Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1467035
MD5:	06e9439beabd1813ff13295adbba48ff
SHA1:	f70c1c806fcb2fbbd97d4c9ecf7c473b3dc957da
SHA256:	47eb2e1f94933fc6da9cf436804c0a303c539de3ce93c7dfaa6b427625447a22
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Powershell download and execute

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 5316 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 06E9439BEABD1813FF13295ADBBA48FF)

WerFault.exe (PID: 2032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2068 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199730044335", "https://t.me/bu77un"], "Botnet": "d2e09041336e6342825973ff413879b9"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2334234419.0000000000976000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x527:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 5316	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 5316	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 5316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.9423fa.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.9423fa.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Code function: 0_2_02F84AD5 GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_02F84AD5

Source: global traffic

HTTP traffic detected: GET /bu77un HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: file.exe	String found in binary or memory: http:///1.18.10.3141/Apps/Battle.net.agent.db
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: file.exe, 00000000.00000002.2334293329.00000000009F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: file.exe, 00000000.00000003.2227716018.000000000A074000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2227655043.000000000A06D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2227758478.000000000A07D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c5c6e24cd307b
Source: file.exe	String found in binary or memory: http://iir.blizzard.com:3724/submit/BNET_APP
Source: file.exe	String found in binary or memory: http://iir.blizzard.com:3724/submit/BNET_APPUnknown
Source: file.exe	String found in binary or memory: http://nydus.battle.net/App/%s/setup/error/%s
Source: file.exe	String found in binary or memory: http://nydus.battle.net/geoip
Source: file.exe	String found in binary or memory: http://nydus.battle.net/geoipX-Geoip-RegionX-Geoip-CountryUSCNSEASGGETd:
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe	String found in binary or memory: http://scripts.sil.org/OFL
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe	String found in binary or memory: http://www.google.com/get/noto/
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70/
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/1
Source: file.exe, 00000000.00000002.2339985934.000000000A06D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/2
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/T
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/Y/h
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/dows
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/ps;PATHEXT=.CO
Source: file.exe, 00000000.00000002.2336090672.00000000030B9000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/sqlt.dll
Source: file.exe, 00000000.00000002.2336090672.00000000030B9000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/sqlt.dll4
Source: file.exe, 00000000.00000002.2336090672.00000000030B9000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/sqlt.dllnamK.exe
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/talV
Source: file.exe, 00000000.00000002.2336090672.0000000003148000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432Content-Disposition:
Source: file.exe, 00000000.00000002.2336090672.0000000003148000.00000004.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2336090672.0000000002FB0000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432rss.exe
Source: file.exe	String found in binary or memory: https://bitwarden.com
Source: file.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: file.exe	String found in binary or memory: https://nydus.battle.net/App/%s/setup/app
Source: file.exe	String found in binary or memory: https://nydus.battle.net/App/%s/setup/appSelected
Source: file.exe, file.exe, 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199730044335
Source: file.exe, 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199730044335hellosqlt.dllsqlite3.dll
Source: file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: file.exe, 00000000.00000002.2336090672.0000000002FC5000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://t.me/bu77un
Source: file.exe, 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/bu77unguf_hMozilla/5.0
Source: file.exe	String found in binary or memory: https://telemetry-in.battle.net/data
Source: file.exe	String found in binary or memory: https://telemetry-in.battlenet.com.cn/data
Source: file.exe	String found in binary or memory: https://telemetry-in.battlenet.com.cn/datahttps://telemetry-in.battle.net/data
Source: file.exe, 00000000.00000003.2210215100.0000000000A27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: file.exe	String found in binary or memory: https://www.openssl.org/docs/faq.html

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49707 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F93160 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

0_2_02F93160

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2334234419.0000000000976000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00977D3D NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00977D3D

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00977D3D	0_2_00977D3D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094037D	0_2_0094037D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009604E6	0_2_009604E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940000	0_2_00940000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00960113	0_2_00960113
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009606BB	0_2_009606BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00960EC9	0_2_00960EC9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9F6CF	0_2_02F9F6CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9EEC1	0_2_02F9EEC1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9ECEC	0_2_02F9ECEC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9E919	0_2_02F9E919

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2068

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000000.2099940661.0000000001263000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBattle.net-Setup.exeD vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameBattle.net-Setup.exeD vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2334234419.0000000000976000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/7@2/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00940A8D CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,FindCloseChangeNotification,

0_2_00940A8D

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\BNR8DUDO.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5316

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e44e4a1c-0572-4549-9da6-a8b01284fa9a

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	String found in binary or memory: %lxLoadLibraryExA\/AddDllDirectoryserver response timeoutselect/poll errorcached response data too big to handleresponse reading failedExcessive server response line length received, %zd bytes. Stripping
Source: file.exe	String found in binary or memory: id-cmc-addExtensions
Source: file.exe	String found in binary or memory: set-addPolicy
Source: file.exe	String found in binary or memory: en Sie alle Battle.net-Installationsprogramme, warten Sie 30 Sekunden und versuchen Sie es erneut.
Source: file.exe	String found in binary or memory: en Sie alle Battle.net-Installationsprogramme, warten Sie 30 Sekunden und versuchen Sie es erneut.Ups! Sieht so aus, als ob etwas nicht mehr korrekt funktioniert. Fehlercode: {error_code}Ups! Sieht so aus, als ob etwas nicht mehr korrekt funktioniert: {message}
Source: file.exe	String found in binary or memory: battle.net-launcher.log
Source: file.exe	String found in binary or memory: battle.net-launcher
Source: file.exe	String found in binary or memory: @{%s}enUSBytesKilobytesMegabytesGigabytesTerabytes%.2finvalid unordered_map<K, T> keyd:\buildserver\bna-2\work-git\bootstrapper-repository\contrib\contrib\cajun\json\reader.inlm_itCurrent != m_Tokens.end()nullUnexpected character in stream: Expected string: Unrecognized escape sequence found in string: \0123456789.eE-+Unexpected end of token streamUnexpected token: Duplicate object member token: Unexpected character in NUMBER token: Unexpected End of token streamObject member already exists: expires_atbtsagentusfiledirectorymessageplatformwinconfigtagsallupdate_methoddistproduct=btsproduct=AgentSTATE_INVALID_PROGRESS_STATESTATE_CHECK_ENVIRONMENTSTATE_UPDATE_BOOTSTRAPPERSTATE_EXTRACT_AGENTSTATE_START_AGENTSTATE_CHECK_AGENTSTATE_UPDATE_AGENTSTATE_CHECK_CLIENTSTATE_UPDATE_CLIENTSTATE_LAUNCH_CLIENTSTATE_CHECK_UNREGISTERED_CLIENTSTATE_INSTALL_CLIENTSTATE_SELECT_LANGUAGESTATE_TRIGGER_RESTARTSTATE_EXITINGRESTART_RUN_SETUPRESTART_RUN_ORIGINALRESTART_ELEVATEanalytic] - launchersetupWe were launched by cmdver= and we are cmdver=, allowing self-patching to occurBootstrapper work completed. Shutting down.LogsFailed to check if another instance of bootstrapper is running. Shutting down...Another instance of bootstrapper is running. Shutting down...Checking permissions on path: depth=Elevation is unnecessary. The current user is an administrator.Permissions problem detected for path and elevation is required. path=Failed to repair file/folder permissions: path=Session hash generated. hash=Session hash extracted from process. hash=Checking for bootstrapper updates.We need to patch but are running from the patching location. Continuing without patching.We are currently up to date.Agent is missing. Will download Agent.The installed agent is older than the one remotely available. Will download Agent.Agent is currently up to date.Elevation required: Restarting to fix Image File Execution options.Agent is running as another user. We can't safely perform work with agent. Shutting down...An update is in progress. Transitioning to update state to track the update.Beta branch detected on client, setting to retail branchAlready updated client. Skipping updateBattle.netpatchBootstrapper thread startedA crash delay ws set via command line argument.Battle.net Setup started. Running from: Configuration: locale= region= uid=Running as adminEmbedded data found on command line: Embedded data found in binary: Session hash found: client_idAn error code is set via command line argument. Raising that error nowAn agent error code is set via command line argument. Raising that error nowBootstrapper thread completedEntering main loop.Bootstrapper State: Invalid transition to state: Restart triggered with reason: Failed to update agent. Continuing on.filenameHandling exception in state Exceeded maximum exception countException converted to: Bootstrapperbattle.net-setup.logbattle.net-launcher.logbattle.net-setupbattle.net-launcherPosting exception to controller: Failed to create Batt
Source: file.exe	String found in binary or memory: DBG-ADDR<{:x}>("{}")
Source: file.exe	String found in binary or memory: DBG-ADDR<
Source: file.exe	String found in binary or memory: : error %u: (%u)%s %s.%s Log-auto-attachmentDBG-ADDR<{:x}>("{}")DBG-OPTIONS<FunctionsOnly>
Source: file.exe	String found in binary or memory: WowError.exeAssertion FailureWowErrord.exeUnknown ErrorFatal Exception<unknown>ERROR #%u (0x%08x) %s %s%08X %08X %04X:%08X %s<can't read from this address>%08X: Exe:%02X %02X %02X %02X Time:%-10s%sUser:%-10s%3s %2d, %4d %2d:%02d:%02d.%03d %cMMemory DumpComputer:Stack: %d bytes starting at (ESP = %08X)Code: %d bytes starting at (EIP = %08X)<unknown symbol><unknown module>** SymGetLineFromAddr() failed, error: %d SymGetModuleInfo() failed, error: %d%08X %-12s %s+%d (0x%08X,0x%08X,0x%08X,0x%08X) (%s,%d) SymGetSymFromAddr() failed, error: %d%08X %-12s %s+%d (%s,%d)%08X %-12s %s+%d (0x%08X,0x%08X,0x%08X,0x%08X) StackWalk() returned FALSE, error: %d%08X %-12s %s+%dStack Trace (Using DBGHELP.DLL) StackWalk() returned zero address - skipping stack frameShowing %d/%d threads... Couldn't load DBGHELP.DLL, error: %d--- Thread ID: %d ------ Thread ID: %d [Current Thread] --- Unable to retrieve thread context, error: %d** Unable to gain access to the thread, error: Address Frame Logical addr ModuleStack Trace (Manual)%4.4x%2.2x%16.16lx%8.8xx86 Registers = %04xLoaded Modules%02x%08x>("DBG-ADDR<+")DBG-MODULE<%8x" "%04d-%02d-%02d %02d.%02d.%02d>dbghelp.dllBlizzard::DebugSymFunctionTableAccess64StackWalk64SymGetModuleBase64SymGetLineFromAddr64SymGetOptionsSymGetModuleInfo64SymInitializeSymGetSymFromAddr64SymSetOptionsSymCleanupSymEnumerateSymbols64SymEnumerateModules64EAXMiniDumpWriteDumpECXEBXESIEDXEBPEDIEIPESPCSFLGESDSGSFSDR0SSDR2DR1DR6DR3psapi.dllDR7GetModuleInformationEnumProcessModules<Application>{}
Source: file.exe	String found in binary or memory: /install
Source: file.exe	String found in binary or memory: J\|U-QtJ\|4,QExecuteUpdateCreateShortcutUninstall/updateresult_uri{"uid":"%s"}/installresponse_urirun64bit/gamesessionuninstall_complete%s/%sinstructions_productinstructions_patch_urlforminstructions_dataset{"uid":"%s","background_download": %s}{"paused": false}{"uid" : "%s","title" : "%s"}/createshortcut/backfill/version(M\|

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2068

Source: C:\Users\user\Desktop\file.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 5158776 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2cc000
Source: file.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x11e400

Source: file.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\BuildServer\bna-2\work-git\bootstrapper-repository\src\Release\Bootstrapper.pdbs source: file.exe
Source:	Binary string: D:\BuildServer\bna-2\work-git\bootstrapper-repository\src\Release\Bootstrapper.pdb source: file.exe

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F9A76B lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LoadLibraryA,GetProcAddress,GetProcAddress,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,OpenEventA,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,CreateEventA,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,CloseHandle,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,CloseHandle,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,ExitProcess,

0_2_02F9A76B

Source: file.exe

Static PE information: real checksum: 0xbe708 should be: 0x4f7dcb

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009636EF push ecx; ret		0_2_00963702
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA1EF5 push ecx; ret		0_2_02FA1F08

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F9B050 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02F9B050

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_02F8C6B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_02F8D690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F977D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F977D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F89FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F89FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9738D GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_02F9738D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F964C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose,	0_2_02F964C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_02F8BC98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F81443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F81443
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F8C039
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F8E016
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F96D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_02F96D7D

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F91F21 GetSystemInfo,wsprintfA,

0_2_02F91F21

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$mK
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareY
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp{
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_0-34511

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02FA224F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_02FA224F

Source: C:\Users\user\Desktop\file.exe

0_2_02F9A76B

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094093D mov eax, dword ptr fs:[00000030h]	0_2_0094093D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094037D mov edx, dword ptr fs:[00000030h]	0_2_0094037D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0095C4ED mov eax, dword ptr fs:[00000030h]	0_2_0095C4ED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940CED mov eax, dword ptr fs:[00000030h]	0_2_00940CED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940F8C mov eax, dword ptr fs:[00000030h]	0_2_00940F8C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940F8D mov eax, dword ptr fs:[00000030h]	0_2_00940F8D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9ACF3 mov eax, dword ptr fs:[00000030h]	0_2_02F9ACF3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F91ADD GetProcessHeap,RtlAllocateHeap,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,

0_2_02F91ADD

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA224F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_02FA224F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA1C0B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_02FA1C0B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA3DCD SetUnhandledExceptionFilter,	0_2_02FA3DCD

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F90A14 memset,memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

0_2_02F90A14

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F938BA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification,		0_2_02F938BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F937BD CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_02F937BD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009427FA cpuid

0_2_009427FA

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_02F91D31

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F3BFEC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F3BFEC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F91BEC GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_02F91BEC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F91CBF GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_02F91CBF

