(00000000), ref: 004E9671
CreateThread.KERNEL32(00000000,00000000,004E97A0,?,00000000,00000000), ref: 004E9695
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 004E96A1
RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 004E96E7
CloseHandle.KERNEL32(00000000), ref: 004E9728
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000001), ref: 004E9734
CloseHandle.KERNEL32(00000000), ref: 004E9753
TerminateThread.KERNEL32(14D846FE,00000000), ref: 004E9781

Strings

File, xrefs: 004E94F0

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Handle$Close$Process$AddressCreateCurrentEventModuleProcStringThread$AnsiObjectOpenResetSingleTerminateUnicodeWait
String ID: File
API String ID: 3681783469-749574446
Opcode ID: 5519d313cc11df224254bb5c2ddb9f42228914f8febfa83a914f2ab3983c68cb
Instruction ID: b9b0c17e31d3cfe0bbc2e9151a178c1e78e3251af3666c5291f23336d4f8ce8a
Opcode Fuzzy Hash: 5519d313cc11df224254bb5c2ddb9f42228914f8febfa83a914f2ab3983c68cb
Instruction Fuzzy Hash: 6322D2B4D042599FDB24CF99D981BEEBBB4BF08310F104199E909B7390E7746A81CFA5

Function 004D6790 Relevance: 19.9, APIs: 13, Instructions: 424fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,00000000), ref: 004D6A20

Part of subcall function 004D6BA0: GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
Part of subcall function 004D6BA0: RmStartSession.RSTRTMGR(?,00000000,?), ref: 004D6C50
Part of subcall function 004D6BA0: RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?), ref: 004D6C91
Part of subcall function 004D6BA0: RmGetList.RSTRTMGR(?,00000000,?,?,?), ref: 004D6CB9

std::_Throw_Cpp_error.LIBCPMT ref: 004D6B84
std::_Throw_Cpp_error.LIBCPMT ref: 004D6B95
RmShutdown.RSTRTMGR(?,00000001,00000000), ref: 004D6CDA
RmEndSession.RSTRTMGR(?), ref: 004D6CF7
SetLastError.KERNEL32(00000000), ref: 004D6CFE
CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D25
GetLastError.KERNEL32(?,?,00000000), ref: 004D6D33
CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D47

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CopyErrorFileLast$Cpp_errorSessionThrow_std::_$ListRegisterResourcesShutdownStart
String ID:
API String ID: 3293558552-0
Opcode ID: 34269084e38b8db14bed7b99909fd434936ce292801c6578ad0428061b37c9c8
Instruction ID: 506ad45c425b60783e5a35b13f18b7e09e4e0bf61d875f697530398146ac6994
Opcode Fuzzy Hash: 34269084e38b8db14bed7b99909fd434936ce292801c6578ad0428061b37c9c8
Instruction Fuzzy Hash: 0102BCB1C00249DBCB10DFA4C955BEEBBB5FF14314F14426AE805B7381EB786A49CBA5

Function 004EEA40 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 148memorystringCOMMON

Download Yara Rule

APIs

CharNextA.USER32 ref: 004EEA65
CharNextA.USER32 ref: 004EEA85
CharNextA.USER32 ref: 004EEAA5
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004EEAD6
lstrlenA.KERNEL32(?,00000000,00000000,00000003,00000000), ref: 004EEB52
GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000003,00000000), ref: 004EEB6E
HeapAlloc.KERNEL32(00000000), ref: 004EEB71
lstrcpynA.KERNEL32(00000000,?,?), ref: 004EEB7E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004EEBA9
HeapFree.KERNEL32(00000000), ref: 004EEBAC

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36, xrefs: 004EEB8E

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Heap$CharNext$Process$AllocFreeUnothrow_t@std@@@__ehfuncinfo$??2@lstrcpynlstrlen
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
API String ID: 2305228968-2732702261
Opcode ID: 423986ca5e1177f672ef3d58246459128f5a16203a5f76b509fb2a383bcfa813
Instruction ID: 66e08b66e62082d9c79a605ab5b022e87f42821b87c70d6f65fc34b32a61c15c
Opcode Fuzzy Hash: 423986ca5e1177f672ef3d58246459128f5a16203a5f76b509fb2a383bcfa813
Instruction Fuzzy Hash: F1414976D003449FCF10CFAB9C80AAABBB5FF69302B08016BEA05B7351E7755D059B64

Function 004579E3 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0045734F), ref: 004579FC

Strings

log10, xrefs: 00457A3E, 00457A4D
sqrt, xrefs: 00457B3B
log, xrefs: 00457A59, 00457A68
pow, xrefs: 00457A9A, 00457B44, 00457B91
exp, xrefs: 00457A7B, 00457AE0
`-@, xrefs: 00457AC6, 00457B70, 00457BB6
acos, xrefs: 00457B32
asin, xrefs: 00457B29

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: DecodePointer
String ID: `-@$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3628989360
Opcode ID: 4c17630f5161de399ffce6b570c60365a2c89c55b52a7f760b39540bf94f5387
Instruction ID: bbf143f63b3841ec77cfacb8c6df481a799db6acf17f433172942b25d65e7ef2
Opcode Fuzzy Hash: 4c17630f5161de399ffce6b570c60365a2c89c55b52a7f760b39540bf94f5387
Instruction Fuzzy Hash: 1651B370808A0ACBCF109F58F84C1BEBFB1FB05309F154166D851A7266C7799A2DCB4D

Function 0041A060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041A09D
std::_Lockit::_Lockit.LIBCPMT ref: 0041A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0041A0E7
__Getctype.LIBCPMT ref: 0041A1C5
std::_Facet_Register.LIBCPMT ref: 0041A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 0041A223

Strings

PD@, xrefs: 0041A19A
E@, xrefs: 0041A1AE
PG@, xrefs: 0041A1BF

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD@$PG@$E@
API String ID: 1102183713-4120405683
Opcode ID: 495f4126c8959cda1dad90c343e93fba20469dde2e2043d742b69906c970156d
Instruction ID: b372b58ab1bb25eec4b44a09b7f8f3aef2cc67a410616163416d5e42c3dffe19
Opcode Fuzzy Hash: 495f4126c8959cda1dad90c343e93fba20469dde2e2043d742b69906c970156d
Instruction Fuzzy Hash: 6E51BAB0D01245DFCB11CF98C9457AEBBF0FB14714F14825ED855AB391DB78AA88CB92

Function 004E5DB0 Relevance: 15.2, APIs: 10, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,0000001C), ref: 004E5E2B
SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,00000000), ref: 004E5E3E
LocalAlloc.KERNEL32(00000040,0000001C), ref: 004E5E73
SetupDiEnumDeviceInterfaces.SETUPAPI(?,00000000,0055D560,00000000,00000000), ref: 004E5E91
GetModuleHandleExA.KERNEL32(00000004,004E5FC0,?), ref: 004E5FD6

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AllocDeviceEnumLocalSetup$HandleInfoInterfacesModule
String ID:
API String ID: 2253831631-0
Opcode ID: fadfa1ac60673d3e458d1915a7e98f7ba4584b72fe7d50eb1e1fd26e6b005db2
Instruction ID: 9ece1d8e53d7ac8d60b2bb6ddbf2ef81f89b1d867ae8a09947e2396971ddc2c4
Opcode Fuzzy Hash: fadfa1ac60673d3e458d1915a7e98f7ba4584b72fe7d50eb1e1fd26e6b005db2
Instruction Fuzzy Hash: AB61BCB1900349AFEB10CFA5CD09BAEBFB5FF14305F24025AE90067291D3B96A44DBA5

Function 004D6BA0 Relevance: 15.2, APIs: 10, Instructions: 164fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
RmStartSession.RSTRTMGR(?,00000000,?), ref: 004D6C50
RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?), ref: 004D6C91
RmGetList.RSTRTMGR(?,00000000,?,?,?), ref: 004D6CB9
RmShutdown.RSTRTMGR(?,00000001,00000000), ref: 004D6CDA
RmEndSession.RSTRTMGR(?), ref: 004D6CF7
SetLastError.KERNEL32(00000000), ref: 004D6CFE
CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D25
GetLastError.KERNEL32(?,?,00000000), ref: 004D6D33
CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D47

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorLast$CopyFileSession$ListRegisterResourcesShutdownStart
String ID:
API String ID: 304452573-0
Opcode ID: f2e0f649d8c451cb188e662d2111ed80fd4b92e16dc5a70a42fc26eb44908162
Instruction ID: cca443e56f4e81c83c2dc89493b37bcb85ee1d7da0cfa031959f485395bd6110
Opcode Fuzzy Hash: f2e0f649d8c451cb188e662d2111ed80fd4b92e16dc5a70a42fc26eb44908162
Instruction Fuzzy Hash: 6051C172D01219ABCB21CF94DC55BEEBBB8EB04320F10026AE804B3390D7396E05CBA4

Function 004377C6 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

___TypeMatch.LIBVCRUNTIME ref: 004379F3
CatchIt.LIBVCRUNTIME ref: 00437A44
_UnwindNestedFrames.LIBCMT ref: 00437B45
CallUnexpected.LIBVCRUNTIME ref: 00437B60