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.9423fa.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.9423fa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.9423fa.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.9423fa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	21 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	21 Process Injection	Security Account Manager	51 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	44 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
https://curl.haxx.se/docs/http-cookies.html	0%	URL Reputation	safe
https://t.me/	0%	Avira URL Cloud	safe
http://www.google.com/get/noto/	0%	Avira URL Cloud	safe
https://telemetry-in.battlenet.com.cn/datahttps://telemetry-in.battle.net/data	0%	Avira URL Cloud	safe
https://nydus.battle.net/App/%s/setup/app	0%	Avira URL Cloud	safe
https://116.202.180.70:5432/	0%	Avira URL Cloud	safe
https://www.openssl.org/docs/faq.html	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199730044335	100%	Avira URL Cloud	malware
https://116.202.180.70:5432/sqlt.dll4	0%	Avira URL Cloud	safe
http://nydus.battle.net/App/%s/setup/error/%s	0%	Avira URL Cloud	safe
https://web.telegram.org	0%	Avira URL Cloud	safe
http://nydus.battle.net/geoip	0%	Avira URL Cloud	safe
https://116.202.180.70:5432/2	0%	Avira URL Cloud	safe
https://116.202.180.70:5432/1	0%	Avira URL Cloud	safe
https://t.me/bu77un	100%	Avira URL Cloud	malware
https://116.202.180.70:5432/talV	0%	Avira URL Cloud	safe
https://bitwarden.com	0%	Avira URL Cloud	safe
https://116.202.180.70:5432/dows	0%	Avira URL Cloud	safe
https://116.202.180.70:5432	0%	Avira URL Cloud	safe
https://116.202.180.70:5432/sqlt.dllnamK.exe	0%	Avira URL Cloud	safe
https://116.202.180.70:5432rss.exe	0%	Avira URL Cloud	safe
https://t.me/bu77unguf_hMozilla/5.0	0%	Avira URL Cloud	safe
https://telemetry-in.battlenet.com.cn/data	0%	Avira URL Cloud	safe
http://iir.blizzard.com:3724/submit/BNET_APP	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199730044335hellosqlt.dllsqlite3.dll	0%	Avira URL Cloud	safe
https://telemetry-in.battle.net/data	0%	Avira URL Cloud	safe
https://116.202.180.70:5432/T	0%	Avira URL Cloud	safe
https://116.202.180.70:5432/ps;PATHEXT=.CO	0%	Avira URL Cloud	safe
http:///1.18.10.3141/Apps/Battle.net.agent.db	0%	Avira URL Cloud	safe
https://116.202.180.70:5432Content-Disposition:	0%	Avira URL Cloud	safe
http://iir.blizzard.com:3724/submit/BNET_APPUnknown	0%	Avira URL Cloud	safe
http://scripts.sil.org/OFL	0%	Avira URL Cloud	safe
http://nydus.battle.net/geoipX-Geoip-RegionX-Geoip-CountryUSCNSEASGGETd:	0%	Avira URL Cloud	safe
https://116.202.180.70:5432/sqlt.dll	0%	Avira URL Cloud	safe
https://116.202.180.70/	0%	Avira URL Cloud	safe
https://nydus.battle.net/App/%s/setup/appSelected	0%	Avira URL Cloud	safe
https://116.202.180.70:5432/Y/h	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	true		unknown
198.187.3.20.in-addr.arpa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199730044335	true	Avira URL Cloud: malware	unknown
https://t.me/bu77un	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://116.202.180.70:5432/sqlt.dll4	file.exe, 00000000.00000002.2336090672.00000000030B9000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nydus.battle.net/App/%s/setup/app	file.exe	false	Avira URL Cloud: safe	unknown
https://t.me/	file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://telemetry-in.battlenet.com.cn/datahttps://telemetry-in.battle.net/data	file.exe	false	Avira URL Cloud: safe	unknown
https://116.202.180.70:5432/	file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nydus.battle.net/App/%s/setup/error/%s	file.exe	false	Avira URL Cloud: safe	unknown
https://www.openssl.org/docs/faq.html	file.exe	false	Avira URL Cloud: safe	unknown
http://www.google.com/get/noto/	file.exe	false	Avira URL Cloud: safe	unknown
https://web.telegram.org	file.exe, 00000000.00000003.2210215100.0000000000A27000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nydus.battle.net/geoip	file.exe	false	Avira URL Cloud: safe	unknown
https://116.202.180.70:5432/2	file.exe, 00000000.00000002.2339985934.000000000A06D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.202.180.70:5432/dows	file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.202.180.70:5432/1	file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.202.180.70:5432/talV	file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bitwarden.com	file.exe	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://116.202.180.70:5432	file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.202.180.70:5432rss.exe	file.exe, 00000000.00000002.2336090672.0000000003148000.00000004.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2336090672.0000000002FB0000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.202.180.70:5432/sqlt.dllnamK.exe	file.exe, 00000000.00000002.2336090672.00000000030B9000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/docs/http-cookies.html	file.exe	false	URL Reputation: safe	unknown
https://t.me/bu77unguf_hMozilla/5.0	file.exe, 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://iir.blizzard.com:3724/submit/BNET_APP	file.exe	false	Avira URL Cloud: safe	unknown
https://telemetry-in.battlenet.com.cn/data	file.exe	false	Avira URL Cloud: safe	unknown
https://telemetry-in.battle.net/data	file.exe	false	Avira URL Cloud: safe	unknown
https://116.202.180.70:5432/T	file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199730044335hellosqlt.dllsqlite3.dll	file.exe, 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http:///1.18.10.3141/Apps/Battle.net.agent.db	file.exe	false	Avira URL Cloud: safe	unknown
https://116.202.180.70:5432/ps;PATHEXT=.CO	file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://iir.blizzard.com:3724/submit/BNET_APPUnknown	file.exe	false	Avira URL Cloud: safe	unknown
https://116.202.180.70:5432Content-Disposition:	file.exe, 00000000.00000002.2336090672.0000000003148000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://scripts.sil.org/OFL	file.exe	false	Avira URL Cloud: safe	unknown
https://116.202.180.70:5432/sqlt.dll	file.exe, 00000000.00000002.2336090672.00000000030B9000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nydus.battle.net/geoipX-Geoip-RegionX-Geoip-CountryUSCNSEASGGETd:	file.exe	false	Avira URL Cloud: safe	unknown
https://nydus.battle.net/App/%s/setup/appSelected	file.exe	false	Avira URL Cloud: safe	unknown
https://116.202.180.70/	file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.202.180.70:5432/Y/h	file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
116.202.180.70	unknown	Germany		24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467035
Start date and time:	2024-07-03 16:49:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/7@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 44 Number of non-executed functions: 78
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240, 20.189.173.20
Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, blobcollector.events.data.trafficmanager.net, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
10:50:14	API Interceptor	1x Sleep call for process: file.exe modified
10:50:19	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
116.202.180.70	82xul16VKj.exe	Get hash	malicious	CryptOne, Vidar	Browse
149.154.167.99	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	vSlVoTPrmP.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	RO67OsrIWi.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	t.me/cinoshibot
	file.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	1dntbjwU2s.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	XZ50BK5JPZ.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	82xul16VKj.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	https://clicktime.cloud.postoffice.net/clicktime.php?U=https%3A%2F%2Ftelegra.ph%2FDavis-Insurance-Agency-LLC-06-28&E=kgarber%40woodlandsbank.com&X=XID311CFbwQP1837Xd1&T=WDLP&HV=U,E,X,T&H=3a14786ee7a8dd2b0305ef5dd961d4108cbfaf34	Get hash	malicious	Unknown	Browse	149.154.167.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	1dntbjwU2s.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	XZ50BK5JPZ.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	19808bS58f.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	0VcrCVxnMP.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	SecuriteInfo.com.Win64.PWSX-gen.4145.5357.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	project plan.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	payment.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Safeguard and Grow Your Assets.html	Get hash	malicious	Unknown	Browse	149.154.167.220
	82xul16VKj.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	https://sula.starladeroff.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
HETZNER-ASDE	82xul16VKj.exe	Get hash	malicious	CryptOne, Vidar	Browse	116.202.180.70
	https://gmoq4wwvl9phy.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	195.201.57.90
	https://acmecomma.bitdocs.ai/share/d/cix0eL8Ef0J0SESM	Get hash	malicious	Unknown	Browse	49.13.69.241
	https://xxxjkam8s4e.z13.web.core.windows.net/?click_id=611h5aaw1cly4j0bmp&tid=701&subid=otka.com&ref=otka.com&883#	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	file.exe	Get hash	malicious	Vidar	Browse	49.13.159.121
	hkLFB22XxS.exe	Get hash	malicious	FormBook	Browse	135.181.212.206
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	49.13.159.121
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	49.13.159.121
	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	d8gZVaN0ms.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar	Browse	149.154.167.99
	1dntbjwU2s.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	XZ50BK5JPZ.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	BomqT2a55e.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.99
	eXiJWkp8OE.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99
	MzjwuZnJF0.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99
	7Pqym5wyq5.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99
	fuqDLDLV7g.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	149.154.167.99
	Inquiry Studbolt - 240703.vbe	Get hash	malicious	GuLoader	Browse	149.154.167.99

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_23ac2d3598194099bfea53d8620e685cbd9df63_2fa1aaae_46522aeb-fbd2-4ad7-8707-f1f3c121c621\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1831758355341229
Encrypted:	false
SSDEEP:	192:Pp56fGxBvSQvIPpw0YvK6NC03jRdZrKFayIzuiF7Z24IO8nZBu:Us5IRLYvK6HjUjIzuiF7Y4IO8P
MD5:	639229628C9F27DCAF7A22EA02848CAE
SHA1:	C778755BB46072477A3EA256E06DA47F59C835FE
SHA-256:	1ADD57D97A602986F58A86D29575E9BAABE90D896C8B629E8C28D50F2E4E80E3
SHA-512:	9C46BA618112CAEA2C50FDA6B8C6D9AA76D4832071764256A3372C7F9DF7EEC6451EAB34B70C2F9B75C2989CA4BF23582E71D4FA713949E388482E77C260E8F3
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.4.9.1.8.1.5.2.7.7.9.2.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.4.9.1.8.1.6.2.6.2.2.9.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.5.2.2.a.e.b.-.f.b.d.2.-.4.a.d.7.-.8.7.0.7.-.f.1.f.3.c.1.2.1.c.6.2.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.0.c.0.e.6.b.-.c.1.4.a.-.4.2.8.c.-.a.5.a.7.-.f.b.1.9.2.8.c.d.d.e.a.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.B.a.t.t.l.e...n.e.t.-.S.e.t.u.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.c.4.-.0.0.0.1.-.0.0.1.5.-.5.0.1.2.-.f.0.4.4.5.8.c.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.8.f.d.5.2.f.a.8.5.c.b.1.9.a.c.a.0.7.8.6.0.2.c.d.8.5.b.3.2.0.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.7.0.c.1.c.8.0.6.f.c.b.2.f.b.b.d.9.7.d.4.c.9.e.c.f.7.c.4.7.3.b.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F85.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jul 3 14:50:15 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	187574
Entropy (8bit):	1.8277239220974038
Encrypted:	false
SSDEEP:	768:OHnikT6HSmIR7W5FRgwy/9RVDw+Tu9JkIv:SRO57gP1u9Jx
MD5:	53409A5AC5D65329E0028E7DF080C131
SHA1:	6809D86A0FBBDD4564AEAAF85A254AB30103D97E
SHA-256:	94D1D0502A58993F32BC0FFA37A26D5F532DC60FBC17A717418721B782EA9090
SHA-512:	254598C705C63D96DA29D9BD580E0176F68F41B377C93C1740FA42B315B6116B3FFEE61C594837FDBBFFA87B09294E7056FBEE5CF2B950E092FB8ECE6B0457A6
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......'e.f........................."..........$...T,..........fb..........`.......8...........T...........0X..............x,..........d...............................................................................eJ..............GenuineIntel............T............e.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6283.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8362
Entropy (8bit):	3.6981652379830625
Encrypted:	false
SSDEEP:	192:R6l7wVeJLCn6o6Y2DemSU9jgmfBfUJlscfupr189bVUsf+G7nm:R6lXJu6o6YiSU9jgmfpUJlsKZVHf+9
MD5:	9DDF9BA4CE8F2A3F3631F27E92059441
SHA1:	837BC2DEE830800A33D147F0DDB0C436667A3D34
SHA-256:	19BE0F8BF89CDBD3D424970703BBDD8F8C4F3B0BB6D10CA88C7E448919194546
SHA-512:	C4D328992B0B9A1FB97B32CD5E969ED4B9B2B0B36028318D7AB7736385262EEFA661221A4687DAE9F6248DA85DF36E3547485069580D2B85D2C41B9093A7EB28
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER62B3.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4690
Entropy (8bit):	4.490284455717078
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI94vrWpW8VYtYm8M4JIjzFnh+q8bqRFTcWvd:uIjfQI7KC7VJJGh1TcWvd
MD5:	5826FE1E6871F5C532D1B2DCAE77EDEF
SHA1:	9F54E23F0950D72591EEF014DE53A034160240BE
SHA-256:	AA6B2903C0F8612AB333DC5DCCFA937AA9B22F2740778216CC1E47BF7AC69813
SHA-512:	B46EBA7D59C1BC209EEA51F9858816AF98814FF44865130988E699BF02D5727A3812B4DA24456F126171E88C5C0CDD1A7725608D1695BA891E512D8BEA89CFF8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="394912" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.144086598890895
Encrypted:	false
SSDEEP:	6:kKrHa9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:DVDnLNkPlE99SNxAhUe/3
MD5:	AAA449A9D4FD81D64402AAA465FCE03C
SHA1:	DBA6B744C353C846F709A50833858C4CF522DEFF
SHA-256:	86245B5BEBC4C4883EE2A94C9774453FDA2869A99146CFF4749BA4A6C5EC6925
SHA-512:	6E26292B4B509515D230A1A95471219347A9392C6BB9CA31494BAB7673E99C5230F6F70A9FB3BD0BD74F73F4BAFB850EBAB165DCA8C92CD56A98671A511F0B78
Malicious:	false
Reputation:	low
Preview:	p...... ........[..LX...(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4689181212615265
Encrypted:	false
SSDEEP:	6144:7zZfpi6ceLPx9skLmb0fqZWSP3aJG8nAgeiJRMMhA2zX4WABluuNbjDH5S:3ZHtqZWOKnMM6bFp9j4
MD5:	D832B3AA6F66FD3F48AB10827D5C2BEB
SHA1:	7F8FC45A447153BA8635CF51B5ACD4E6AF69EF97
SHA-256:	E79B4BDC59BFF9CC7362E7A796E0DCA24FE4FAAA11779ED1E08E4CA75C9BC1EA
SHA-512:	2C22096077425005B865E32D567D9F36C913D1491285CEE76B71E871A52A4148A9FCF18EBB4A345497C405BD38352053EE46A4567338F759209786BBA3715434
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.xhPX..................................................................................................................................................................................................................................................................................................................................................d........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.905003406667077
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	5'158'776 bytes
MD5:	06e9439beabd1813ff13295adbba48ff
SHA1:	f70c1c806fcb2fbbd97d4c9ecf7c473b3dc957da
SHA256:	47eb2e1f94933fc6da9cf436804c0a303c539de3ce93c7dfaa6b427625447a22
SHA512:	3143051b25bce1e2a80dc11006398309d09308ae6542e0e20c1c3e95947ea798d176ea75c8a53265846a902b2d0f9e81dc315e1343ec7d5b7fd4e16d77d7d118
SSDEEP:	98304:a84BwyMWieDN4+F/8njOyiiqTdAGlucxG3:aAEwnjOy5qzlucE3
TLSH:	E436BF92BA40C075D14303706678BBBD46BEBEB02B21C5C36F94265DCDB35D2AA36397
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........f...5...5...5...4...5...4...5...4...5Lc.5...5...4...5...4W..5...4...5...4...5...4...5...5...5...4...5...4...5...4T..5..05...