Strings

csm, xrefs: 00437803
csm, xrefs: 00437870
PU, xrefs: 004378DC
csm, xrefs: 0043791C

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwind
String ID: PU$csm$csm$csm
API String ID: 944608866-2352073648
Opcode ID: bfdbdb9048f87fb98bf27686f7ec8788dee97e91e92dadc6c49aef564bf08e9e
Instruction ID: 3ab07074fa5cec17866f911e521d745307128fc3ecc03719d0b843171535b798
Opcode Fuzzy Hash: bfdbdb9048f87fb98bf27686f7ec8788dee97e91e92dadc6c49aef564bf08e9e
Instruction Fuzzy Hash: 2DB18EB1808209DFDF25EFA5C8819AEBB75FF18314F14615BE8406B302D739EA51CB99

Function 004E4720 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 291registryCOMMON

Download Yara Rule

APIs

RegGetValueA.ADVAPI32(80000002,?,?,0001FFFF,00000001,?,00000104,?,?,?), ref: 004E4A70
GetComputerNameExA.KERNEL32(00000002,?,00000104,?,?,?,?,?,?), ref: 004E4ADC
LsaOpenPolicy.ADVAPI32(00000000,00587684,00000001,?), ref: 004E4B35
LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 004E4B48
LsaFreeMemory.ADVAPI32(?), ref: 004E4B76
LsaClose.ADVAPI32(?), ref: 004E4B7F

Strings

;Yb., xrefs: 004E49C7
%wZ, xrefs: 004E4B65

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Policy$CloseComputerFreeInformationMemoryNameOpenQueryValue
String ID: %wZ$;Yb.
API String ID: 762890658-2876608990
Opcode ID: 1f6fa3f1279af543b2d0416b495f84695c810df1c81b970ccc0f6ebddc05bc25
Instruction ID: db120a3af714b361d6db134a28a940fef9e0d4b71911d12d67c4190411436b99
Opcode Fuzzy Hash: 1f6fa3f1279af543b2d0416b495f84695c810df1c81b970ccc0f6ebddc05bc25
Instruction Fuzzy Hash: 1EE101B4D0425A8FDB14CF98C985BEEBBB4BF08304F2041AAE949B7341D7745A85CFA5

Function 0041D260 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041D28A
std::_Lockit::_Lockit.LIBCPMT ref: 0041D2AC
std::_Lockit::~_Lockit.LIBCPMT ref: 0041D2D4
__Getcoll.LIBCPMT ref: 0041D39F
std::_Facet_Register.LIBCPMT ref: 0041D3E4
std::_Lockit::~_Lockit.LIBCPMT ref: 0041D40E

Strings

PD@, xrefs: 0041D385
@A, xrefs: 0041D399

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID: @A$PD@
API String ID: 1184649410-3602166583
Opcode ID: 0bf225a75eb93bfa089e9f157e46b85744d7a7315d20ca7401f03ce5cc574cac
Instruction ID: c0da35fc40401e56e1a2e1b6a9e91288cb6dff343535c30909133d457a6d594b
Opcode Fuzzy Hash: 0bf225a75eb93bfa089e9f157e46b85744d7a7315d20ca7401f03ce5cc574cac
Instruction Fuzzy Hash: DD51BAB1C01209DFDB01DF99C9447AEBBF0FF55318F24805AE8156B381C779AA49CB92

Function 004335D8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004335DE
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 004335EC
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004335FD
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 0043360E

Strings

kernel32.dll, xrefs: 004335D9
GetCurrentPackageId, xrefs: 004335E6
GetSystemTimePreciseAsFileTime, xrefs: 004335F2
GetTempPath2W, xrefs: 00433603

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: fa32ac99bed3163b7218575a0872144807cc5232e4a06349f6b146d66b29aa24
Instruction ID: 4ac6349005adf47651da35ec4b9228104ef97a4851d7f02e7f823555ada55313
Opcode Fuzzy Hash: fa32ac99bed3163b7218575a0872144807cc5232e4a06349f6b146d66b29aa24
Instruction Fuzzy Hash: ACE0B672951310ABC7249BB0BC2D9663EB8FA296637404056FC02E21A0EBB05949ABB4

Function 00544CF0 Relevance: 13.6, APIs: 9, Instructions: 88sleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00545330: GetVersionExA.KERNEL32(?), ref: 00545356

GetVersionExA.KERNEL32(?), ref: 00544D33
DeleteFileW.KERNEL32(00000000), ref: 00544D52
GetFileAttributesW.KERNEL32(00000000), ref: 00544D59
GetLastError.KERNEL32 ref: 00544D66
Sleep.KERNEL32(00000064), ref: 00544D7C
DeleteFileA.KERNEL32(00000000), ref: 00544D85
GetFileAttributesA.KERNEL32(00000000), ref: 00544D8C
GetLastError.KERNEL32 ref: 00544D99
Sleep.KERNEL32(00000064), ref: 00544DAF

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastSleepVersion
String ID:
API String ID: 1421123951-0
Opcode ID: 644f3411c4d85681ded29085f2f8665f8d90dbdf3f2b9961fa3a9f7b4629f182
Instruction ID: e8ec0c6fce3b273d326ef0f9b2b3730986ab63f4275b785bb0a08d323dc610f1
Opcode Fuzzy Hash: 644f3411c4d85681ded29085f2f8665f8d90dbdf3f2b9961fa3a9f7b4629f182
Instruction Fuzzy Hash: 6221DB32D403149FCB20AB74AC8D6FD7BB4FB69339F100655E91AD31A0EA304985AB52

Function 004372D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437307
___except_validate_context_record.LIBVCRUNTIME ref: 0043730F
_ValidateLocalCookies.LIBCMT ref: 00437398
__IsNonwritableInCurrentImage.LIBCMT ref: 004373C3
_ValidateLocalCookies.LIBCMT ref: 00437418

Strings

`-@, xrefs: 004373DC
csm, xrefs: 004373AD

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `-@$csm
API String ID: 1170836740-3738301566
Opcode ID: a837c65dc98bc53f7a591b5dada66322cfdf011b0ab20b220170fbbfaeea83fd
Instruction ID: bde692452db8eba3752ab90a3e7788ac0719a0bf92b2230e47b89eff8dfd02fd
Opcode Fuzzy Hash: a837c65dc98bc53f7a591b5dada66322cfdf011b0ab20b220170fbbfaeea83fd
Instruction Fuzzy Hash: B041F8709042099FCF20DF59C885A9FBBA4BF08328F14905BFC54AB392D739E905DB95

Function 0041C430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041C45A
std::_Lockit::_Lockit.LIBCPMT ref: 0041C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 0041C4A4
std::_Facet_Register.LIBCPMT ref: 0041C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 0041C5C4

Strings

E@, xrefs: 0041C562
PD@, xrefs: 0041C54E

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E@$PD@
API String ID: 459529453-4103272508
Opcode ID: fb94b052f71f665722219136562a8730e5ed9d67761b2a33bc821d4977d05291
Instruction ID: e4bc83ced0ac359faa997fd18d4eeb760fe14de2594101695cc0fd15b6690fbc
Opcode Fuzzy Hash: fb94b052f71f665722219136562a8730e5ed9d67761b2a33bc821d4977d05291
Instruction Fuzzy Hash: C351EFB0900255EFDB11CF58C991BAEBBF0FB10314F24415EE846AB381D7B9AA45CB95

Function 004EDED0 Relevance: 12.2, APIs: 8, Instructions: 165networkCOMMON

Download Yara Rule

APIs

InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 004EDF20
GetLastError.KERNEL32 ref: 004EE015
InternetQueryOptionA.WININET(00000000,0000001F,80000000,?), ref: 004EE040

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: InternetOption$ErrorLastQuery
String ID:
API String ID: 3980908186-0
Opcode ID: a1ac1e88c949714abb61e8a63101dbc767da60d4252146e236756bc9d4aa2743
Instruction ID: 9490229386b8f910ac67b310a4b2a15fa60c532261df57d9535cab47ed46c7f4
Opcode Fuzzy Hash: a1ac1e88c949714abb61e8a63101dbc767da60d4252146e236756bc9d4aa2743
Instruction Fuzzy Hash: B951BE75D40319ABEB20CF95DC8ABEEBBB4EB08B11F14415AEE11BB380D7745A05CB94

Function 00545560 Relevance: 12.1, APIs: 8, Instructions: 141filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(00000000,40000000,00000000,00000001,00000000), ref: 005455C3
Sleep.KERNEL32(00000001), ref: 005455D1
GetLastError.KERNEL32 ref: 005455E8
UnlockFile.KERNEL32(00000000,40000000,00000000,?,00000000), ref: 00545633

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: fe5b5dd74c13ed604590905c3a68f9743d06f085f038e564466f01a9403e7b73
Instruction ID: 85acfabea7dd4ab1116a46d77ec5fdacabbf57290cd153e1b380d28a3a3316b2
Opcode Fuzzy Hash: fe5b5dd74c13ed604590905c3a68f9743d06f085f038e564466f01a9403e7b73
Instruction Fuzzy Hash: 9741D431B01B14ABDB308F24DD957EEBB66FB54729F618125ED08AB392E7719C408BD0

Function 004EDB30 Relevance: 12.1, APIs: 8, Instructions: 128memorystringCOMMON

Download Yara Rule

APIs

CharNextA.USER32 ref: 004EDB55
CharNextA.USER32 ref: 004EDB6C
CharNextA.USER32 ref: 004EDB85
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004EDBB6
lstrlenA.KERNEL32(?,00000000,00000000,00000003,00000000), ref: 004EDC32
GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000003,00000000), ref: 004EDC48
HeapAlloc.KERNEL32(00000000), ref: 004EDC4F
lstrcpynA.KERNEL32(00000000,?,?), ref: 004EDC5C

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CharNext$Heap$AllocProcessUnothrow_t@std@@@__ehfuncinfo$??2@lstrcpynlstrlen
String ID:
API String ID: 1659885099-0
Opcode ID: 5902d60186420a28bcfe0593f279e262339d39e86a68ea558966eb630272322d
Instruction ID: 9156e0b6da00d8c97823f7767c754a9362769a51dfd7e715744df6f0419fd9af
Opcode Fuzzy Hash: 5902d60186420a28bcfe0593f279e262339d39e86a68ea558966eb630272322d
Instruction Fuzzy Hash: 9C416A35D007849FCB208F6E9C806AABBF9EF69312B150197E845F7311E7B49C45DB58

Function 0044BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044BBEC

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: d7b9d7273cbfac5d15a556f8c8651b9033d93685d5a38535419dded3191b9e75
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: D5B14672D006559FEB158F24CC81BEBBBA5EF59310F2441ABE904AB382D778D901C7E9

Function 005447E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 005447EB
GetVersionExA.KERNEL32(?), ref: 00544810
FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00544843
LocalFree.KERNEL32(?), ref: 0054485A
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00544893

Part of subcall function 00545B50: AreFileApisANSI.KERNEL32(00000000,00000000,?,?,?,005448A5), ref: 00545B5C
Part of subcall function 00545B50: MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,?,?,?,005448A5), ref: 00545B71
Part of subcall function 00545B50: MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00545B97

Strings

OsError 0x%x (%u), xrefs: 005448AE

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharFormatMessageMultiWide$ApisErrorFileFreeLastLocalVersion
String ID: OsError 0x%x (%u)
API String ID: 807219750-2664311388
Opcode ID: dd207c85fc94544383a517e30f756156e384ee2b8bcde9e9a95a45159a38d464
Instruction ID: 0c2bef24f6b7c7166f87ec92302cb7117f3d967c30a7bda74ece9fcd541a0daa
Opcode Fuzzy Hash: dd207c85fc94544383a517e30f756156e384ee2b8bcde9e9a95a45159a38d464
Instruction Fuzzy Hash: 0D21C832A40208BBEB209F71DC4AFEE7F78FF94755F1000A9F909A2191E7709A05DB61

Function 0044B37E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,0044B48D,?,?,00000000,00000001,?,?,0044B6B7,00000022,FlsSetValue,00561B88,00561B90,00000001), ref: 0044B43F

Strings

ext-ms-, xrefs: 0044B3E9
api-ms-, xrefs: 0044B3D5

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 033630484f002e070c94113c7b6ef7f262f68e90d70309fdd043a749aa00ed93
Instruction ID: e3d7dbf8d3e43151f67a2d3675c4fcd7809fc0c9af6198dcb17880ded4e1cd5b
Opcode Fuzzy Hash: 033630484f002e070c94113c7b6ef7f262f68e90d70309fdd043a749aa00ed93
Instruction Fuzzy Hash: A2212B36A01220A7E7319F619C45A6B7768EB51761F140112FC06A7392D734ED05D6D9

Function 00458023 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0045809E,00458247), ref: 0045803A
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00458050
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00458065

Strings

ReleaseSRWLockExclusive, xrefs: 0045805A
AcquireSRWLockExclusive, xrefs: 0045804A
KERNEL32.DLL, xrefs: 00458035

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: b8fd12eac23ddbaee97a23d952f9025b2fd48530103b998c3f924386a52c0e98
Instruction ID: 9d8da08feb674b7e1defcd418174b7d342a7e101b9a5f06a55684ee540db6b02
Opcode Fuzzy Hash: b8fd12eac23ddbaee97a23d952f9025b2fd48530103b998c3f924386a52c0e98
Instruction Fuzzy Hash: C6F0A4316807129B5B715E755C9827736DCAA11B53716003EDF01F32E2FE18CC4EA795

Function 00443633 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,B2E69B1B,?,?,00000000,00551365,000000FF,?,0044360F,?,?,004435E3,00000016), ref: 00443668
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044367A
FreeLibrary.KERNEL32(00000000,?,00000000,00551365,000000FF,?,0044360F,?,?,004435E3,00000016), ref: 0044369C

Strings

CorExitProcess, xrefs: 00443672
mscoree.dll, xrefs: 00443661
`-@, xrefs: 0044368B

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$`-@$mscoree.dll
API String ID: 4061214504-3731901874
Opcode ID: 66c557226bdf84cfe892202a4e2d9d598a1facfa92736b92f61228ad13b2a6bb
Instruction ID: 11f561727bfec435161e86ab51d2faaed74d5e09c0b89d0474703e999051cdf2
Opcode Fuzzy Hash: 66c557226bdf84cfe892202a4e2d9d598a1facfa92736b92f61228ad13b2a6bb
Instruction Fuzzy Hash: 5601A232A44715AFDB219F44DC19BAFBBB8FB14B52F014526E812E27E0DB749A04CA94

Function 00455EBC Relevance: 9.2, APIs: 6, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,0045618C,00000000,00000000,?,00000001,?,?,?,?,00000001,?), ref: 00455F62
__freea.LIBCMT ref: 004560F7
__freea.LIBCMT ref: 004560FD
__freea.LIBCMT ref: 00456133
__freea.LIBCMT ref: 00456139
__freea.LIBCMT ref: 00456149

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: 409b469f1d6330a2b3e11b37da4d380b72fd609d37741f34fbee2c455fea7f6f
Instruction ID: 72db6a5fbbb72ca24a21522075f010f93cbc1b36e5ad4b1d6eb8cbe60aa301df
Opcode Fuzzy Hash: 409b469f1d6330a2b3e11b37da4d380b72fd609d37741f34fbee2c455fea7f6f
Instruction Fuzzy Hash: D1711572900A05ABDF209F648C51BBFB7B69F49316F66015BED04A7383E63CDC098799

Function 00433369 Relevance: 9.2, APIs: 6, Instructions: 225COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 004333F4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00433480
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004334EB
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00433507
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043356A
CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00433587

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: 4a3eeb56bd7ee9fe1909d18e68262bb2fe5fda54b12eb40b7425b1e554b148b6
Instruction ID: 4b04ae3b393bc6533ba77a97e4ab0e5e3051f7f3fd8f9b1f1052972f8d3aefbf
Opcode Fuzzy Hash: 4a3eeb56bd7ee9fe1909d18e68262bb2fe5fda54b12eb40b7425b1e554b148b6
Instruction Fuzzy Hash: 8871C272D00215ABEF219F64CC45BEF7BB5AF1D726F14205BE850A7291D73C9E048BA8

Function 004330A9 Relevance: 9.2, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 004330F2
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0043315D
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0043317A
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004331B9
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00433218
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0043323B

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 5f4a82ba7d014fa06e8216ae2bfd85b34b40225c1761d69da73e76adef6768e6
Instruction ID: 2e7ff44e5bd3fd254f9cef1b25620d319a510a0ee994d159d64b8617f2502457
Opcode Fuzzy Hash: 5f4a82ba7d014fa06e8216ae2bfd85b34b40225c1761d69da73e76adef6768e6
Instruction Fuzzy Hash: 5E51E172500206ABEF205F65CC45FAB7BB9EF48B46F24456AF910D6250D738CE00DB68

Function 0044520B Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 370COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00445385
__freea.LIBCMT ref: 004453A1

Strings

9WD, xrefs: 004455E4
a/p, xrefs: 00445467
am/pm, xrefs: 00445403

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: __freea
String ID: 9WD$a/p$am/pm
API String ID: 240046367-3195321850
Opcode ID: 993a7c91ebcf40b0d6cc240ac8cd178338771267cd0baed5445ca37e2b719f32
Instruction ID: eb6553218dede8ec3b22f7d8591de804fd90c34fa4c0505c2e4821a80c18f7d5
Opcode Fuzzy Hash: 993a7c91ebcf40b0d6cc240ac8cd178338771267cd0baed5445ca37e2b719f32
Instruction Fuzzy Hash: 6BC1EC31900A06EBEF249F68C895ABFB7B1FF05700F55404BE805AB356D3789D42CB9A

Function 004D6D90 Relevance: 9.1, APIs: 6, Instructions: 101COMMON

Download Yara Rule

APIs

RmStartSession.RSTRTMGR(?,00000000,?), ref: 004D6DDE
RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?), ref: 004D6E20
RmGetList.RSTRTMGR(?,?,?,?,?), ref: 004D6E48
RmShutdown.RSTRTMGR(?,00000001,00000000), ref: 004D6E69
RmEndSession.RSTRTMGR(?), ref: 004D6E9C
SetLastError.KERNEL32(00000000), ref: 004D6EA3