File Icon


Icon Hash:	071975cccc7d3907

Static PE Info

General

Entrypoint:	0x53b686
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x64CC57ED [Fri Aug 4 01:44:13 2023 UTC]
TLS Callbacks:	0x46ba43
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	79dbe573912bfd2d08a3c01a29dfeaed

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	02/02/2022 01:00:00 03/04/2025 01:59:59
Subject Chain	CN=8bit Solutions LLC, O=8bit Solutions LLC, L=Jacksonville, S=Florida, C=US, SERIALNUMBER=L16000106119, OID.1.3.6.1.4.1.311.60.2.1.2=Florida, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	ABD40EF42FACAAE2500E04A7C3A05644
Thumbprint SHA-1:	E52631F3A497896894CABCB6E1B18E734BE09342
Thumbprint SHA-256:	B4E4E6202977829E9ADF73DB66C49386E5EBBCFA19499A58C7A45D38613D871C
Serial:	0D4ED820E34466C1DB3375E3AD1937FF

Entrypoint Preview

Instruction
call 00007F5D1CB648D3h
jmp 00007F5D1CB63D9Fh
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F5D1CB64215h
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 006D1CD4h
je 00007F5D1CB63F2Ch
push 0000000Ch
push esi
call 00007F5D1CB63EFDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
jmp 00007F5D1CB63F2Fh
push dword ptr [ebp+08h]
call 00007F5D1CB96053h
pop ecx
test eax, eax
je 00007F5D1CB63F31h
push dword ptr [ebp+08h]
call 00007F5D1CB911CEh
pop ecx
test eax, eax
je 00007F5D1CB63F08h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F5D1CB64BF8h
jmp 00007F5D1CB4FDC3h
push ebp
mov ebp, esp
mov eax, dword ptr [007EC06Ch]
and eax, 1Fh
push 00000020h
pop ecx
sub ecx, eax
mov eax, dword ptr [ebp+08h]
ror eax, cl
xor eax, dword ptr [007EC06Ch]
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F5D1CB63F3Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F5D1CB63F2Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F5D1CB63F2Eh
add edx, 28h
cmp edx, esi
jne 00007F5D1CB63F0Ch
xor eax, eax
pop esi
pop ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3e8b6c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x463000	0x83658	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4e8800	0x2f78	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e7000	0x27370	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b5040	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3b5138	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3b5098	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2cd000	0x70c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2cbe2c	0x2cc000	3339be8f888abfeffc46de3220b43eb8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2cd000	0x11e36c	0x11e400	705bbe9d4e6b83e6c21146b4e5654fbc	False	0.3312218545305677	data	6.072282917025936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3ec000	0x76b74	0x1a200	fd9ccb7d2e5e076136cc28819c8447dc	False	0.23657109748803828	DOS executable (block device driver pyright)	5.114446923921056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x463000	0x83658	0x83800	1138008a95a7b1e30c435570d5908d3e	False	0.511757738236692	data	6.405633499821989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4e7000	0x60600	0x60600	24f9cce49c9de2ed8592f872d0b8d318	False	0.5834270630674449	data	7.278306055320921	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
FONT	0x464220	0x13e0c	TrueType Font data, 18 tables, 1st "FFTM", 30 names, Macintosh			0.46435765168263327
FONT	0x47802c	0x13fe8	TrueType Font data, 18 tables, 1st "FFTM", 30 names, Macintosh			0.4684722086548794
FONT	0x48c014	0x171a8	TrueType Font data, 18 tables, 1st "FFTM", 32 names, Macintosh			0.4292733958914532
JSON	0x4a31bc	0x386	JSON data			0.40022172949002216
JSON	0x4a3544	0x7fe	JSON data			0.31573802541544477
JSON	0x4a3d44	0x6f2	JSON data			0.3233970753655793
JSON	0x4a4438	0x73d	JSON data			0.3135456017269293
JSON	0x4a4b78	0xd7b	JSON data			0.275282526803825
JSON	0x4a58f4	0x19a	JSON data			0.5414634146341464
PNG	0x4a5a90	0x94c	PNG image data, 428 x 343, 8-bit colormap, non-interlaced			0.9857142857142858
PNG	0x4a63dc	0x5e9	PNG image data, 408 x 108, 8-bit colormap, non-interlaced			1.004626569729015
PNG	0x4a69c8	0xd822	PNG image data, 220 x 449, 8-bit colormap, non-interlaced			1.0004699078257726
PNG	0x4b41ec	0xd8c4	PNG image data, 220 x 449, 8-bit colormap, non-interlaced			1.00046853600519
PNG	0x4c1ab0	0x174	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced			1.0295698924731183
PNG	0x4c1c24	0x154	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced			1.011764705882353
PNG	0x4c1d78	0xf2	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced			1.0082644628099173
PNG	0x4c1e6c	0x13f	PNG image data, 165 x 36, 8-bit/color RGBA, non-interlaced			0.8495297805642633
PNG	0x4c1fac	0x165	PNG image data, 165 x 36, 8-bit/color RGBA, non-interlaced			0.834733893557423
PNG	0x4c2114	0x165	PNG image data, 165 x 36, 8-bit/color RGBA, non-interlaced			0.834733893557423
PNG	0x4c227c	0x136	PNG image data, 165 x 36, 8-bit/color RGBA, non-interlaced			0.8451612903225807
PNG	0x4c23b4	0x170	PNG image data, 165 x 36, 8-bit/color RGBA, non-interlaced			0.8396739130434783
PNG	0x4c2524	0x119	PNG image data, 92 x 36, 8-bit/color RGBA, non-interlaced			0.8718861209964412
PNG	0x4c2640	0x149	PNG image data, 92 x 36, 8-bit/color RGBA, non-interlaced			0.9300911854103343
PNG	0x4c278c	0x149	PNG image data, 92 x 36, 8-bit/color RGBA, non-interlaced			0.9300911854103343
PNG	0x4c28d8	0x11d	PNG image data, 92 x 36, 8-bit/color RGBA, non-interlaced			0.8736842105263158
PNG	0x4c29f8	0x14f	PNG image data, 92 x 36, 8-bit/color RGBA, non-interlaced			0.9253731343283582
PNG	0x4c2b48	0xb3	PNG image data, 21 x 19, 8-bit/color RGBA, non-interlaced			0.994413407821229
PNG	0x4c2bfc	0xd2	PNG image data, 21 x 19, 8-bit/color RGBA, non-interlaced			1.0095238095238095
PNG	0x4c2cd0	0x90	PNG image data, 21 x 19, 8-bit/color RGBA, non-interlaced			0.9722222222222222
PNG	0x4c2d60	0x93	PNG image data, 21 x 19, 8-bit/color RGBA, non-interlaced			0.9931972789115646
PNG	0x4c2df4	0x11c	PNG image data, 11 x 11, 8-bit/color RGBA, non-interlaced			1.017605633802817
PNG	0x4c2f10	0xd0	PNG image data, 11 x 10, 8-bit/color RGBA, non-interlaced			0.9903846153846154
PNG	0x4c2fe0	0x23d5	PNG image data, 738 x 468, 8-bit/color RGBA, non-interlaced			0.8771394309386242
PNG	0x4c53b8	0x139	PNG image data, 451 x 22, 8-bit/color RGBA, non-interlaced			0.9648562300319489
PNG	0x4c54f4	0x169	PNG image data, 451 x 22, 8-bit/color RGBA, non-interlaced			0.9889196675900277
PNG	0x4c5660	0x133	PNG image data, 362 x 22, 8-bit/color RGBA, non-interlaced			0.9804560260586319
PNG	0x4c5794	0x16a	PNG image data, 362 x 22, 8-bit/color RGBA, non-interlaced			1.0
PNG	0x4c5900	0x27b	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced			1.0173228346456693
PNG	0x4c5b7c	0x27e	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced			1.0172413793103448
PNG	0x4c5dfc	0x356	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced			1.0128805620608898
STRINGS	0x4c6154	0x4621	data			0.4167548599119924
RT_ICON	0x4ca778	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m			0.05023364485981308
RT_ICON	0x4dafa0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m			0.33156028368794327
RT_ICON	0x4db408	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m			0.2442622950819672
RT_ICON	0x4dbd90	0x2754	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9887763210170838
RT_ICON	0x4de4e4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m			0.18198874296435272
RT_ICON	0x4df58c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m			0.12282157676348547
RT_ICON	0x4e1b34	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m			0.09659896079357581
RT_GROUP_ICON	0x4e5d5c	0x68	data			0.7692307692307693
RT_VERSION	0x4e5dc4	0x344	data			0.42822966507177035
RT_MANIFEST	0x4e6108	0x550	ASCII text, with CRLF line terminators	English	United States	0.42573529411764705

Imports

DLL	Import
UIAutomationCore.DLL	UiaHostProviderFromHwnd, UiaReturnRawElementProvider, UiaRaiseAutomationPropertyChangedEvent, UiaRaiseAutomationEvent, UiaClientsAreListening
MSIMG32.dll	AlphaBlend
RPCRT4.dll	UuidToStringA, RpcStringFreeA, UuidCreate
WS2_32.dll	bind, socket, freeaddrinfo, getaddrinfo, WSASetLastError, htons, WSACleanup, WSAStartup, connect, htonl, WSAGetLastError, gethostname, closesocket, shutdown, ntohl, getpeername, getsockname, getsockopt, ntohs, setsockopt, WSAIoctl, recvfrom, sendto, accept, listen, __WSAFDIsSet, select, ioctlsocket, send, recv
VERSION.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
KERNEL32.dll	GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, GetThreadTimes, FreeLibraryAndExitThread, GetModuleFileNameW, GetModuleHandleA, LoadLibraryExW, VirtualAlloc, VirtualProtect, VirtualFree, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, WaitForSingleObject, RtlUnwind, ExitProcess, GetModuleHandleExW, GetStdHandle, GetFileType, GetModuleFileNameA, WriteConsoleW, ExitThread, ResumeThread, WriteFile, GetACP, SetConsoleCtrlHandler, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, OutputDebugStringA, GetDateFormatW, GetTimeFormatW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ReadFile, ReadConsoleW, SetFilePointerEx, GetTimeZoneInformation, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, CreateThread, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetStdHandle, HeapSize, CreateFileW, SetEndOfFile, GetTickCount64, SleepEx, PeekNamedPipe, WaitForMultipleObjects, ExpandEnvironmentStringsA, FormatMessageA, VerSetConditionMask, GetSystemDirectoryA, LoadLibraryA, VerifyVersionInfoA, CreateFileA, GetFileSizeEx, InitializeCriticalSection, GetEnvironmentVariableW, SetCurrentDirectoryW, GetCurrentDirectoryW, CreateDirectoryW, DeleteFileW, FindFirstFileW, GetDiskFreeSpaceExW, GetFileAttributesW, GetFileAttributesExW, GetFileInformationByHandle, GetFileTime, GetFullPathNameW, RemoveDirectoryW, SetFileAttributesW, SetFileTime, DeviceIoControl, MoveFileExW, AreFileApisANSI, OpenEventA, SetWaitableTimer, GetSystemInfo, CreateWaitableTimerA, DeactivateActCtx, ActivateActCtx, CreateActCtxW, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, SystemTimeToTzSpecificLocalTime, GetDriveTypeW, lstrlenW, VirtualUnlock, ReleaseMutex, CreateMutexA, GlobalFree, GetExitCodeProcess, OpenThread, CreateFiber, VirtualQuery, MoveFileW, ConvertThreadToFiber, CreateFiberEx, WaitNamedPipeW, SetFileValidData, IsBadReadPtr, GlobalMemoryStatus, Module32NextW, VerifyVersionInfoW, SignalObjectAndWait, CreateTimerQueue, OutputDebugStringW, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, InitializeSListHead, GetCurrentProcessId, ResetEvent, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, GetCPInfo, SetThreadPriority, MultiByteToWideChar, GetSystemTimeAsFileTime, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, CreateEventW, InitializeCriticalSectionAndSpinCount, SetLastError, EncodePointer, GetExitCodeThread, SwitchToThread, Sleep, WaitForSingleObjectEx, DuplicateHandle, GetCurrentThreadId, TryEnterCriticalSection, LeaveCriticalSection, EnterCriticalSection, QueryPerformanceFrequency, QueryPerformanceCounter, WideCharToMultiByte, GetCurrentThread, GetCurrentProcess, LocalFree, OpenProcess, GetVersionExW, LocalAlloc, FindResourceW, LoadResource, LockResource, SizeofResource, CreateEventA, GetProcessHeap, HeapAlloc, CloseHandle, SetEvent, SystemTimeToFileTime, GetComputerNameW, lstrcpynA, GetFileSize, GetThreadContext, GetLocalTime, HeapFree, GetUserDefaultLangID, GetTickCount, FreeLibrary, GetModuleHandleW, DeleteCriticalSection, GetProcAddress, DecodePointer, LoadLibraryW, RaiseException, GetLastError, InitializeCriticalSectionEx, ConvertFiberToThread, ReadConsoleA, SetConsoleMode, GetOEMCP, Module32FirstW, Process32Next, DeleteFileA, FileTimeToSystemTime, GetTempPathA, CreateToolhelp32Snapshot, SwitchToFiber, SuspendThread, IsBadStringPtrA, Thread32First, GetCompressedFileSizeW, SetFilePointer, Thread32Next, GetProcessId, DeleteFiber, GetVolumeInformationW, SetNamedPipeHandleState, Process32First, IsBadWritePtr, RtlCaptureContext, GetShortPathNameW, GetDiskFreeSpaceW
USER32.dll	AllowSetForegroundWindow, GetDesktopWindow, MessageBoxA, GetDC, DrawTextW, GetWindowLongW, DefWindowProcW, AdjustWindowRectEx, GetWindowRect, DestroyWindow, SetWindowPos, MessageBoxW, CreateWindowExW, SendMessageW, GetSystemMetrics, SetWindowTextW, RegisterClassExW, ShowWindow, DispatchMessageW, SetTimer, PeekMessageW, TrackMouseEvent, TranslateMessage, LoadIconW, LoadCursorW, SetCapture, GetWindowDC, SetWindowLongW, UpdateLayeredWindow, PostQuitMessage, ReleaseCapture, InvalidateRect, IsIconic, ReleaseDC, GetCursorPos, BeginPaint, EndPaint, GetKeyState, GetUserObjectInformationW, ClientToScreen, PostMessageW, GetForegroundWindow, GetActiveWindow, GetShellWindow, GetWindowThreadProcessId, CharLowerA, SetFocus, MoveWindow, ScreenToClient, GetProcessWindowStation
GDI32.dll	CreateDIBSection, GetObjectW, DeleteObject, AddFontMemResourceEx, EnumFontFamiliesExW, CreateFontW, GetStockObject, SetBkColor, RoundRect, SelectObject, GetLayout, SetLayout, DeleteDC, SetTextColor, SetBkMode, SetMapMode, SetTextAlign, CreateCompatibleDC
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, OpenServiceW, QueryServiceConfigW, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, CryptEnumProvidersA, CryptSignHashA, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptAcquireContextW, ReportEventA, RegisterEventSourceA, DeregisterEventSource, RegGetValueW, RegSetValueExW, SetEntriesInAclW, ConvertSecurityDescriptorToStringSecurityDescriptorW, SetNamedSecurityInfoW, GetNamedSecurityInfoW, GetFileSecurityW, MapGenericMask, BuildTrusteeWithSidW, RegQueryValueExW, LookupPrivilegeValueW, AdjustTokenPrivileges, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetUserNameW, DuplicateTokenEx, OpenSCManagerW, RegQueryValueExA, CloseServiceHandle, ConvertSidToStringSidA, RegCloseKey, RegOpenKeyExA, OpenThreadToken, DuplicateToken, CryptEncrypt, CryptImportKey, CryptDestroyKey, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGenRandom, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA, AccessCheck, AllocateAndInitializeSid
SHELL32.dll	SHGetFolderPathW, ShellExecuteExA, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, ShellExecuteExW, CommandLineToArgvW, FindExecutableA
ole32.dll	CoTaskMemFree, CoCreateInstance
WINTRUST.dll	WinVerifyTrust
CRYPT32.dll	CertOpenStore, CertCloseStore, CertFindCertificateInStore, CertFreeCertificateContext, CryptStringToBinaryA, CertAddCertificateContextToStore, CertGetNameStringA, CryptQueryObject, CertCreateCertificateChainEngine, CertGetCertificateChain, CertFreeCertificateChain, CryptMsgClose, CryptMsgGetParam, CertGetNameStringW, CertEnumCertificatesInStore, CertDuplicateCertificateContext, CertGetCertificateContextProperty, CertFreeCertificateChainEngine
WININET.dll	HttpSendRequestA, InternetCloseHandle, InternetSetStatusCallbackA, InternetOpenA, InternetReadFileExA, InternetSetCookieW, InternetSetOptionA, InternetCrackUrlA, HttpOpenRequestA, HttpQueryInfoA, InternetConnectA
WINHTTP.dll	WinHttpCloseHandle, WinHttpGetIEProxyConfigForCurrentUser, WinHttpGetProxyForUrl, WinHttpOpen
OLEAUT32.dll	VariantClear, SysAllocString, SafeArrayCreateVector, SafeArrayPutElement

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 16:50:06.851120949 CEST	49707	443	192.168.2.6	149.154.167.99
Jul 3, 2024 16:50:06.851164103 CEST	443	49707	149.154.167.99	192.168.2.6
Jul 3, 2024 16:50:06.851234913 CEST	49707	443	192.168.2.6	149.154.167.99
Jul 3, 2024 16:50:06.862397909 CEST	49707	443	192.168.2.6	149.154.167.99
Jul 3, 2024 16:50:06.862425089 CEST	443	49707	149.154.167.99	192.168.2.6
Jul 3, 2024 16:50:07.490022898 CEST	443	49707	149.154.167.99	192.168.2.6
Jul 3, 2024 16:50:07.490217924 CEST	49707	443	192.168.2.6	149.154.167.99
Jul 3, 2024 16:50:07.544553041 CEST	49707	443	192.168.2.6	149.154.167.99
Jul 3, 2024 16:50:07.544576883 CEST	443	49707	149.154.167.99	192.168.2.6
Jul 3, 2024 16:50:07.544873953 CEST	443	49707	149.154.167.99	192.168.2.6
Jul 3, 2024 16:50:07.545075893 CEST	49707	443	192.168.2.6	149.154.167.99
Jul 3, 2024 16:50:07.548033953 CEST	49707	443	192.168.2.6	149.154.167.99
Jul 3, 2024 16:50:07.588506937 CEST	443	49707	149.154.167.99	192.168.2.6
Jul 3, 2024 16:50:07.744431973 CEST	443	49707	149.154.167.99	192.168.2.6
Jul 3, 2024 16:50:07.744460106 CEST	443	49707	149.154.167.99	192.168.2.6
Jul 3, 2024 16:50:07.744510889 CEST	443	49707	149.154.167.99	192.168.2.6
Jul 3, 2024 16:50:07.744549036 CEST	49707	443	192.168.2.6	149.154.167.99
Jul 3, 2024 16:50:07.744560003 CEST	443	49707	149.154.167.99	192.168.2.6
Jul 3, 2024 16:50:07.744609118 CEST	49707	443	192.168.2.6	149.154.167.99
Jul 3, 2024 16:50:07.744616985 CEST	443	49707	149.154.167.99	192.168.2.6
Jul 3, 2024 16:50:07.744657993 CEST	49707	443	192.168.2.6	149.154.167.99
Jul 3, 2024 16:50:07.800107002 CEST	49707	443	192.168.2.6	149.154.167.99
Jul 3, 2024 16:50:07.800127029 CEST	443	49707	149.154.167.99	192.168.2.6
Jul 3, 2024 16:50:07.856132030 CEST	49708	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:07.861675024 CEST	5432	49708	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:07.861752987 CEST	49708	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:07.862127066 CEST	49708	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:07.867729902 CEST	5432	49708	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:08.536614895 CEST	5432	49708	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:08.536689997 CEST	5432	49708	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:08.536698103 CEST	49708	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:08.536747932 CEST	49708	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:09.584213018 CEST	49708	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:09.589410067 CEST	5432	49708	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:09.773013115 CEST	5432	49708	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:09.773178101 CEST	49708	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:09.773782015 CEST	49708	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:09.779989958 CEST	5432	49708	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:10.212049961 CEST	5432	49708	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:10.212126970 CEST	49708	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:10.216794014 CEST	49710	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:10.221806049 CEST	5432	49710	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:10.221898079 CEST	49710	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:10.222265005 CEST	49710	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:10.229011059 CEST	5432	49710	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:10.875519991 CEST	5432	49710	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:10.875598907 CEST	49710	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:10.876096964 CEST	49710	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:10.878113031 CEST	49710	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:10.881074905 CEST	5432	49710	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:10.883164883 CEST	5432	49710	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:11.508410931 CEST	5432	49710	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:11.508620977 CEST	49710	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:11.511955976 CEST	49708	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:11.512543917 CEST	49711	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:11.517471075 CEST	5432	49708	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:11.517570019 CEST	49708	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:11.517963886 CEST	5432	49711	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:11.518029928 CEST	49711	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:11.518373966 CEST	49711	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:11.523665905 CEST	5432	49711	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:12.191543102 CEST	5432	49711	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:12.191685915 CEST	49711	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:12.192312956 CEST	49711	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:12.194422007 CEST	49711	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:12.197108030 CEST	5432	49711	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:12.199697971 CEST	5432	49711	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:12.851542950 CEST	5432	49711	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:12.851681948 CEST	49711	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:12.853575945 CEST	5432	49711	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:12.853634119 CEST	49711	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:12.855268002 CEST	49710	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:12.855768919 CEST	49712	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:12.860884905 CEST	5432	49712	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:12.860961914 CEST	49712	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:12.861140013 CEST	5432	49710	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:12.861187935 CEST	49710	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:12.861318111 CEST	49712	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:12.866303921 CEST	5432	49712	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:13.517237902 CEST	5432	49712	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:13.517378092 CEST	49712	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:13.517925978 CEST	49712	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:13.520028114 CEST	49712	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:13.523403883 CEST	5432	49712	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:13.525276899 CEST	5432	49712	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:14.031876087 CEST	5432	49712	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:14.031896114 CEST	5432	49712	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:14.031913996 CEST	5432	49712	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:14.032130957 CEST	49712	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:14.032130957 CEST	49712	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:14.032664061 CEST	5432	49712	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:14.032676935 CEST	5432	49712	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:14.032704115 CEST	49712	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:14.032721043 CEST	49712	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:14.048018932 CEST	49711	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:14.048861027 CEST	49713	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:14.060971022 CEST	5432	49713	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:14.061060905 CEST	49713	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:14.061598063 CEST	5432	49711	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:14.061650991 CEST	49711	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:14.067699909 CEST	49713	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:14.079387903 CEST	5432	49713	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:14.731857061 CEST	5432	49713	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:14.731976032 CEST	49713	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:14.732425928 CEST	49713	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:14.734221935 CEST	49713	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:14.738045931 CEST	5432	49713	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:14.739854097 CEST	5432	49713	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:15.377509117 CEST	5432	49713	116.202.180.70	192.168.2.6
Jul 3, 2024 16:50:15.377568960 CEST	49713	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:21.073508978 CEST	49713	5432	192.168.2.6	116.202.180.70
Jul 3, 2024 16:50:21.073597908 CEST	49712	5432	192.168.2.6	116.202.180.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 16:50:06.831523895 CEST	57863	53	192.168.2.6	1.1.1.1
Jul 3, 2024 16:50:06.846668959 CEST	53	57863	1.1.1.1	192.168.2.6
Jul 3, 2024 16:50:31.364928961 CEST	53	59379	162.159.36.2	192.168.2.6
Jul 3, 2024 16:50:31.838219881 CEST	62182	53	192.168.2.6	1.1.1.1
Jul 3, 2024 16:50:31.851706028 CEST	53	62182	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 16:50:06.831523895 CEST	192.168.2.6	1.1.1.1	0x8b9	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:50:31.838219881 CEST	192.168.2.6	1.1.1.1	0xfe3	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 16:50:06.846668959 CEST	1.1.1.1	192.168.2.6	0x8b9	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:50:31.851706028 CEST	1.1.1.1	192.168.2.6	0xfe3	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49707	149.154.167.99	443	5316	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:50:07 UTC	85	OUT	GET /bu77un HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-07-03 14:50:07 UTC	512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 03 Jul 2024 14:50:07 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12323 Connection: close Set-Cookie: stel_ssid=0ea872b77550e6bde8_12601486500904257718; expires=Thu, 04 Jul 2024 14:50:07 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-07-03 14:50:07 UTC	12323	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 62 75 37 37 75 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @bu77un</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent

Target ID:	0
Start time:	10:49:55
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe00000
File size:	5'158'776 bytes
MD5 hash:	06E9439BEABD1813FF13295ADBBA48FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2334234419.0000000000976000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:50:15
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2068
Imagebase:	0x530000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	34

Executed Functions

Function 02F9A76B Relevance: 208.8, APIs: 139, Instructions: 337
sleepstringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(02FAA100), ref: 02F9A776
lstrlenW.KERNEL32(02FA9F40), ref: 02F9A781
lstrlenW.KERNEL32(02FA9CF0), ref: 02F9A78C
lstrlenW.KERNEL32(02FA9AB8), ref: 02F9A797
lstrlenW.KERNEL32(02FA9938), ref: 02F9A7A2
LoadLibraryA.KERNEL32(02FA9924), ref: 02F9A7AD
GetProcAddress.KERNEL32(00000000,02FA991C), ref: 02F9A7C4
GetProcAddress.KERNEL32(00000000,02FA990C), ref: 02F9A7D7