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Session$ErrorLastListRegisterResourcesShutdownStart
String ID:
API String ID: 3915309458-0
Opcode ID: 35964b7dd5ed9eaca30dcc906b780c94db694ea61ce3b36c4f9fa18b6ac6bce6
Instruction ID: 29e6430877ba3f7b480c4ad8311182fb53b3682ab34aef7614a715581ba20f86
Opcode Fuzzy Hash: 35964b7dd5ed9eaca30dcc906b780c94db694ea61ce3b36c4f9fa18b6ac6bce6
Instruction Fuzzy Hash: 42316076C01219AFDB21DF94CC55BEFBBB8EF18310F01422AF911A3290DB795A448BE1

Function 00437458 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043744F,0043599C,00434361), ref: 00437466
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437474
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043748D
SetLastError.KERNEL32(00000000,0043744F,0043599C,00434361), ref: 004374DF

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1f7d8f03dc5d5ed9cbe3f3a50d497af2707fd42e27fe0bf67e220eaf0f6c3ecd
Instruction ID: 2a60fb784f2f832ea5b73717e43a0c16eb42b58da7a2c3196cfaa8111b53b8ed
Opcode Fuzzy Hash: 1f7d8f03dc5d5ed9cbe3f3a50d497af2707fd42e27fe0bf67e220eaf0f6c3ecd
Instruction Fuzzy Hash: F401F57210C7116EE63027756C8A6172B84DB693BAF30633FF894512F1FE195C04628C

Function 0043756F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00437636
___AdjustPointer.LIBCMT ref: 00437659
___AdjustPointer.LIBCMT ref: 004376F5

Strings

`-@, xrefs: 004375CE

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AdjustPointer
String ID: `-@
API String ID: 1740715915-3781167437
Opcode ID: 9c49ec1216cd10a1b8dcded1df3eff29d3c2c71fb51b80305b9040516556d7e1
Instruction ID: 05bfd451ac5aa057a102673f7c5ee37241370c5a2d72e881bccf1d550ae62a18
Opcode Fuzzy Hash: 9c49ec1216cd10a1b8dcded1df3eff29d3c2c71fb51b80305b9040516556d7e1
Instruction Fuzzy Hash: CE5125F1608A02AFDB388F19C852BBB77A5EF08324F14542FE881472A1D739EC50CB58

Function 00545140 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?), ref: 00545190
GetTempPathW.KERNEL32(000000E6,?,?), ref: 005451B9

Strings

%s\etilqs_, xrefs: 0054525A
>, xrefs: 00545298

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: PathTempVersion
String ID: %s\etilqs_$>
API String ID: 261301950-2315843240
Opcode ID: ce0a7f2363ab7b7d7abc17a902d21cc4fb793d200454f9d166eb27a7e0bd6095
Instruction ID: d7a7f50afb807603cb5ab0f28f8cfab7bdc2795ddb654ce58a8a7a184e52c6c9
Opcode Fuzzy Hash: ce0a7f2363ab7b7d7abc17a902d21cc4fb793d200454f9d166eb27a7e0bd6095
Instruction Fuzzy Hash: 8D516B31D086989FE722CB798C457FABFA4BF16308F4809D6D58492083E6B48F85D761

Function 00432729 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00432730
std::_Lockit::_Lockit.LIBCPMT ref: 0043273B
std::_Lockit::~_Lockit.LIBCPMT ref: 004327A9

Part of subcall function 0043288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004328A4

std::locale::_Setgloballocale.LIBCPMT ref: 00432756

Strings

`-@, xrefs: 00432778, 0043279C

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `-@
API String ID: 677527491-3781167437
Opcode ID: 8a5613631ec3d916f95b396eb7cc43f12c5d676d84142dd5ef1a29976cc47206
Instruction ID: 335728d06f8999c9367bb6f0cb93ad347570f0e44e9dcbef2930aaa8ccdcd417
Opcode Fuzzy Hash: 8a5613631ec3d916f95b396eb7cc43f12c5d676d84142dd5ef1a29976cc47206
Instruction Fuzzy Hash: 9D01FC35A006109BC70AFB20CC5157D7BB0FF98790F44250EE81163391CFB8AE06DB89

Function 00544DE0 Relevance: 7.7, APIs: 5, Instructions: 208fileCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 00544EA3
CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,7FFFFFFD,00000000,00000000), ref: 00544ED3
CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,7FFFFFFD,00000000,00000000), ref: 00544EDB

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CreateFile$Version
String ID:
API String ID: 1715692615-0
Opcode ID: e626251a24768bde3cf7646f34f6a4eca0d0342c2a8e3f24f44f168cd5caa3e2
Instruction ID: 79d633e4ecdcec58b4cab98b7c2eef95a221f739213a781545a85cef4e7b8ca8
Opcode Fuzzy Hash: e626251a24768bde3cf7646f34f6a4eca0d0342c2a8e3f24f44f168cd5caa3e2
Instruction Fuzzy Hash: 9961BC75604302AFD720CF24D845BAABBE8FF84318F04492DF999C6291E735C959CB92

Function 004E9A70 Relevance: 7.7, APIs: 5, Instructions: 181memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,771AE010,?), ref: 004E9BEE
GetProcAddress.KERNEL32(00000000,?), ref: 004E9BF9
GetProcessHeap.KERNEL32 ref: 004E9C04
HeapAlloc.KERNEL32(00000000,00000000,00010000), ref: 004E9C1E
HeapAlloc.KERNEL32(?,00000000,00010000), ref: 004E9C57

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Heap$Alloc$AddressHandleModuleProcProcess
String ID:
API String ID: 349456774-0
Opcode ID: 13763fb7ed65d7034848c90db75977a8d0748b960893ffa14e62b2712247cb23
Instruction ID: d3ba1316c3404c5ffc03a5be9701c45b2826e37c75856fc641be7cc60fa5c5e8
Opcode Fuzzy Hash: 13763fb7ed65d7034848c90db75977a8d0748b960893ffa14e62b2712247cb23
Instruction Fuzzy Hash: CF81F0B5D04229ABDB14CF9AD884AAEFBB4FF48311F10856AE924B7350E7746A01CF54

Function 00432BC8 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00432BDC
AcquireSRWLockExclusive.KERNEL32(00000008), ref: 00432BFB
AcquireSRWLockExclusive.KERNEL32(00000008,00000000), ref: 00432C29
TryAcquireSRWLockExclusive.KERNEL32(00000008,00000000), ref: 00432C84
TryAcquireSRWLockExclusive.KERNEL32(00000008,00000000), ref: 00432C9B

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 8f089e7040faa662b45679f060ee1b8a0f0adfff173fd46cb89089840a213128
Instruction ID: ee0d2db44a198d3d02c1eb3b1b0ff5a364ec90963e300245c4d31640e9e12550
Opcode Fuzzy Hash: 8f089e7040faa662b45679f060ee1b8a0f0adfff173fd46cb89089840a213128
Instruction Fuzzy Hash: B2415931900A0ADFCB20DF65CA8096EB3B4FF0C311F20692BD446D7650D7B8E986DB69

Function 00544B20 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00545330: GetVersionExA.KERNEL32(?), ref: 00545356

GetVersionExA.KERNEL32(?), ref: 00544B51
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00544B76
GetFullPathNameW.KERNEL32(00000000,00000003,00000000,00000000), ref: 00544B96
GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00544BAF
GetFullPathNameA.KERNEL32(00000000,00000003,00000000,00000000), ref: 00544BE1

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: FullNamePath$Version
String ID:
API String ID: 495861893-0
Opcode ID: def506589b02ed86a2d83c6155d8a90f1111383d037ff91711d2ded9672cc6f4
Instruction ID: d9a042031f5a76925af0b002eaae0799fce7b88889afc6fe8005c9c8c5fb2dd0
Opcode Fuzzy Hash: def506589b02ed86a2d83c6155d8a90f1111383d037ff91711d2ded9672cc6f4
Instruction Fuzzy Hash: 55213FB25406146BEB206F719C86FEF3B68EF51309F000078F90956252EA38DD49C7A6

Function 0048F4D0 Relevance: 7.6, APIs: 5, Instructions: 69processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0048F4E3
Process32First.KERNEL32(00000000,?), ref: 0048F506
Process32Next.KERNEL32(00000000,00000128), ref: 0048F551
CloseHandle.KERNEL32(00000000), ref: 0048F55C
CloseHandle.KERNEL32(00000000), ref: 0048F572

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: 6029d90057008e46b8e5c5277aed6df356708134237ca5f417d9c8706b6c6cea
Instruction ID: bc177564cbddbd99672fb84a339279b73cca850227e520494dfef4c47b8580b0
Opcode Fuzzy Hash: 6029d90057008e46b8e5c5277aed6df356708134237ca5f417d9c8706b6c6cea
Instruction Fuzzy Hash: 6411E6326001146BD7306F34AC986BFB7B9EB19325F1405BAE848C3352E7268C4E8765

Function 00406180 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 353COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00406587