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Sleep.KERNEL32(00000014), ref: 02F9A7E4
Sleep.KERNEL32(00000014), ref: 02F9A7EC
Sleep.KERNEL32(00000014), ref: 02F9A7F4
Sleep.KERNEL32(00000014), ref: 02F9A7FC
Sleep.KERNEL32(00000014), ref: 02F9A804
Sleep.KERNEL32(00000014), ref: 02F9A80C
lstrlenW.KERNEL32(02FAA100), ref: 02F9A817
lstrlenW.KERNEL32(02FA9F40), ref: 02F9A822
lstrlenW.KERNEL32(02FA9CF0), ref: 02F9A82D
lstrlenW.KERNEL32(02FA9AB8), ref: 02F9A838
lstrlenW.KERNEL32(02FA9938), ref: 02F9A843
Sleep.KERNEL32(00000014), ref: 02F9A84B
Sleep.KERNEL32(00000014), ref: 02F9A853
Sleep.KERNEL32(00000014), ref: 02F9A85B
Sleep.KERNEL32(00000014), ref: 02F9A863
Sleep.KERNEL32(00000014), ref: 02F9A86B
Sleep.KERNEL32(00000014), ref: 02F9A873
Sleep.KERNEL32(00000014), ref: 02F9A880
Sleep.KERNEL32(00000014), ref: 02F9A888
Sleep.KERNEL32(00000014), ref: 02F9A890
Sleep.KERNEL32(00000014), ref: 02F9A898
Sleep.KERNEL32(00000014), ref: 02F9A8A0
Sleep.KERNEL32(00000014), ref: 02F9A8A8
Sleep.KERNEL32(00000014), ref: 02F9A8B5
Sleep.KERNEL32(00000014), ref: 02F9A8BD
Sleep.KERNEL32(00000014), ref: 02F9A8C5
Sleep.KERNEL32(00000014), ref: 02F9A8CD
Sleep.KERNEL32(00000014), ref: 02F9A8D5
Sleep.KERNEL32(00000014), ref: 02F9A8DD
Sleep.KERNEL32(00000014), ref: 02F9A8E5
Sleep.KERNEL32(00000014), ref: 02F9A8ED
Sleep.KERNEL32(00000014), ref: 02F9A8F5
Sleep.KERNEL32(00000014), ref: 02F9A8FD
Sleep.KERNEL32(00000014), ref: 02F9A905
Sleep.KERNEL32(00000014), ref: 02F9A90D
Sleep.KERNEL32(00000014,02FA5200), ref: 02F9A922
Sleep.KERNEL32(00000014), ref: 02F9A92A
Sleep.KERNEL32(00000014), ref: 02F9A932
Sleep.KERNEL32(00000014), ref: 02F9A93A
Sleep.KERNEL32(00000014), ref: 02F9A942
Sleep.KERNEL32(00000014), ref: 02F9A94A
Sleep.KERNEL32(00000014,00000000,?,?,02FA8E5C,?,00000000), ref: 02F9A9A6
Sleep.KERNEL32(00000014), ref: 02F9A9AE
Sleep.KERNEL32(00000014), ref: 02F9A9B6
Sleep.KERNEL32(00000014), ref: 02F9A9BE
Sleep.KERNEL32(00000014), ref: 02F9A9C6
Sleep.KERNEL32(00000014), ref: 02F9A9CE
Sleep.KERNEL32(00000014), ref: 02F9A9D6
Sleep.KERNEL32(00000014), ref: 02F9A9DE
Sleep.KERNEL32(00000014), ref: 02F9A9E6
Sleep.KERNEL32(00000014), ref: 02F9A9EE
Sleep.KERNEL32(00000014), ref: 02F9A9F6
Sleep.KERNEL32(00000014), ref: 02F9A9FE
Sleep.KERNEL32(00000014), ref: 02F9AA0F
Sleep.KERNEL32(00000014), ref: 02F9AA17
Sleep.KERNEL32(00000014), ref: 02F9AA1F
Sleep.KERNEL32(00000014), ref: 02F9AA27
Sleep.KERNEL32(00000014), ref: 02F9AA2F
Sleep.KERNEL32(00000014), ref: 02F9AA37
OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 02F9AA4D
Sleep.KERNEL32(00000014), ref: 02F9AA5E
Sleep.KERNEL32(00000014), ref: 02F9AA66
Sleep.KERNEL32(00000014), ref: 02F9AA6E
Sleep.KERNEL32(00000014), ref: 02F9AA76
Sleep.KERNEL32(00000014), ref: 02F9AA7E
Sleep.KERNEL32(00000014), ref: 02F9AA86
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F9AA9B
Sleep.KERNEL32(00000014), ref: 02F9AAA6
Sleep.KERNEL32(00000014), ref: 02F9AAAE
Sleep.KERNEL32(00000014), ref: 02F9AAB6
Sleep.KERNEL32(00000014), ref: 02F9AABE
Sleep.KERNEL32(00000014), ref: 02F9AAC6
Sleep.KERNEL32(00000014), ref: 02F9AACE
Sleep.KERNEL32(00000014), ref: 02F9AADA
Sleep.KERNEL32(00000014), ref: 02F9AAE2
Sleep.KERNEL32(00000014), ref: 02F9AAEA
Sleep.KERNEL32(00000014), ref: 02F9AAF2
Sleep.KERNEL32(00000014), ref: 02F9AAFA
Sleep.KERNEL32(00000014), ref: 02F9AB02
CloseHandle.KERNEL32(00000000), ref: 02F9AB0B
Sleep.KERNEL32(00001B58), ref: 02F9AB16
Sleep.KERNEL32(00000014), ref: 02F9AB1E
Sleep.KERNEL32(00000014), ref: 02F9AB26
Sleep.KERNEL32(00000014), ref: 02F9AB2E
Sleep.KERNEL32(00000014), ref: 02F9AB36
Sleep.KERNEL32(00000014), ref: 02F9AB3E
Sleep.KERNEL32(00000014), ref: 02F9AB46
Sleep.KERNEL32(00000014), ref: 02F9AB53
Sleep.KERNEL32(00000014), ref: 02F9AB5B
Sleep.KERNEL32(00000014), ref: 02F9AB63
Sleep.KERNEL32(00000014), ref: 02F9AB6B
Sleep.KERNEL32(00000014), ref: 02F9AB73
Sleep.KERNEL32(00000014), ref: 02F9AB7B
Sleep.KERNEL32(00000014), ref: 02F9AB83
Sleep.KERNEL32(00000014), ref: 02F9AB8B
Sleep.KERNEL32(00000014), ref: 02F9AB93
Sleep.KERNEL32(00000014), ref: 02F9AB9B
Sleep.KERNEL32(00000014), ref: 02F9ABA3
Sleep.KERNEL32(00000014), ref: 02F9ABAB
Sleep.KERNEL32(00000014), ref: 02F9ABB8
Sleep.KERNEL32(00000014), ref: 02F9ABC0
Sleep.KERNEL32(00000014), ref: 02F9ABC8
Sleep.KERNEL32(00000014), ref: 02F9ABD0
Sleep.KERNEL32(00000014), ref: 02F9ABD8
Sleep.KERNEL32(00000014), ref: 02F9ABE0
Sleep.KERNEL32(00000014), ref: 02F9ABE8
Sleep.KERNEL32(00000014), ref: 02F9ABF0
Sleep.KERNEL32(00000014), ref: 02F9ABF8
Sleep.KERNEL32(00000014), ref: 02F9AC00
Sleep.KERNEL32(00000014), ref: 02F9AC08
Sleep.KERNEL32(00000014), ref: 02F9AC10
CloseHandle.KERNEL32(?), ref: 02F9AC19
Sleep.KERNEL32(00000014), ref: 02F9AC21
Sleep.KERNEL32(00000014), ref: 02F9AC29
Sleep.KERNEL32(00000014), ref: 02F9AC31
Sleep.KERNEL32(00000014), ref: 02F9AC39
Sleep.KERNEL32(00000014), ref: 02F9AC41
Sleep.KERNEL32(00000014), ref: 02F9AC49
Sleep.KERNEL32(00000014), ref: 02F9AC51
Sleep.KERNEL32(00000014), ref: 02F9AC59
Sleep.KERNEL32(00000014), ref: 02F9AC61
Sleep.KERNEL32(00000014), ref: 02F9AC69
Sleep.KERNEL32(00000014), ref: 02F9AC71
Sleep.KERNEL32(00000014), ref: 02F9AC79
Sleep.KERNEL32(00000014), ref: 02F9AC81
Sleep.KERNEL32(00000014), ref: 02F9AC89
Sleep.KERNEL32(00000014), ref: 02F9AC91
Sleep.KERNEL32(00000014), ref: 02F9AC99
Sleep.KERNEL32(00000014), ref: 02F9ACA1
Sleep.KERNEL32(00000014), ref: 02F9ACA9
ExitProcess.KERNEL32 ref: 02F9ACB1

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Sleep$lstrlen$AddressCloseEventHandleProclstrcpy$CreateExitLibraryLoadOpenProcesslstrcat
String ID:
API String ID: 1968030747-0
Opcode ID: 8383a8eac1abb5738f656640abd2cb80b8a82122ebb86d8dcd7bfe74855b0003
Instruction ID: dfb7c89e150fa4858f847cf6c8ae0ae101806c65f14345dfb0e825716eeaa61f
Opcode Fuzzy Hash: 8383a8eac1abb5738f656640abd2cb80b8a82122ebb86d8dcd7bfe74855b0003
Instruction Fuzzy Hash: 6CD1AC715E125EBFEB047BE0A81EBE97E6AAB0CB42F544034B3069C1E5CAF054D09B71

Function 02F9B050 Relevance: 182.0, APIs: 121, Instructions: 507
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B06C
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B083
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B09A
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B0B1
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B0C8
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B0DF
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B0F6
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B10D
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B124
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B13B
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B152
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B169
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B180
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B197
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B1AE
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B1C5
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B1DC
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B1F3
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B20A
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B221
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B238
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B24F
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B266
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B27D
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B294
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B2AB
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B2C2
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B2D9
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B2F0
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B307
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B31E
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B335
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B34C
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B363
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B37A
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B391
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B3A8
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B3BF
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B3D6
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B3ED
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B404
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B41B
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B432
GetProcAddress.KERNEL32(02FAA450), ref: 02F9B448
GetProcAddress.KERNEL32(02FAA43C), ref: 02F9B45E
GetProcAddress.KERNEL32(02FAA428), ref: 02F9B474
GetProcAddress.KERNEL32(02FAA418), ref: 02F9B48A
GetProcAddress.KERNEL32(02FAA408), ref: 02F9B4A0
GetProcAddress.KERNEL32(02FAA3F4), ref: 02F9B4B6
GetProcAddress.KERNEL32(02FAA3E0), ref: 02F9B4CC
LoadLibraryA.KERNEL32(?,02F9922C), ref: 02F9B4DD
LoadLibraryA.KERNEL32(?,02F9922C), ref: 02F9B4EE
LoadLibraryA.KERNEL32(?,02F9922C), ref: 02F9B4FF
LoadLibraryA.KERNEL32(?,02F9922C), ref: 02F9B510
LoadLibraryA.KERNEL32(?,02F9922C), ref: 02F9B521
LoadLibraryA.KERNEL32(?,02F9922C), ref: 02F9B532
LoadLibraryA.KERNEL32(?,02F9922C), ref: 02F9B543
LoadLibraryA.KERNEL32(?,02F9922C), ref: 02F9B554
LoadLibraryA.KERNEL32(02FAA3D4,?,02F9922C), ref: 02F9B564
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B584
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B59B
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B5B2
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B5C9
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B5E0
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B604
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B61B
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B632
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B649
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B660
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B677
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B68E
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B6A5
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B6C5
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B6DC
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B6F3
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B70A
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B721
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B745
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B75C
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B773
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B78A
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B7A1
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B7B8
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B7DC
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B7F3
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B80A
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B821
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B838
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B84F
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B866
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B87D
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B894
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B8B4
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B8CB
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B8E2
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B8F9
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B910
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B930
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B947
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B967
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B97E
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B9A2
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B9B9
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B9D0
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B9E7
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9B9FE
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9BA15
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9BA2C
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9BA43
GetProcAddress.KERNEL32(02FAA3C4), ref: 02F9BA59
GetProcAddress.KERNEL32(02FAA3B0), ref: 02F9BA6F
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9BA8F
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9BAA6
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9BABD
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9BAD4
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9BAF4
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9BB14
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9BB2B
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9BB42
GetProcAddress.KERNEL32(?,02F9922C), ref: 02F9BB59
GetProcAddress.KERNEL32(02FAA3A0), ref: 02F9BB78

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 1d785e602963b4d81dc4cb6035dd659ab20d531e26516bb353c2ca16bf2c4f3d
Instruction ID: 2d6497051439c5450755d494b503d0b47909315db4ddbe034cd71909536817ee
Opcode Fuzzy Hash: 1d785e602963b4d81dc4cb6035dd659ab20d531e26516bb353c2ca16bf2c4f3d
Instruction Fuzzy Hash: 6A52E9794A5210FFEB0E7F61FA09AA53FA2F70C3457444539E9029122EE77648E4EF60

Function 02F84AD5 Relevance: 19.7, APIs: 13, Instructions: 197
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F8430F: ??_U@YAPAXI@Z.MSVCRT ref: 02F84387
Part of subcall function 02F8430F: ??_U@YAPAXI@Z.MSVCRT ref: 02F8439B
Part of subcall function 02F8430F: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02F843B9
Part of subcall function 02F8430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 02F843C9

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02F84B22
RtlAllocateHeap.NTDLL(00000000), ref: 02F84B29
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02F84B54
StrCmpCA.SHLWAPI(?), ref: 02F84B6D
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02F84BA1
HttpOpenRequestA.WININET(00000000,02FA8D80,?,00000000,00000000,00400100,00000000), ref: 02F84C00
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02F84C38
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02F84C49
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 02F84C74
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 02F84D05
InternetCloseHandle.WININET(00000000), ref: 02F84D9B
InternetCloseHandle.WININET(00000000), ref: 02F84DA7
InternetCloseHandle.WININET(00000000), ref: 02F84DC5

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID:
API String ID: 442264750-0
Opcode ID: bc4fd7d68c3ceda8383b8d059e16ca8294943c2b7b4bb4840b2753a7e60966ab
Instruction ID: eb8a4d4cfb03a9c5e619e98693272e4782659e3b553ec79a7a32dfc0d59e31b4
Opcode Fuzzy Hash: bc4fd7d68c3ceda8383b8d059e16ca8294943c2b7b4bb4840b2753a7e60966ab
Instruction Fuzzy Hash: 499115B1D4022DABEF20EF60DC44BEEBBB5BB08346F1040E5E609A6191DB756AC4CF14

Function 00977D3D Relevance: 11.2, APIs: 7, Instructions: 730memorynativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 00977DD6
NtMapViewOfSection.NTDLL(?,00000000), ref: 00977E7E
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 009781F2
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 009782A7
VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 009782C4
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00978367
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 0097839A

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000976000.00000040.00001000.00020000.00000000.sdmp, Offset: 00976000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_976000_file.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$View$AllocCreate
String ID:
API String ID: 2664363762-0
Opcode ID: 42def313b3f27d7dbc40fe03692585391203b583680a0eb8e46ebb5996ff43a6
Instruction ID: 320e187601c9f200fd25b6620b589ff29bf37645bf90fcd8797486fc92d1d9d2
Opcode Fuzzy Hash: 42def313b3f27d7dbc40fe03692585391203b583680a0eb8e46ebb5996ff43a6
Instruction Fuzzy Hash: 65428C72648301AFD724CF24CC48B6BBBE9EF88714F14892DF9899B251EB74E845CB51

Function 02F91ADD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91AF1
RtlAllocateHeap.NTDLL(00000000), ref: 02F91AF8
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,?), ref: 02F91B29
RegQueryValueExA.KERNEL32(?,00000000,00000000,?,000000FF), ref: 02F91B47
RegCloseKey.ADVAPI32(?), ref: 02F91B50

Strings

Windows 11, xrefs: 02F91B0A

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: 2efced819c014a7475f1b5b879641aabf04030cd8a253f5af2e1ffab870a804b
Instruction ID: ced48e507eb47a4401b507a9f01f605f696bad5a55ac3370bb5abf343aa36dca
Opcode Fuzzy Hash: 2efced819c014a7475f1b5b879641aabf04030cd8a253f5af2e1ffab870a804b
Instruction Fuzzy Hash: 48011975A80209FBEF14BFA4DC0AB9E7BB9FB08784F100070F705A6095E77196949B20

Function 02F938BA Relevance: 7.6, APIs: 5, Instructions: 51processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F938F5
Process32First.KERNEL32(?,00000128), ref: 02F93908
Process32Next.KERNEL32(?,00000128), ref: 02F9391C
StrCmpCA.SHLWAPI(?,?), ref: 02F93930
FindCloseChangeNotification.KERNEL32(?), ref: 02F93943

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: f69444655a90166b5c3cc8b9c9f002ddf23f9e1c610ceac2ec6bdd93d6ee477d
Instruction ID: 22e0f501780685dbe28835847810e269be43a4408d9c4feff7515635929bb8d2
Opcode Fuzzy Hash: f69444655a90166b5c3cc8b9c9f002ddf23f9e1c610ceac2ec6bdd93d6ee477d
Instruction Fuzzy Hash: 3211C271D44259EFEF119F91CC19BFEBFB9FB08795F0001A9EA01A2290D7749A40CB60

Function 00940A8D Relevance: 6.1, APIs: 4, Instructions: 100threadprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,009405D3,?,00000001,?,81EC8B55,000000FF), ref: 00940ACB
Thread32First.KERNEL32(00000000,0000001C), ref: 00940AF7
Wow64SuspendThread.KERNEL32(00000000), ref: 00940B4A
FindCloseChangeNotification.KERNEL32(00000000), ref: 00940B74

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID: ChangeCloseCreateFindFirstNotificationSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 376097663-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: f9da47013b434fd643a6c8e1fdea333da52a4f0bf7c63a295dee648e095a8742
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: D0410C71A00108AFDB18DFA8C990FADB7F6EFC8304F10C168E6159B7A4DA34AE45CB54

Function 02F91CBF Relevance: 6.0, APIs: 4, Instructions: 31memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91CCF
RtlAllocateHeap.NTDLL(00000000), ref: 02F91CD6
GetTimeZoneInformation.KERNEL32(?), ref: 02F91CE9
wsprintfA.USER32 ref: 02F91D20

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID:
API String ID: 3317088062-0
Opcode ID: 745d9b9381bf291212f1c08244f2f52f76fb427e3d729f7f41202ff21703d958
Instruction ID: b59e395b114c6b289b5c5435fca83b379e76dc93f8a20866a949920868174aab
Opcode Fuzzy Hash: 745d9b9381bf291212f1c08244f2f52f76fb427e3d729f7f41202ff21703d958
Instruction Fuzzy Hash: 09F05B71D44318AFEB24BB24DC49B95777ABB04355F0001E5F609A6191D7749AC4CF52

Function 02F91BEC Relevance: 4.5, APIs: 3, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91BF8
RtlAllocateHeap.NTDLL(00000000), ref: 02F91BFF
GetUserNameA.ADVAPI32(?,00000104), ref: 02F91C16

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Heap$AllocateNameProcessUser
String ID:
API String ID: 1296208442-0
Opcode ID: 7f2fe1993ac94138236298effdf56df0d59f1d172e0784061dc4d8f67b7cb0a3
Instruction ID: 10274e94065b34465b1967c8a2b02e58402063daf332ced9b6f94574c6d8c86b
Opcode Fuzzy Hash: 7f2fe1993ac94138236298effdf56df0d59f1d172e0784061dc4d8f67b7cb0a3
Instruction Fuzzy Hash: 1BE026F4D4020DFFDB00DB94D84AB9DBBB8EB04745F908455A601A2150D6B45A549B60

Function 0094093D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00940A09

Strings

,, xrefs: 00940A55

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 3e18605c10f506f479e1e5a0f6788849fa0cebc7e0445ce31945ccb7920274e2
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: 0F41C174A00209EFDB14CF98C994BAEB7B1FF88314F208698D515AB381D775AE81DF94

Function 02F91F21 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 02F91F2E
wsprintfA.USER32 ref: 02F91F43

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: de14122045c32c5e25ee2cc50d20b26054f1a6f196519052eb8787c2fa1b9713
Instruction ID: 1b795a574b47307fbd0ef7d5170e686faf05d22c50492d1dda931bcffaea4edb
Opcode Fuzzy Hash: de14122045c32c5e25ee2cc50d20b26054f1a6f196519052eb8787c2fa1b9713
Instruction Fuzzy Hash: CAD05EF180021CABDB00EBE4EC499D97BBCBB08208F4408B1E715E2041E3F4E6D88BE4

Function 0094037D Relevance: 1.9, APIs: 1, Instructions: 399threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 00940620

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d1867d65438df7f4ba1faff640181a03717b11aaafb002cc76c39316aa089a81
Instruction ID: 6effc7fa976747c307b720568620bcd20cb0628cce80f66f72e4525ebe496470
Opcode Fuzzy Hash: d1867d65438df7f4ba1faff640181a03717b11aaafb002cc76c39316aa089a81
Instruction Fuzzy Hash: DE12D2B4E00219DFDB14CF98C990BADBBB1FF88304F2486A9E615AB385D7356A41CF54

Function 02F9AAD6 Relevance: 105.2, APIs: 70, Instructions: 160
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000014), ref: 02F9AA0F
Sleep.KERNEL32(00000014), ref: 02F9AA17
Sleep.KERNEL32(00000014), ref: 02F9AA1F
Sleep.KERNEL32(00000014), ref: 02F9AA27
Sleep.KERNEL32(00000014), ref: 02F9AA2F
Sleep.KERNEL32(00000014), ref: 02F9AA37
OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 02F9AA4D
Sleep.KERNEL32(00000014), ref: 02F9AA5E
Sleep.KERNEL32(00000014), ref: 02F9AA66
Sleep.KERNEL32(00000014), ref: 02F9AA6E
Sleep.KERNEL32(00000014), ref: 02F9AA76
Sleep.KERNEL32(00000014), ref: 02F9AA7E
Sleep.KERNEL32(00000014), ref: 02F9AA86
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F9AA9B
Sleep.KERNEL32(00000014), ref: 02F9AAA6
Sleep.KERNEL32(00000014), ref: 02F9AAAE
Sleep.KERNEL32(00000014), ref: 02F9AAB6
Sleep.KERNEL32(00000014), ref: 02F9AABE
Sleep.KERNEL32(00000014), ref: 02F9AAC6
Sleep.KERNEL32(00000014), ref: 02F9AACE
Sleep.KERNEL32(00000014), ref: 02F9AADA
Sleep.KERNEL32(00000014), ref: 02F9AAE2
Sleep.KERNEL32(00000014), ref: 02F9AAEA
Sleep.KERNEL32(00000014), ref: 02F9AAF2
Sleep.KERNEL32(00000014), ref: 02F9AAFA
Sleep.KERNEL32(00000014), ref: 02F9AB02
CloseHandle.KERNEL32(00000000), ref: 02F9AB0B
Sleep.KERNEL32(00001B58), ref: 02F9AB16
Sleep.KERNEL32(00000014), ref: 02F9AB1E
Sleep.KERNEL32(00000014), ref: 02F9AB26
Sleep.KERNEL32(00000014), ref: 02F9AB2E
Sleep.KERNEL32(00000014), ref: 02F9AB36
Sleep.KERNEL32(00000014), ref: 02F9AB3E
Sleep.KERNEL32(00000014), ref: 02F9AB46
Sleep.KERNEL32(00000014), ref: 02F9AB53
Sleep.KERNEL32(00000014), ref: 02F9AB5B
Sleep.KERNEL32(00000014), ref: 02F9AB63
Sleep.KERNEL32(00000014), ref: 02F9AB6B
Sleep.KERNEL32(00000014), ref: 02F9AB73
Sleep.KERNEL32(00000014), ref: 02F9AB7B
Sleep.KERNEL32(00000014), ref: 02F9AB83
Sleep.KERNEL32(00000014), ref: 02F9AB8B
Sleep.KERNEL32(00000014), ref: 02F9AB93
Sleep.KERNEL32(00000014), ref: 02F9AB9B
Sleep.KERNEL32(00000014), ref: 02F9ABA3
Sleep.KERNEL32(00000014), ref: 02F9ABAB
Sleep.KERNEL32(00000014), ref: 02F9ABB8
Sleep.KERNEL32(00000014), ref: 02F9ABC0
Sleep.KERNEL32(00000014), ref: 02F9ABC8
Sleep.KERNEL32(00000014), ref: 02F9ABD0
Sleep.KERNEL32(00000014), ref: 02F9ABD8
Sleep.KERNEL32(00000014), ref: 02F9ABE0
Sleep.KERNEL32(00000014), ref: 02F9ABE8
Sleep.KERNEL32(00000014), ref: 02F9ABF0
Sleep.KERNEL32(00000014), ref: 02F9ABF8
Sleep.KERNEL32(00000014), ref: 02F9AC00
Sleep.KERNEL32(00000014), ref: 02F9AC08
Sleep.KERNEL32(00000014), ref: 02F9AC10
CloseHandle.KERNEL32(?), ref: 02F9AC19
Sleep.KERNEL32(00000014), ref: 02F9AC21
Sleep.KERNEL32(00000014), ref: 02F9AC29
Sleep.KERNEL32(00000014), ref: 02F9AC31
Sleep.KERNEL32(00000014), ref: 02F9AC39
Sleep.KERNEL32(00000014), ref: 02F9AC41
Sleep.KERNEL32(00000014), ref: 02F9AC49
Sleep.KERNEL32(00000014), ref: 02F9AC51
Sleep.KERNEL32(00000014), ref: 02F9AC59
Sleep.KERNEL32(00000014), ref: 02F9AC61
Sleep.KERNEL32(00000014), ref: 02F9AC69
Sleep.KERNEL32(00000014), ref: 02F9AC71
Sleep.KERNEL32(00000014), ref: 02F9AC79
Sleep.KERNEL32(00000014), ref: 02F9AC81
Sleep.KERNEL32(00000014), ref: 02F9AC89
Sleep.KERNEL32(00000014), ref: 02F9AC91
Sleep.KERNEL32(00000014), ref: 02F9AC99
Sleep.KERNEL32(00000014), ref: 02F9ACA1
Sleep.KERNEL32(00000014), ref: 02F9ACA9
ExitProcess.KERNEL32 ref: 02F9ACB1

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Sleep$CloseEventHandle$CreateExitOpenProcess
String ID:
API String ID: 3990214622-0
Opcode ID: f272b5dccdab99b60ecd536f8fb32ba91250107cee5cd3f403f23d7be1450420
Instruction ID: 7357fb167c691705bebfd37f7e85373a6b0d1fb25ebd7fe7a20cb2b1c04abdc3
Opcode Fuzzy Hash: f272b5dccdab99b60ecd536f8fb32ba91250107cee5cd3f403f23d7be1450420
Instruction Fuzzy Hash: 8F5157316E525EBFEB047BE0990EBE83E66AB1C746F140034B30A9D1E6CAF145D49B31

Function 02F84E03 Relevance: 38.2, APIs: 25, Instructions: 713
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F8430F: ??_U@YAPAXI@Z.MSVCRT ref: 02F84387
Part of subcall function 02F8430F: ??_U@YAPAXI@Z.MSVCRT ref: 02F8439B
Part of subcall function 02F8430F: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02F843B9
Part of subcall function 02F8430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 02F843C9

lstrlen.KERNEL32(00000000), ref: 02F84E8B

Part of subcall function 02F9302D: CryptBinaryToStringA.CRYPT32(00000000,02F84E7F,40000001,00000000,00000000), ref: 02F9304A

StrCmpCA.SHLWAPI(?,02FA5200,02FA5200,02FA5200,02FA5200), ref: 02F84EEF
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F84F17
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02F85025
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00400100,00000000), ref: 02F85082
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02F850BA

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

lstrlen.KERNEL32(00000000,00000000,?,02FA8D60,00000000,?,02FA8D94,00000000,?,00000000,?,02FA8D7C,00000000,?,00000000,00000000), ref: 02F85579
lstrlen.KERNEL32(00000000), ref: 02F8558D
GetProcessHeap.KERNEL32(00000000,?), ref: 02F8559D
RtlAllocateHeap.NTDLL(00000000), ref: 02F855A4
lstrlen.KERNEL32(00000000), ref: 02F855B9
memcpy.MSVCRT ref: 02F855CF
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 02F855E6
memcpy.MSVCRT ref: 02F855F3
lstrlen.KERNEL32(00000000), ref: 02F85604
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 02F8561D
memcpy.MSVCRT ref: 02F8562D
lstrlen.KERNEL32(00000000,?,?), ref: 02F85647
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 02F8565A
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 02F8568D
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02F85730
StrCmpCA.SHLWAPI(00000000,02FA8D84), ref: 02F857A1
ExitProcess.KERNEL32 ref: 02F857AD
InternetCloseHandle.WININET(00000000), ref: 02F85824