Strings

", ", xrefs: 004063D8
: ", xrefs: 004063AE
)@, xrefs: 00406581

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@$", "$: "
API String ID: 4194217158-2520320562
Opcode ID: 8a991d6cc43cc05af2141aeae52dd0db046d74c20a293c61a820b5870d9df492
Instruction ID: 193815703dc37f45cda184aa0d75e7307a57ae547af4f9c577389d6cf834964f
Opcode Fuzzy Hash: 8a991d6cc43cc05af2141aeae52dd0db046d74c20a293c61a820b5870d9df492
Instruction Fuzzy Hash: 85D1E370D00205DFCB14DFA8C945AAEBBF5FF44304F10462EE456A7381DB78AA55CB99

Function 00407350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040750C
___std_exception_destroy.LIBVCRUNTIME ref: 00407522

Strings

[json.exception., xrefs: 004073A1
)@, xrefs: 00407502, 0040751C

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@$[json.exception.
API String ID: 4194217158-3378332251
Opcode ID: 74f1ced649a80f54c74698f2e3f1ef80366f2fbaef409b1663f26043a5eac72a
Instruction ID: d1fd1ad00dbeab1566b73d8112c34bc80c76f551163e59ed82d928a5322bc1a2
Opcode Fuzzy Hash: 74f1ced649a80f54c74698f2e3f1ef80366f2fbaef409b1663f26043a5eac72a
Instruction Fuzzy Hash: 8C51CFB1C046489BD710DFA8C905B9EBBB4FF15318F14426EE850A73C2E7B86A44C7A5

Function 00407B10 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00407CAC
___std_exception_destroy.LIBVCRUNTIME ref: 00407CC2

Strings

p|@, xrefs: 00407C2A
)@, xrefs: 00407CA2, 00407CBC

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@$p|@
API String ID: 4194217158-2759249158
Opcode ID: fbc67c62691b4d29c16fb41b2f6209782dee4ae52023c44201ea77ed1986cddc
Instruction ID: 2d5fa3d367423be86db8b91485125f203ee18fb15550ca5d49c40f7a3d1822d9
Opcode Fuzzy Hash: fbc67c62691b4d29c16fb41b2f6209782dee4ae52023c44201ea77ed1986cddc
Instruction Fuzzy Hash: 0051D3B1C052489BDB00DF98D9457DEFBF4EF19318F10426EE814A7381E7B96A44C7A5

Function 00437B6B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00437B90
CatchIt.LIBVCRUNTIME ref: 00437C76

Strings

MOC, xrefs: 00437BA2
RCC, xrefs: 00437BAA

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 2197aaef782f375f8d87615206ae6fe603a672c81450030c01d2018f2b0bfa53
Instruction ID: 1ed06b6d49ca92b7e67ab75acb14d1b1cdaab090b09ce00a5d54d3623121de76
Opcode Fuzzy Hash: 2197aaef782f375f8d87615206ae6fe603a672c81450030c01d2018f2b0bfa53
Instruction Fuzzy Hash: C1416AB1900209AFDF25DF94CD81AEEBBB5FF4C304F14A05AF944A7251D339A950DB54

Function 00404900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040499F

Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,75CA23A0,?,00431D09,?,005799D8,75CA23A0,?,75CA23A0,-00589880), ref: 0043525B

Strings

ios_base::failbit set, xrefs: 00404828, 00404941
ios_base::badbit set, xrefs: 00404937, 00404962
ios_base::eofbit set, xrefs: 00404946

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1903096808-1866435925
Opcode ID: 5e8fcf04681b5496c91e096f1d273a5343178b8940b0c322b64de4dd1df32f3c
Instruction ID: 99c94d1e80f512c720ba00148ae48faeb0acee82eabb402b7e5943aa58dcc262
Opcode Fuzzy Hash: 5e8fcf04681b5496c91e096f1d273a5343178b8940b0c322b64de4dd1df32f3c
Instruction Fuzzy Hash: AC119CF2844644ABCB10DF688C03BAB37C8E744715F04463EFE58972C1EB399800C79A

Function 00438587 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00438538,00000000,?,00588904,?,?,?,004386DB,00000004,InitializeCriticalSectionEx,0055F640,InitializeCriticalSectionEx), ref: 00438594
GetLastError.KERNEL32(?,00438538,00000000,?,00588904,?,?,?,004386DB,00000004,InitializeCriticalSectionEx,0055F640,InitializeCriticalSectionEx,00000000,?,00438322), ref: 0043859E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 004385C6

Strings

api-ms-, xrefs: 004385AB

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: c947551068fc5aa78d1c4ecff25818d243fe134ebcecfa929017a310edce328a
Instruction ID: c90ef5146fc35b23aa789d7ef59479731dd43e4d0f257fa83e9710a47c69997d
Opcode Fuzzy Hash: c947551068fc5aa78d1c4ecff25818d243fe134ebcecfa929017a310edce328a
Instruction Fuzzy Hash: 51E0D871280308B7EF301F60DC06B1A7F65AB10B41F100035F90CA85F0EB65E954A959

Function 00425757 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00425787
___std_exception_destroy.LIBVCRUNTIME ref: 0042579E

Strings

)@, xrefs: 00425780, 00425796
l, xrefs: 004257A6

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@$l
API String ID: 4194217158-531593656
Opcode ID: a4528b05e6746526d62e84ebb445939fb61f2aaef993a3223180bb5120b50cba
Instruction ID: 43fda41a344adde0c0e2112745b19999f63c5ee1cff445b37cb15900c05139ed
Opcode Fuzzy Hash: a4528b05e6746526d62e84ebb445939fb61f2aaef993a3223180bb5120b50cba
Instruction Fuzzy Hash: BAF0F9A0C052C8DEDB01CBA8C9557CDBFB56F15308F14409AD444A7282E7B96B0CD763

Function 00425654 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00425680
___std_exception_destroy.LIBVCRUNTIME ref: 00425697

Strings

x, xrefs: 0042569F
)@, xrefs: 00425679, 0042568F

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@$x
API String ID: 4194217158-91598277
Opcode ID: 6c5c37cb81e8ac0a1486ed869cf1e333a176143b923977886202bd8eddd9186c
Instruction ID: 10c3b930f4cf49af9ee2bef6b48737f2413326e6bf4895110f1bc2a9c90c91f1
Opcode Fuzzy Hash: 6c5c37cb81e8ac0a1486ed869cf1e333a176143b923977886202bd8eddd9186c
Instruction Fuzzy Hash: 28F0DAA1C09288E9DF41DBE4C5087CDBFB56F15309F24409AD848A7242E7B8670CD767

Function 00448E9F Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(B2E69B1B,00000000,00000000,?), ref: 00448F02

Part of subcall function 0044EC55: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0044A862,?,00000000,-00000008), ref: 0044ECB6

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00449154
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0044919A
GetLastError.KERNEL32 ref: 0044923D

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: d46c0870a8277536d77cd1fa32924c999241811f2f15ebdbc3735bbe4b8907ba
Instruction ID: b6f9ea87837ca93654473fd2bae4ec290e60b55bc3ade45d2d9d29a5185f0d60
Opcode Fuzzy Hash: d46c0870a8277536d77cd1fa32924c999241811f2f15ebdbc3735bbe4b8907ba
Instruction Fuzzy Hash: 70D1BC75D00249AFDF14CFA8C880AAEBBB5FF09304F28456AE856EB351D734AD45CB54

Function 004E97A0 Relevance: 6.2, APIs: 4, Instructions: 161libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 004E98CE
GetProcAddress.KERNEL32(00000000,?), ref: 004E98DA
CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 004E9A55
SetEvent.KERNEL32(00000000), ref: 004E9A5C

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Event$AddressCreateHandleModuleProc
String ID:
API String ID: 2341598627-0
Opcode ID: d8f616207016ccd70649815b0a46d34ccb6368db7b539dbf58b9823ea8322156
Instruction ID: 94e94f94aa147367d366308f7bbda68d1ba073eefd2343970e9372381d670d86
Opcode Fuzzy Hash: d8f616207016ccd70649815b0a46d34ccb6368db7b539dbf58b9823ea8322156
Instruction Fuzzy Hash: 88819AB490C3829FC304CF59C48195AFBE5AFA8390F10891EF89587361E775D989CF96

Function 00443A09 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28dd970ee9f985723d01587f791f28dc943c9d51e1efde8fb113aa15fde7f1a
Instruction ID: 3ce7a0f6481a0f72d6256d3f2a6e49e06ee9a16ea2b7f0bfddf77237ab23de3e
Opcode Fuzzy Hash: c28dd970ee9f985723d01587f791f28dc943c9d51e1efde8fb113aa15fde7f1a
Instruction Fuzzy Hash: 8F412872A40744AFF7149F39C841B5ABBA9EB48B11F10812FF051EB381D779EA408788

Function 004E55A0 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 004E562F
MultiByteToWideChar.KERNEL32(0000000F,00000000,?,000000FF,00000000,0000000F), ref: 004E5664
WideCharToMultiByte.KERNEL32(000004E3,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 004E568B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000), ref: 004E56B9