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrlen$Internet$lstrcpy$Httpmemcpy$HeapOpenProcessRequestlstrcat$AllocateBinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
String ID:
API String ID: 1402206147-0
Opcode ID: e3434e3b3524ebc8bd6f96a596d98d899eb9b8ed5056f7cf61cef7391578ce0d
Instruction ID: e331e3b1e3a571a2dce3a9936120564dcb25bc9a415c24cc149096004c647552
Opcode Fuzzy Hash: e3434e3b3524ebc8bd6f96a596d98d899eb9b8ed5056f7cf61cef7391578ce0d
Instruction Fuzzy Hash: F652BD72D0021EAAEF15FB60DCA0EDEB77AAF15381F5041B5E61AB2090DF716A48CF51

Function 02F858C4 Relevance: 30.6, APIs: 20, Instructions: 565
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F8430F: ??_U@YAPAXI@Z.MSVCRT ref: 02F84387
Part of subcall function 02F8430F: ??_U@YAPAXI@Z.MSVCRT ref: 02F8439B
Part of subcall function 02F8430F: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02F843B9
Part of subcall function 02F8430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 02F843C9

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F8595F
StrCmpCA.SHLWAPI(?), ref: 02F85975
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02F85AEF
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00400100,00000000), ref: 02F85B4C
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,02FA8D60,00000000,?,02FA8DB4,00000000,?,00000000,?,02FA8D7C,00000000), ref: 02F85F2B
lstrlen.KERNEL32(00000000), ref: 02F85F3C
GetProcessHeap.KERNEL32(00000000,?), ref: 02F85F4C
RtlAllocateHeap.NTDLL(00000000), ref: 02F85F53
lstrlen.KERNEL32(00000000), ref: 02F85F68
memcpy.MSVCRT ref: 02F85F7E
lstrlen.KERNEL32(00000000), ref: 02F85F8F
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 02F85FA8
memcpy.MSVCRT ref: 02F85FB5
lstrlen.KERNEL32(00000000,?,?), ref: 02F85FCF
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 02F85FE2
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 02F85FFE
InternetCloseHandle.WININET(00000000), ref: 02F86061
InternetCloseHandle.WININET(00000000), ref: 02F8606D
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02F85B84

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

InternetCloseHandle.WININET(00000000), ref: 02F86076

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileOptionProcessReadSend
String ID:
API String ID: 3096766799-0
Opcode ID: 52d2a762ac38d543be935cd40b0760002e26ce1b17847884047889bd0d2a4e0a
Instruction ID: bb53a6692c1c77a30eaf4f57437559e923226258ac0d4df336faa9f063af2cf2
Opcode Fuzzy Hash: 52d2a762ac38d543be935cd40b0760002e26ce1b17847884047889bd0d2a4e0a
Instruction Fuzzy Hash: D9329C7281011EAAEF15FBA0DD94EDEB77ABF14781F5001B5E60AA20A0DF716B48CF51

Function 02FA095B Relevance: 25.1, APIs: 12, Strings: 2, Instructions: 617
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 02FA0CDC
T, xrefs: 02FA0CE3

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID:
String ID: T$U
API String ID: 0-2115836835
Opcode ID: f212c1a9dbe602e5907e09758c857071885e3c502ffebd4a886c7e0a8c353d1b
Instruction ID: 5b7c212cfcce902b1ea5c9fa64ffe51637c9c5ab857dadd9e10923a2abc24a90
Opcode Fuzzy Hash: f212c1a9dbe602e5907e09758c857071885e3c502ffebd4a886c7e0a8c353d1b
Instruction Fuzzy Hash: 956228B4E052A9CFDB20CF64D8A4BEAB7B5AF04345F0540DADA09A7251D734DE88CF58

Function 02F98FD9 Relevance: 22.2, APIs: 4, Strings: 8, Instructions: 1237
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F91715: lstrlen.KERNEL32(02F860AC,?,?,02F860AC,02FA5200), ref: 02F9171F
Part of subcall function 02F91715: lstrcpy.KERNEL32(02FA5200,00000000), ref: 02F9176D

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Part of subcall function 02F938BA: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F938F5
Part of subcall function 02F938BA: Process32First.KERNEL32(?,00000128), ref: 02F93908
Part of subcall function 02F938BA: Process32Next.KERNEL32(?,00000128), ref: 02F9391C
Part of subcall function 02F938BA: StrCmpCA.SHLWAPI(?,?), ref: 02F93930
Part of subcall function 02F938BA: FindCloseChangeNotification.KERNEL32(?), ref: 02F93943

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?,?,?,02FA5200,00000000), ref: 02F99657
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F9972D
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F99747

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F91948: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 02F91964
Part of subcall function 02F91948: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02F919A1
Part of subcall function 02F91948: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91A18
Part of subcall function 02F91948: RtlAllocateHeap.NTDLL(00000000), ref: 02F91A1F

Part of subcall function 02F843FA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F84492
Part of subcall function 02F843FA: StrCmpCA.SHLWAPI(?), ref: 02F844B2

Part of subcall function 02F94F8C: StrCmpCA.SHLWAPI(00000000,02FA8D84), ref: 02F94FB1
Part of subcall function 02F94F8C: ExitProcess.KERNEL32 ref: 02F94FBD

Part of subcall function 02F8F99F: StrCmpCA.SHLWAPI(00000000,?,?), ref: 02F8F9EF
Part of subcall function 02F8F99F: StrCmpCA.SHLWAPI(00000000,?,?), ref: 02F8FA75

Part of subcall function 02F858C4: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F8595F
Part of subcall function 02F858C4: StrCmpCA.SHLWAPI(?), ref: 02F85975

Part of subcall function 02F9497B: strtok_s.MSVCRT ref: 02F949A3
Part of subcall function 02F9497B: strtok_s.MSVCRT ref: 02F94A94

Part of subcall function 02F97B07: lstrcat.KERNEL32(?,00000000), ref: 02F97B40
Part of subcall function 02F97B07: lstrcat.KERNEL32(?), ref: 02F97B5E

Sleep.KERNEL32(000003E8), ref: 02F99AFA

Part of subcall function 02F97C93: memset.MSVCRT ref: 02F97CAA
Part of subcall function 02F97C93: lstrcat.KERNEL32(?,00000000), ref: 02F97CD1
Part of subcall function 02F97C93: lstrcat.KERNEL32(?,02FA97E8), ref: 02F97CEE
Part of subcall function 02F97C93: memset.MSVCRT ref: 02F97D2E
Part of subcall function 02F97C93: lstrcat.KERNEL32(?,00000000), ref: 02F97D55
Part of subcall function 02F97C93: lstrcat.KERNEL32(?,02FA97CC), ref: 02F97D72
Part of subcall function 02F97C93: memset.MSVCRT ref: 02F97DB2
Part of subcall function 02F97C93: lstrcat.KERNEL32(?,00000000), ref: 02F97DD9
Part of subcall function 02F97C93: lstrcat.KERNEL32(?,02FA97AC), ref: 02F97DF6

Part of subcall function 02F84E03: lstrlen.KERNEL32(00000000), ref: 02F84E8B
Part of subcall function 02F84E03: StrCmpCA.SHLWAPI(?,02FA5200,02FA5200,02FA5200,02FA5200), ref: 02F84EEF
Part of subcall function 02F84E03: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F84F17

Strings

d, xrefs: 02F9A1C0
d, xrefs: 02F99188
2, xrefs: 02F991C9
d, xrefs: 02F99106
2, xrefs: 02F9A169
d, xrefs: 02F9A217
d, xrefs: 02F9A26E
d, xrefs: 02F99147

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcat$InternetOpenlstrcpy$lstrlenmemset$CreateDirectoryHeapProcessProcess32strtok_s$AllocateChangeCloseExitFindFirstInformationNextNotificationSleepSnapshotToolhelp32VolumeWindows
String ID: 2$2$d$d$d$d$d$d
API String ID: 2038798392-2515486650
Opcode ID: 947e22c2129685afcf28886b8638971ebafcb015995e79c7f0f78b52f49f98ec
Instruction ID: 950e917067ce0d26c76be5a00ba8d845025bde2c555c335bcf9176f95ea9f27f
Opcode Fuzzy Hash: 947e22c2129685afcf28886b8638971ebafcb015995e79c7f0f78b52f49f98ec
Instruction Fuzzy Hash: A5B22E72D441199AEF24FB60CC95EDEB779AB14380F5041F9D60EA2150EF35AB88CFA1

Function 02F9218B Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 164
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

RegOpenKeyExA.KERNEL32(?,00000000,00020019,00000000,02FA5200), ref: 02F921DE
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 02F92259
wsprintfA.USER32 ref: 02F9228B
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,00000000), ref: 02F922AC
RegCloseKey.ADVAPI32(00000000), ref: 02F922BC
RegCloseKey.ADVAPI32(00000000), ref: 02F922C8

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Strings

?, xrefs: 02F921B9

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: ?
API String ID: 3246050789-1684325040
Opcode ID: 10b136e1ebd7e9a157356fa845cef6e9f0827f2c8e945de3964ea6afb3465bfa
Instruction ID: 06d07ca680cc8c392a928597afa9268ed46876ca97f76c599bee82b67e147512
Opcode Fuzzy Hash: 10b136e1ebd7e9a157356fa845cef6e9f0827f2c8e945de3964ea6afb3465bfa
Instruction Fuzzy Hash: 6C71D47290011DABEF65EB60CD45FDA77B9FF08345F4086A5E60AA2050DF71AB89CF90

Function 02F91948 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 116
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 02F91964
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02F919A1
GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91A18
RtlAllocateHeap.NTDLL(00000000), ref: 02F91A1F
wsprintfA.USER32 ref: 02F91A54
lstrcat.KERNEL32(00000000,02FA9270), ref: 02F91A65

Part of subcall function 02F92667: GetCurrentHwProfileA.ADVAPI32(?), ref: 02F92674

lstrlen.KERNEL32(00000000), ref: 02F91A7E

Part of subcall function 02F936CE: malloc.MSVCRT ref: 02F936D5

lstrcat.KERNEL32(00000000,00000000), ref: 02F91AAC

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Strings

\, xrefs: 02F91982
C, xrefs: 02F9196E
:, xrefs: 02F9197E

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Heaplstrcat$AllocateCurrentDirectoryInformationProcessProfileVolumeWindowslstrcpylstrlenmallocwsprintf
String ID: :$C$\
API String ID: 2966432621-3809124531
Opcode ID: 3e6e1a94b985cd2c640396f920c6f33c7730d6ecb681b97e0d20f196b371e941
Instruction ID: d8a4b998d0c12c829d8bc396310f0470ac887df020920b0c0f88c7b5e40e0d75
Opcode Fuzzy Hash: 3e6e1a94b985cd2c640396f920c6f33c7730d6ecb681b97e0d20f196b371e941
Instruction Fuzzy Hash: 90415E71D0021DAFEF11FBA0DC59BEE7BB9AF08345F1000A5E60AA6190DB759B84CF64

Function 02F843FA Relevance: 18.5, APIs: 12, Instructions: 451
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F8430F: ??_U@YAPAXI@Z.MSVCRT ref: 02F84387
Part of subcall function 02F8430F: ??_U@YAPAXI@Z.MSVCRT ref: 02F8439B
Part of subcall function 02F8430F: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02F843B9
Part of subcall function 02F8430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 02F843C9

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F84492
StrCmpCA.SHLWAPI(?), ref: 02F844B2
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02F8462C
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00400100,00000000), ref: 02F84682
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02F846BA

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

lstrlen.KERNEL32(00000000,00000000,?,?,?,?,02FA5200,00000000,?,?,00000000,?,02FA8D60,00000000,?,02FA8D54), ref: 02F8497C
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 02F84998
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 02F849AB
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02F849D5
InternetCloseHandle.WININET(00000000), ref: 02F84A38
InternetCloseHandle.WININET(00000000), ref: 02F84A4F
InternetCloseHandle.WININET(00000000), ref: 02F84A58

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID:
API String ID: 3006978581-0
Opcode ID: d9d966a054fe72894472deb394ddb7827469530aafb856abb02d03f2a8e0f81c
Instruction ID: 6d513a3c0b791db42415c51369383db7088355b9b67fe327d262ebe7589d3baf
Opcode Fuzzy Hash: d9d966a054fe72894472deb394ddb7827469530aafb856abb02d03f2a8e0f81c
Instruction Fuzzy Hash: 6012D97291021EAAEF15EB60CDA1FDEB77ABF15381F5001B5E60AA2090DF716B48CF51

Function 02F98167 Relevance: 17.2, APIs: 11, Instructions: 749
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F91715: lstrlen.KERNEL32(02F860AC,?,?,02F860AC,02FA5200), ref: 02F9171F
Part of subcall function 02F91715: lstrcpy.KERNEL32(02FA5200,00000000), ref: 02F9176D

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

StrCmpCA.SHLWAPI(00000000,02FA8D8C,00000000), ref: 02F982BD
StrCmpCA.SHLWAPI(00000000,02FA8D8C), ref: 02F98321

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F97E48: StrCmpCA.SHLWAPI(00000000,02FA8D8C), ref: 02F97E8B

Part of subcall function 02F97F35: StrCmpCA.SHLWAPI(00000000,02FA8D8C,00000000), ref: 02F97F96
Part of subcall function 02F97F35: lstrlen.KERNEL32(00000000), ref: 02F97FAD
Part of subcall function 02F97F35: StrStrA.SHLWAPI(00000000,00000000), ref: 02F97FDD
Part of subcall function 02F97F35: lstrlen.KERNEL32(00000000), ref: 02F97FF9
Part of subcall function 02F97F35: lstrlen.KERNEL32(00000000), ref: 02F9801F

StrCmpCA.SHLWAPI(00000000,02FA8D8C,00000000), ref: 02F9840E
StrCmpCA.SHLWAPI(00000000,02FA8D8C), ref: 02F98519
StrCmpCA.SHLWAPI(00000000,02FA8D8C,00000000), ref: 02F98606
StrCmpCA.SHLWAPI(00000000,02FA8D8C), ref: 02F98711
StrCmpCA.SHLWAPI(00000000,02FA8D8C,00000000), ref: 02F987FE
StrCmpCA.SHLWAPI(00000000,02FA8D8C), ref: 02F98909
StrCmpCA.SHLWAPI(00000000,02FA8D8C), ref: 02F98B01

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpylstrlen
String ID:
API String ID: 2001356338-0
Opcode ID: c80921ed6ca27118ff00362cbf1497eab3d62a60a46ba1d466ade6328ab81d12
Instruction ID: 7c9d3fad819d1debe1ef85fce4b89be83572c8ec1f5956b1e946b99d3e66b36b
Opcode Fuzzy Hash: c80921ed6ca27118ff00362cbf1497eab3d62a60a46ba1d466ade6328ab81d12
Instruction Fuzzy Hash: EE42E072D0010E5AEF14FBB0DD659EEB77AAF113C1F504175DA0AA6090EF35AA48CE92

Function 02F86312 Relevance: 16.7, APIs: 11, Instructions: 184
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F8430F: ??_U@YAPAXI@Z.MSVCRT ref: 02F84387
Part of subcall function 02F8430F: ??_U@YAPAXI@Z.MSVCRT ref: 02F8439B
Part of subcall function 02F8430F: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02F843B9
Part of subcall function 02F8430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 02F843C9

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F86373
StrCmpCA.SHLWAPI(?), ref: 02F86390
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02F863BE
HttpOpenRequestA.WININET(00000000,02FA8D80,?,00000000,00000000,00400100,00000000), ref: 02F8640A
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02F86442
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02F86453
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 02F8647E
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02F864F3
InternetCloseHandle.WININET(00000000), ref: 02F8657C
InternetCloseHandle.WININET(00000000), ref: 02F86585
InternetCloseHandle.WININET(00000000), ref: 02F8658E

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID:
API String ID: 3749127164-0
Opcode ID: 76fd2df6ad7bdfd8a983fe606c654921c98872489415edf88f2e7ea5c5991517
Instruction ID: 94694f44675e73d64b4deb21cf077a634f0724b9a68b7bb4f9de91674e5dbbd6
Opcode Fuzzy Hash: 76fd2df6ad7bdfd8a983fe606c654921c98872489415edf88f2e7ea5c5991517
Instruction Fuzzy Hash: F6712D7194021DEFEF25EFA0CC45BDEBBB9FB04341F1040A5E60AAA194DBB16A84CF51

Function 02F84239 Relevance: 13.8, APIs: 11, Instructions: 73
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000040,?,?,?,?,?,02F8234D,02FA57D0,02FA57E0,0000000F), ref: 02F84246
wcslen.MSVCRT ref: 02F84272
wcslen.MSVCRT ref: 02F8427D
wcslen.MSVCRT ref: 02F84288
wcslen.MSVCRT ref: 02F84293
strlen.MSVCRT ref: 02F842A5
wcslen.MSVCRT ref: 02F842CA
wcslen.MSVCRT ref: 02F842D5
wcslen.MSVCRT ref: 02F842ED
wcslen.MSVCRT ref: 02F842F8
wcslen.MSVCRT ref: 02F84303

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: wcslen$AllocLocalstrlen
String ID:
API String ID: 224765317-0
Opcode ID: 68ef355b82286542988cec362b45668d643523796e110a58e149001cd7afdbce
Instruction ID: 71338c153eea9647970555150fbb977f36474a910c655a03b92da83c4d7071d6
Opcode Fuzzy Hash: 68ef355b82286542988cec362b45668d643523796e110a58e149001cd7afdbce
Instruction Fuzzy Hash: CE216FB168424CAFF704EBECDCA6E5E7BE5EF447D0F510045E60996180DAB4AA508E12

Function 02F92081 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F9208E
RtlAllocateHeap.NTDLL(00000000), ref: 02F92095
GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 02F920B6
__aulldiv.LIBCMT ref: 02F920CE
__aulldiv.LIBCMT ref: 02F920DC
wsprintfA.USER32 ref: 02F920FF

Strings

@, xrefs: 02F920AB

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
String ID: @
API String ID: 2774356765-2766056989
Opcode ID: 8de75cd04586127e4528087c793e4526af859eb85762724c7f37b993d0a14144
Instruction ID: 550f798116d68f7b0c75b81009980fa01967490688793ff6ae44906cfd0b32ad
Opcode Fuzzy Hash: 8de75cd04586127e4528087c793e4526af859eb85762724c7f37b993d0a14144
Instruction Fuzzy Hash: DC0108B1D40208BBEF00AFE0CC09BAEBBB9BB04B85F104418F714BA095C7B8A6519F54

Function 02F8430F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 02F84387
??_U@YAPAXI@Z.MSVCRT ref: 02F8439B
lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02F843B9
InternetCrackUrlA.WININET(00000000,00000000), ref: 02F843C9

Strings

<, xrefs: 02F8435B
<, xrefs: 02F8431A

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: CrackInternetlstrlen
String ID: <$<
API String ID: 1274457161-213342407
Opcode ID: 67dfed34478a66d728c554d39906b35a79514a011547d1335f4bcd0ad1ae7b29
Instruction ID: 83998020b12b59e98e4d3096cd8ce5435d52ce35062274dafff1196a79b04615
Opcode Fuzzy Hash: 67dfed34478a66d728c554d39906b35a79514a011547d1335f4bcd0ad1ae7b29
Instruction Fuzzy Hash: 8921E871D00219EFDF14DFA8E884BDDBBB4BB08364F108155E669E7290DB705A85CF60

Function 02F927AF Relevance: 9.2, APIs: 6, Instructions: 172memorytimeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02F928C1
FileTimeToSystemTime.KERNEL32(?,?), ref: 02F928FA
GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F92907
RtlAllocateHeap.NTDLL(00000000), ref: 02F9290E
wsprintfA.USER32 ref: 02F9293D
VariantClear.OLEAUT32(?), ref: 02F92955

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: HeapTimeVariant$AllocateClearFileInitProcessSystemwsprintf
String ID:
API String ID: 2682051928-0
Opcode ID: 25dc41e8c21762d4dfa0fbbb0c9b40bdc4686f555efceeb733c7134619fb3f19
Instruction ID: 6ac84732edb40389e059b5735e9321148d1d459d31710207271b619fb5ea3147
Opcode Fuzzy Hash: 25dc41e8c21762d4dfa0fbbb0c9b40bdc4686f555efceeb733c7134619fb3f19
Instruction Fuzzy Hash: 1461B8B1E80208BFEB10DBD4DC55FADBBB9BB08B91F104125FA11BA1D0D7B4A944DB64

Function 02F9FD2C Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02F9FD9F

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d3f9d8d80f934f854145404bb274e2ce0c4b7689de2b781352d67f735750ed0a
Instruction ID: 22784f1acaac67a2ddcd473ae5712613f1a1341079bf0a0f237f1b26a4f798b3
Opcode Fuzzy Hash: d3f9d8d80f934f854145404bb274e2ce0c4b7689de2b781352d67f735750ed0a
Instruction Fuzzy Hash: 2B61E774E0020ADFEF10CF58CA49BAEBBF1BB04755F258659E515AB292C3B4DA40CF61

Function 02F97F35 Relevance: 7.6, APIs: 5, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F86312: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F86373
Part of subcall function 02F86312: StrCmpCA.SHLWAPI(?), ref: 02F86390
Part of subcall function 02F86312: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02F863BE
Part of subcall function 02F86312: HttpOpenRequestA.WININET(00000000,02FA8D80,?,00000000,00000000,00400100,00000000), ref: 02F8640A
Part of subcall function 02F86312: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02F86442
Part of subcall function 02F86312: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02F86453

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

StrCmpCA.SHLWAPI(00000000,02FA8D8C,00000000), ref: 02F97F96
lstrlen.KERNEL32(00000000), ref: 02F97FAD

Part of subcall function 02F92FD6: LocalAlloc.KERNEL32(00000040,00000001), ref: 02F92FF2

StrStrA.SHLWAPI(00000000,00000000), ref: 02F97FDD
lstrlen.KERNEL32(00000000), ref: 02F97FF9
lstrlen.KERNEL32(00000000), ref: 02F9801F

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
String ID:
API String ID: 3240024479-0
Opcode ID: eb062cedc47b3c2228bc1f8d124cfb057adf87990bd81f29efa40c764c8edb0d
Instruction ID: e46bf6f87093fc735f1fc32b6fafcbc90cbc3544703eeba4b30ec3ddb44177e4
Opcode Fuzzy Hash: eb062cedc47b3c2228bc1f8d124cfb057adf87990bd81f29efa40c764c8edb0d
Instruction Fuzzy Hash: 5851DA7190020AAFEF18FF60DD659EE7776BF113C5F604128EA0B961A0DF31AA49CE51

Function 02F92213 Relevance: 7.6, APIs: 5, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 02F92259
wsprintfA.USER32 ref: 02F9228B
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,00000000), ref: 02F922AC
RegCloseKey.ADVAPI32(00000000), ref: 02F922BC
RegCloseKey.ADVAPI32(00000000), ref: 02F922C8

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

RegQueryValueExA.KERNEL32(00000000,00000000,000F003F,?,00000400), ref: 02F9231A
lstrlen.KERNEL32(?), ref: 02F9232F
RegQueryValueExA.KERNEL32(00000000,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,02FA8E48), ref: 02F923C6
RegCloseKey.ADVAPI32(00000000), ref: 02F92434
RegCloseKey.ADVAPI32(00000000), ref: 02F92445

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID:
API String ID: 3896182533-0
Opcode ID: 8a6637edf35ba5a0aee68b8c783e4f5618b33f94d86ef307c16564af4ec779f8
Instruction ID: 90298f2d43188848238a0de02f522ebbb03d67aa5bd55b26d7c0509e45b3296f
Opcode Fuzzy Hash: 8a6637edf35ba5a0aee68b8c783e4f5618b33f94d86ef307c16564af4ec779f8
Instruction Fuzzy Hash: C821037194012CAFEF64EB10CC44BD9BBB8FF08344F4085E4E649A2090DF709AC98FA0

Function 02F925CA Relevance: 7.5, APIs: 5, Instructions: 39registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02F925F2
RegOpenKeyExA.KERNEL32(80000002,02FA92C4,00000000,00020119,?), ref: 02F92612
RegQueryValueExA.KERNEL32(?,02FA92B8,00000000,00000000,00000000,000000FF), ref: 02F92639
RegCloseKey.ADVAPI32(?), ref: 02F92645
CharToOemA.USER32(00000000,?), ref: 02F92659

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: CharCloseOpenQueryValuememset
String ID:
API String ID: 2391366103-0
Opcode ID: 84d26874a1e4eb95e5888200782f90602aef9f1474292e68e3ea39a3cbb6d26d
Instruction ID: dcea43374c5f2dd849d62c767a82bb2d75532607be8fbb58ee43b9b229d6ca83
Opcode Fuzzy Hash: 84d26874a1e4eb95e5888200782f90602aef9f1474292e68e3ea39a3cbb6d26d
Instruction Fuzzy Hash: 4A01F4B594031DBBEB209B50DC4AFDA77BCAB14744F4001E1A749E5091DBF09AD48F51

Function 02F91B5B Relevance: 7.5, APIs: 5, Instructions: 36registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91B6F
RtlAllocateHeap.NTDLL(00000000), ref: 02F91B76
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,02F91B06), ref: 02F91B95
RegQueryValueExA.KERNEL32(02F91B06,02FA9280,00000000,00000000,?,000000FF), ref: 02F91BB2
RegCloseKey.ADVAPI32(02F91B06), ref: 02F91BBB

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 72613fce09d43cd4e668089effc5b5fced9c907c34c41c4765e42db3c1b4a2f7
Instruction ID: b8d7d5323bb157be32c1f7f84f5dcf035f4e9d3eeabdd91e5d0f567670faefd7
Opcode Fuzzy Hash: 72613fce09d43cd4e668089effc5b5fced9c907c34c41c4765e42db3c1b4a2f7
Instruction Fuzzy Hash: 37F03771980309BBEB04BFE0DC0AFAEBFB8FB08744F1000A4F701A6095D7B096909B60

Function 02F91EB5 Relevance: 7.5, APIs: 5, Instructions: 32registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91EC9
RtlAllocateHeap.NTDLL(00000000), ref: 02F91ED0
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,?), ref: 02F91EEF
RegQueryValueExA.KERNEL32(?,00000000,00000000,?,000000FF), ref: 02F91F0D
RegCloseKey.ADVAPI32(?), ref: 02F91F16

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 4f3518d00a611bdafacb68fc415c6f79fe9d4df803ebef9ebdd9012aa210798f
Instruction ID: 4a7a91a6795cd40e7bc5447c38cfd86387d9e601e0265267b75c530272b3fbe9
Opcode Fuzzy Hash: 4f3518d00a611bdafacb68fc415c6f79fe9d4df803ebef9ebdd9012aa210798f
Instruction Fuzzy Hash: 7FF01775A80309FBEB14BBE0EC0AF9DBFB8FB0C745F104064F601A5195D77196949B20

Function 02F98DB9 Relevance: 6.1, APIs: 4, Instructions: 85synchronizationthreadCOMMON

Download Yara Rule

APIs

_MSFOpenExW.MSPDB140-MSVCRT ref: 02F98E6C
CreateThread.KERNEL32(00000000,00000000,Function_00017C65,?,00000000,00000000), ref: 02F98E85
WaitForSingleObject.KERNEL32(?,000003E8), ref: 02F98E96

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: CreateObjectOpenSingleThreadWait
String ID:
API String ID: 4234577939-0
Opcode ID: 78b1d5a3bd9b11881289c3e98ee72e6a8c7cd13f34101651422d582419bc4a6b
Instruction ID: f7fd06c9f5b35486c490cc64ea613df9cfdc4ca3be2f50ee5c6d24b17758634d
Opcode Fuzzy Hash: 78b1d5a3bd9b11881289c3e98ee72e6a8c7cd13f34101651422d582419