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 667af2e2a61abff60a43f7d208c8c753e65e9722df59284470c0eff5b9583b61
Instruction ID: 1f69569aec08140b5ab3c0a9b620ac8cfa37dccc0484cb5d57b15f637e29afd9
Opcode Fuzzy Hash: 667af2e2a61abff60a43f7d208c8c753e65e9722df59284470c0eff5b9583b61
Instruction Fuzzy Hash: ED41E271900345ABEF218F75CC09FAE7BB4AF45715F10025AF414BB2D1D7B99A04CBA9

Function 0044F9EC Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0044EC55: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0044A862,?,00000000,-00000008), ref: 0044ECB6

GetLastError.KERNEL32 ref: 0044FA50
__dosmaperr.LIBCMT ref: 0044FA57
GetLastError.KERNEL32(?,?,?,?), ref: 0044FA91
__dosmaperr.LIBCMT ref: 0044FA98

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: f69f264f3a3445fa5257163de56fc3005cb7e945df64431326a0965baf165f71
Instruction ID: 175cdc1e371479ca6662e8932d27d2c7f0366fb1f46f3a828fcae8f7a9953d28
Opcode Fuzzy Hash: f69f264f3a3445fa5257163de56fc3005cb7e945df64431326a0965baf165f71
Instruction Fuzzy Hash: 4A21D731A00605AFFB20EF66D88086BB7A9EF54368715843FF81DA7250D738EC598B59

Function 00545330 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 00545356

Part of subcall function 00545D20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,00545385), ref: 00545D36

AreFileApisANSI.KERNEL32 ref: 00545392
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 005453AB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000), ref: 005453D1

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$ApisFileVersion
String ID:
API String ID: 928063719-0
Opcode ID: cddb1f359b989beb9fa67faf323006f07cde4dd9abd9fb615a423bdc0bd7c05d
Instruction ID: ee91a8a6a0c0fee7022a5c8999e7185e4bdf2e494df521b14be47994331aebc0
Opcode Fuzzy Hash: cddb1f359b989beb9fa67faf323006f07cde4dd9abd9fb615a423bdc0bd7c05d
Instruction Fuzzy Hash: 22113F72E407142BE7305F786C8AFAF37ACEB55769F100265F909E62C1FAB44D489391

Function 00443734 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b057469d9bc5f69e0f8b611fad5c821e03d6bc773c10b2b7f28a1d317aa21b2f
Instruction ID: b5fe3350cd15eea0aaf87c65c2f18f4f52b92c45156554196b4f926f22b003f4
Opcode Fuzzy Hash: b057469d9bc5f69e0f8b611fad5c821e03d6bc773c10b2b7f28a1d317aa21b2f
Instruction Fuzzy Hash: 6621F6F1200205AFFB20AF76CC8186BB7A9FF4076A710C51BF95987250DB39EE518769

Function 00545920 Relevance: 6.1, APIs: 4, Instructions: 76fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,?,00000000), ref: 00545949
GetLastError.KERNEL32 ref: 00545956
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 0054598E
GetLastError.KERNEL32 ref: 005459BF

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorFileLast$PointerWrite
String ID:
API String ID: 2977825765-0
Opcode ID: 1950966d951f8c867560627456bbde13738b7accb01c1cd70c58ef6c62dd0c24
Instruction ID: 582698eb55b2eaae6c7c0c5214501257d254c964c7943da035f428691071258d
Opcode Fuzzy Hash: 1950966d951f8c867560627456bbde13738b7accb01c1cd70c58ef6c62dd0c24
Instruction Fuzzy Hash: 0E219F33600609EBDB208FA8D884BDABBB8FB44375F144166ED18D7281E631DD04DBA0

Function 0045098D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00450995

Part of subcall function 0044EC55: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0044A862,?,00000000,-00000008), ref: 0044ECB6

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004509CD
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004509ED

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 6d6291e591b22f65296549b970deff617d17af2824fd288565b185fb0bbaad7e
Instruction ID: 05a916c6faf25a0682dab3744c632e1b74caa3fe19fc9bf69ed868d66b577761
Opcode Fuzzy Hash: 6d6291e591b22f65296549b970deff617d17af2824fd288565b185fb0bbaad7e
Instruction Fuzzy Hash: EB112BF6901719BF77216BB35C89CBF696CEE6839B710002AF801D1243FB29CD0591B9

Function 005459E0 Relevance: 6.1, APIs: 4, Instructions: 66fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 005459FF
GetLastError.KERNEL32 ref: 00545A0A
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00545A32
GetLastError.KERNEL32 ref: 00545A3C

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID:
API String ID: 2170121939-0
Opcode ID: 540eb84cac6ede58d3537ff1f38c1a90d22693d8cdf9cf0c6dadd44eecfb50f4
Instruction ID: 6ceb55c3a65a62e15609471827d2f6869488a49b85fb46b58a4ba310ad65ed5c
Opcode Fuzzy Hash: 540eb84cac6ede58d3537ff1f38c1a90d22693d8cdf9cf0c6dadd44eecfb50f4
Instruction Fuzzy Hash: 6D119172600209ABCB108FA9EC45BDABBA8FF14375F004266FD1CC72A0E771D8609BD1

Function 00545770 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00000000,?), ref: 00545797
LockFileEx.KERNEL32(?,00000001,00000000,000001FE,00000000,?,00000000,?), ref: 005457DB
LockFile.KERNEL32(?,?,00000000,00000001,00000000,00000000,?), ref: 00545818
GetLastError.KERNEL32 ref: 00545824

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: FileLock$ErrorLastVersion
String ID:
API String ID: 1561719237-0
Opcode ID: 47948f3ac46128f688e1d1758b7c43b77088cf2001bc0b658931b0abdcadf5d0
Instruction ID: 771d51dfa285cbb2dd74062f629081d2be7cfc554bc2a81a6f00ae30f739e82a
Opcode Fuzzy Hash: 47948f3ac46128f688e1d1758b7c43b77088cf2001bc0b658931b0abdcadf5d0
Instruction Fuzzy Hash: DB110171A00715EFF7208B64DC0ABAABBB5FF14314F004165F909E72D0EBB49D448B90

Function 00431F0C Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000400,?,?,?,?,00000000,00000000), ref: 00431F29
GetLastError.KERNEL32 ref: 00431F35
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 00431F5B
GetLastError.KERNEL32 ref: 00431F67

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 35e7bea43bf35a340b569ac256c958a5570a5f93565d5de543f4fdf7da8372b1
Instruction ID: 5e8341cea1a57eda6e9d4b8ca3b7a39c6f892c49641055c0ca5066718be154a8
Opcode Fuzzy Hash: 35e7bea43bf35a340b569ac256c958a5570a5f93565d5de543f4fdf7da8372b1
Instruction Fuzzy Hash: C901FF36600255BBCF221FA1DC08D9B3E36EBD97A1F104015FE1556230C7318866E7B5

Function 005458C0 Relevance: 6.0, APIs: 4, Instructions: 35fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 005458DF
GetLastError.KERNEL32 ref: 005458EA
SetEndOfFile.KERNEL32(?), ref: 005458F7
GetLastError.KERNEL32 ref: 00545901

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorFileLast$Pointer
String ID:
API String ID: 1697706070-0
Opcode ID: 99ed1c69f56f5325abe80c91d58b6415e30b45006e4dec00d143e7c5daf9e1c0
Instruction ID: 8fd75b374af1164205c64c99f3da373fde227693c6e20ab0659c9ae24c58912b
Opcode Fuzzy Hash: 99ed1c69f56f5325abe80c91d58b6415e30b45006e4dec00d143e7c5daf9e1c0
Instruction Fuzzy Hash: BFF03032514708EFDB209FA4EC05AAA7BB8FB15735F104656F82DC62A0E731D924AB91

Function 00456D32 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,0043D547,00000000,00000000,?,00453DCE,00000000,00000001,?,?,?,00449291,?,00000000,00000000), ref: 00456D49
GetLastError.KERNEL32(?,00453DCE,00000000,00000001,?,?,?,00449291,?,00000000,00000000,?,?,?,0044986B,00000000), ref: 00456D55

Part of subcall function 00456D1B: CloseHandle.KERNEL32(FFFFFFFE,00456D65,?,00453DCE,00000000,00000001,?,?,?,00449291,?,00000000,00000000,?,?), ref: 00456D2B

___initconout.LIBCMT ref: 00456D65

Part of subcall function 00456CDD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00456D0C,00453DBB,?,?,00449291,?,00000000,00000000,?), ref: 00456CF0

WriteConsoleW.KERNEL32(00000000,00000000,0043D547,00000000,?,00453DCE,00000000,00000001,?,?,?,00449291,?,00000000,00000000,?), ref: 00456D7A

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6d252f6c85546040703605b5d122fbb434f3c9b6b34be8e7cd3f73b3df330617
Instruction ID: b582005f90f2c4d159ccd48a3422ceca8e6e351b7b3b67145bbef734a6de3f3c
Opcode Fuzzy Hash: 6d252f6c85546040703605b5d122fbb434f3c9b6b34be8e7cd3f73b3df330617
Instruction Fuzzy Hash: F4F01C37500518BBCF221FD1DC18A8A3F76EB583A2B814415FE0D96231D6328928EB94

Function 00481BC0 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00481BC4
GetCurrentProcessId.KERNEL32 ref: 00481BCC
SetEvent.KERNEL32 ref: 00481BE9
WaitForSingleObject.KERNEL32(000000FF), ref: 00481BF7

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Current$EventObjectProcessSingleThreadWait
String ID:
API String ID: 977356572-0
Opcode ID: 145f1463f0330e510467377b19718f6381c7c9cc9e72a15fcc7b338b6b78320b
Instruction ID: 43167ce624a0f5263368e741b5dc2b465bdabedb5219c12b94d6a200efc4dfb2
Opcode Fuzzy Hash: 145f1463f0330e510467377b19718f6381c7c9cc9e72a15fcc7b338b6b78320b
Instruction Fuzzy Hash: 3FE01A72004315DFD7109F64EC1C855BBB5FB293227148221F9099B3B0E6318989EBA5

Function 00408F20 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 272libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,?,?,?,?,00000004,00000000), ref: 004091C8
GetProcAddress.KERNEL32(00000000,?), ref: 004091D3

Strings

Ws2_32.dll, xrefs: 004091BF

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Ws2_32.dll
API String ID: 1646373207-3093949381
Opcode ID: ea9167e3bcfed1d29222b40259f4286497e10de2dd63420951b2f22a9489b711
Instruction ID: cb5ead6240095672237fdab8273f91d80b82b8d73d4ae51f565ea22395c8577a
Opcode Fuzzy Hash: ea9167e3bcfed1d29222b40259f4286497e10de2dd63420951b2f22a9489b711
Instruction Fuzzy Hash: E7C16A70E01214DFCB24CFA8C84579EBBB0BF08714F24859EE955AB392D779AD01CB95

Function 00406B10 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 258COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406CF0
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406D3E

Strings

., xrefs: 00406D10

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_fs_directory_iterator_advance@8
String ID: .
API String ID: 2610647541-248832578
Opcode ID: 8de97e0557b89d418490575b2115c1d7852bdd46763aabdbcc61db0957447ddc
Instruction ID: 06e113195c9c995bb1126ed1958f592d786724859c69b2563011d6ef3baaff07
Opcode Fuzzy Hash: 8de97e0557b89d418490575b2115c1d7852bdd46763aabdbcc61db0957447ddc
Instruction Fuzzy Hash: 6A91D071A00625ABCB34DF18C4846AAB7B4FF05324F01026AE856A77D0D739FDA5CBD9

Function 004036E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403819
___std_exception_destroy.LIBVCRUNTIME ref: 004038F0

Strings

)@, xrefs: 004037ED, 004038EA

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )@
API String ID: 2970364248-4120265097
Opcode ID: ed1ac0f14267c2b8626e9d784d9228836504f476972db074cc70cf608e0aac1a
Instruction ID: 269ef50febfdc4b1c22cf7239a576f40f0b19685bcb009e1facc48eb6157c32a
Opcode Fuzzy Hash: ed1ac0f14267c2b8626e9d784d9228836504f476972db074cc70cf608e0aac1a
Instruction Fuzzy Hash: DD6169B1C00248DBDB10DF98C945B9EFFB5FF19324F14825EE814AB282D7B95A44CBA5

Function 004047F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040499F

Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,75CA23A0,?,00431D09,?,005799D8,75CA23A0,?,75CA23A0,-00589880), ref: 0043525B

Strings

ios_base::failbit set, xrefs: 00404828
ios_base::badbit set, xrefs: 00404937, 00404962

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 1903096808-1240500531
Opcode ID: 037fbcf792b1db2df9f4c70af3e1ac54ab8959b344865e02de195616cc3e88a6
Instruction ID: 59789774a96eacd1a5b8f49c51d8e497543063f0a2ed12b155596828dbf76f3a
Opcode Fuzzy Hash: 037fbcf792b1db2df9f4c70af3e1ac54ab8959b344865e02de195616cc3e88a6
Instruction Fuzzy Hash: E84124B2C00244ABCB04DF68C845BAEBBB8FB49710F14826EF554A73C1D7795A00CBA5

Function 0044EA2E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(00000000,?,00000000,?,?,?,?,?,!,D,0044EA1C,?,?,!,D,?,00000000,?), ref: 0044EB7A
GetLastError.KERNEL32(?,?,?,?,!,D,0044EA1C,?,?,!,D,?,00000000,?), ref: 0044EB84

Strings

!,D, xrefs: 0044EA30

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorFileLast
String ID: !,D
API String ID: 734332943-2387483618
Opcode ID: 6a1e7ac7384b4bb6329048eea8c26e09b822db16cd26105a02b1221d47aee58a
Instruction ID: 1e1ef3cad634bc89b09ed5b2214d0c7337f84d15d2fc9132cafc43e0310a1cdb
Opcode Fuzzy Hash: 6a1e7ac7384b4bb6329048eea8c26e09b822db16cd26105a02b1221d47aee58a
Instruction Fuzzy Hash: FB511971900685AAFB14CF67CC85B9E7B70FF04328F14021BF516A2281D779E891DBA9

Function 004D65F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 004D676A
std::_Throw_Cpp_error.LIBCPMT ref: 004D677B

Strings

UaJ, xrefs: 004D65FD

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID: UaJ
API String ID: 2134207285-2144978721
Opcode ID: 71bc9411bda081ba2c6ca070473d6e11764a2e135bc835127b003db35da83e39
Instruction ID: 177bb7d1701b8dda1f5a90c4ee3be826f8175b366ab48e47effb054e9b4aa952
Opcode Fuzzy Hash: 71bc9411bda081ba2c6ca070473d6e11764a2e135bc835127b003db35da83e39
Instruction Fuzzy Hash: 6441F2B1E002058BC720DF68995136EBBA1BB94314F19072FE815673D1EB79EA04C795

Function 004E6270 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 004E6290
GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 004E62BD

Strings

image/png, xrefs: 004E62D2

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: e7fc661bbe40e167e968ce4b4834ac07952c6a2874a5ff204e6fe5eb7edf3d15
Instruction ID: e08145eb1897d221235e8b13ede795c589c6d842b6ab703e07584c42203d8d4f
Opcode Fuzzy Hash: e7fc661bbe40e167e968ce4b4834ac07952c6a2874a5ff204e6fe5eb7edf3d15
Instruction Fuzzy Hash: 99216D72E00104ABDB10AFA6DC816AFB7B8FF34395F1201F6ED05A7351E7369A44C295

Function 00404040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004040C4

Strings

bad locale name, xrefs: 004040E6

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 0039d2d2ea2786ef81fe116e8b864d57793cf36a19fa060d6cb0c255b1586cee
Instruction ID: 65c2995a4cce64452fc0e082f9126f7f9302ed92d60cad1113ce5137d9e79936
Opcode Fuzzy Hash: 0039d2d2ea2786ef81fe116e8b864d57793cf36a19fa060d6cb0c255b1586cee
Instruction Fuzzy Hash: DB112670805B84EED321CF69C50474BBFF0AF25714F10868DD09597781D3B9A604CB95

Function 00416590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004165C9
___std_exception_copy.LIBVCRUNTIME ref: 004165FC

Strings

)@, xrefs: 004165BA, 004165ED

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )@
API String ID: 2659868963-4120265097
Opcode ID: ec459901e9a8c12f2536e06f4ce64afd8286d8aca2aa337d2d7da09c98386d96
Instruction ID: 79ebb971947c26e29da123751e765caa72f3f100f47198c89106861aa63fe252
Opcode Fuzzy Hash: ec459901e9a8c12f2536e06f4ce64afd8286d8aca2aa337d2d7da09c98386d96
Instruction Fuzzy Hash: F0112EB6910649EBCB11CF99C980B86FBF8FF09724F10876AE82497641E774A5448BA0

Function 004327B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004327C2
std::_Lockit::~_Lockit.LIBCPMT ref: 0043281E

Strings

`-@, xrefs: 004327E9, 00432803

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: `-@
API String ID: 593203224-3781167437
Opcode ID: 0fa848a44c73a6aeeb21660fd2b14f5aaf999c273a66810f0e0171f36124b769
Instruction ID: 083d3c1e84ca2e980ab4dd45ca0d837cc41164b3fcfcb6a28aec5d987169874b
Opcode Fuzzy Hash: 0fa848a44c73a6aeeb21660fd2b14f5aaf999c273a66810f0e0171f36124b769
Instruction Fuzzy Hash: 2A019231600214AFCB15EB19C995E5E77B8EF88754F05409AE8019B3A1DFB0EE44CB60

Function 00404C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GdipCloneImage.GDIPLUS(?,00000000,?,?,?,000000FF), ref: 00404C4C
GdipAlloc.GDIPLUS(00000010,?,?,?,000000FF), ref: 00404C5B

Strings

`K@, xrefs: 00404C75

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Gdip$AllocCloneImage
String ID: `K@
API String ID: 3021075589-3536307564
Opcode ID: 6e910720078c30621a47b6eca49d96a116425349966641e16d2adddba9b4a4fa
Instruction ID: 8747f557437175caeb58756454adc5b6b8cc0decca9fbbd4afccec21ee9e9ac9
Opcode Fuzzy Hash: 6e910720078c30621a47b6eca49d96a116425349966641e16d2adddba9b4a4fa
Instruction Fuzzy Hash: C0112DB1905749DFDB10CF98D904BAABBF8FB48720F10866AE829D37D0D7749900CB91

Function 00404CB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GdipDisposeImage.GDIPLUS(FFFFFFFF,?,?,?,0054C48D,000000FF), ref: 00404CDF
GdipFree.GDIPLUS(?,?,?,?,0054C48D,000000FF), ref: 00404CF1

Strings

`K@, xrefs: 00404CD9

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Gdip$DisposeFreeImage
String ID: `K@
API String ID: 1950503971-3536307564
Opcode ID: 3316c4455565ac62ed6a26cea9d7150bfba2d0e3f41cbf1825aecc5a329bdf6e
Instruction ID: 7ba4187510c4fdb2f2599f15a6424d96657f10c150e71c31b65947a42bc49c9a
Opcode Fuzzy Hash: 3316c4455565ac62ed6a26cea9d7150bfba2d0e3f41cbf1825aecc5a329bdf6e
Instruction Fuzzy Hash: 7201F472A00614ABC720CF48ED01B99BBA8FB19B21F00472FFC11A37C0C7B919108BD5

Function 00407A90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00407ACC
___std_exception_destroy.LIBVCRUNTIME ref: 00407AE2

Strings

)@, xrefs: 00407AC2, 00407ADC

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@
API String ID: 4194217158-4120265097
Opcode ID: 93267da127a396356cd2fdbad952cd532b26063f3bf799b654b12ef89a692989
Instruction ID: 39a61349d826cdb48b27ae0f58ab52f56d337699a51a428b07672872488508ae
Opcode Fuzzy Hash: 93267da127a396356cd2fdbad952cd532b26063f3bf799b654b12ef89a692989
Instruction Fuzzy Hash: FE01A2B2C04744ABC711DF98CD0178DFFF8EB09715F10466BE814A3380E3B8660487A5

Function 00407C70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00407CAC
___std_exception_destroy.LIBVCRUNTIME ref: 00407CC2

Strings

)@, xrefs: 00407CA2, 00407CBC

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@
API String ID: 4194217158-4120265097
Opcode ID: cad3be967c840cba8baab123a4240524b2ea9f27ee00b0363261d2d3a2957baf
Instruction ID: b31235e20b660ddbb30c99c001b11998604f696d918c6d2dbba64f62e05318ed
Opcode Fuzzy Hash: cad3be967c840cba8baab123a4240524b2ea9f27ee00b0363261d2d3a2957baf
Instruction Fuzzy Hash: 3F0162B2C44748ABC711DF98DD01B89FFF8EB09715F10466BE814A3781E3B9AA0487A5

Function 00404B60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GdipDisposeImage.GDIPLUS(?,?,?,Function_0014BFE0,000000FF), ref: 00404B84
GdipFree.GDIPLUS(?,?,?,Function_0014BFE0,000000FF), ref: 00404B96

Strings

`K@, xrefs: 00404B7E

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Gdip$DisposeFreeImage
String ID: `K@
API String ID: 1950503971-3536307564
Opcode ID: 62ee0daa599b9b00a0c4ce88fb3d390fe4e594f946ea023ffe489846956dd575
Instruction ID: bd97fcbd8bdc5b644a2ca526311264c36a05ae446e09af96bb23667ce14d71f1
Opcode Fuzzy Hash: 62ee0daa599b9b00a0c4ce88fb3d390fe4e594f946ea023ffe489846956dd575
Instruction Fuzzy Hash: ADF0F672A44654ABD3218F08DC02F95B7E8FB19B10F00466BFC01A3780D7BA68108AD9

Function 0044B52D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,00000000,?,-00000008,?,-00000008,?,?,00456130,?,?,-00000008,?,-00000008), ref: 0044B57F

Strings

0aE, xrefs: 0044B53E
`-@, xrefs: 0044B55B

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CompareString
String ID: 0aE$`-@
API String ID: 1825529933-1472567772
Opcode ID: d0df0ea43047c73f5029be752bfe14cefc264b458c3f39c7a470d4df90d53397
Instruction ID: e44343d96fe236ab9219cb5f9cc943518e3960d7194e1eed57cc779ab2011060
Opcode Fuzzy Hash: d0df0ea43047c73f5029be752bfe14cefc264b458c3f39c7a470d4df90d53397
Instruction Fuzzy Hash: CDF0B83200021ABBCF126F90EC08ADE3F26EB483A4F058011FA1825130C736C972AB95

Function 00407550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040758C
___std_exception_destroy.LIBVCRUNTIME ref: 004075A2

Strings

)@, xrefs: 00407582, 0040759C

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@
API String ID: 4194217158-4120265097
Opcode ID: c858c6ed78de8a3b5ee1cba1accddd2d2891f2392b50b006f97d08456e2954ad
Instruction ID: 78ccdeb9fbba2d16b6cd524d5c99d9dbf264c3e6aa85c375e1d072593ce1236d
Opcode Fuzzy Hash: c858c6ed78de8a3b5ee1cba1accddd2d2891f2392b50b006f97d08456e2954ad
Instruction Fuzzy Hash: 12F01DB2805748EFC721DF98D901789FFF8FB09728F50466AE865A3780E77466048BA5

Function 00407A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00407A5C
___std_exception_destroy.LIBVCRUNTIME ref: 00407A72

Strings

)@, xrefs: 00407A52, 00407A6C

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@
API String ID: 4194217158-4120265097
Opcode ID: 9ee8fa866bcea9d2c14fc14309fcadf8facde4318e0e6bb098ed358a1a235593
Instruction ID: 96290d15a7b89a27e7413382239de33ac52fdad5c525fa7f0e86a9c1871ea130
Opcode Fuzzy Hash: 9ee8fa866bcea9d2c14fc14309fcadf8facde4318e0e6bb098ed358a1a235593
Instruction Fuzzy Hash: 68F012B1805744DFC711DF98C90178DFFF8FB05728F50466AE855A3780E7B5660487A5

Function 0043361D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00433077,?,?,?,?,004C7E2F), ref: 00433655
GetSystemTimeAsFileTime.KERNEL32(?,B2E69B1B,00000000,?,00551382,000000FF,?,00433077,?,?,?,?,004C7E2F), ref: 00433659

Strings

`-@, xrefs: 0043364F

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: `-@
API String ID: 743729956-3781167437
Opcode ID: a70e229828252f114f3dcb939b169fb3f53d7191ad82fa45b454faadf805d98c
Instruction ID: 3e04e591088ee8cc2650925c1d28f2227fba881fd4e87dc1a7d03300bd93dc66
Opcode Fuzzy Hash: a70e229828252f114f3dcb939b169fb3f53d7191ad82fa45b454faadf805d98c
Instruction Fuzzy Hash: 73F0A032904A54EFCB118F44DC11B59BBA8F708B21F004626EC12A3790DB34A9049F94

Function 0044B7F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000016,00000001,004389D2,00000001,00000016,00438BE1,?,?,?,?,?,00000000), ref: 0044B834

Strings

InitializeCriticalSectionEx, xrefs: 0044B804
`-@, xrefs: 0044B824

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$`-@
API String ID: 2593887523-3269949891
Opcode ID: 1f2253b5c78e33ee57fe7f30907939316c5faef6f9275bf3e632fad4f43c2f0e
Instruction ID: 5bcc12c1b0658f8dc7434a33690804c70bb56e7eadbb0958c8ec10a8e9d05d13
Opcode Fuzzy Hash: 1f2253b5c78e33ee57fe7f30907939316c5faef6f9275bf3e632fad4f43c2f0e
Instruction Fuzzy Hash: BDE09236581318BBCB212F92DC06DAE7F25EB24BA2F048022FD1956161C7768821BBD9

Function 0044B5DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0044B612

Strings

FlsAlloc, xrefs: 0044B5EE
`-@, xrefs: 0044B608

Memory Dump Source

Source File: 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc$`-@
API String ID: 2773662609-4156633630
Opcode ID: cb3d3b1705c4ad86f1f38207f7089225cebdf7df6536ef5bae3d846ce8807c5c
Instruction ID: f97a85a86a778de88566526de1fe8fa57bb386988dde2a496b9568b12ff0cd72
Opcode Fuzzy Hash: cb3d3b1705c4ad86f1f38207f7089225cebdf7df6536ef5bae3d846ce8807c5c
Instruction Fuzzy Hash: DAE0CD3258031477961036916C16DAA7D14D750BA3F050033F904522619A95891066DF

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rise2406.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rise2406.exe_a2fa92cb97a2b320a08f8e64ea523b20ebb5f8f1_8f97a443_dd428d2d-1b53-456e-afc5-446050e7694b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E75.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F7F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FAF.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
rise2406.exe

Function 007A018D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 005475D0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 210
COMMON

Function 00547AB0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 122
synchronizationthreadCOMMON

Function 00528522 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Function 00547D50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
COMMON

Function 0053A2F4 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Function 00539EF6 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 005374F3 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 0053663B Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 00547C30 Relevance: 1.3, APIs: 1, Instructions: 94
memoryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre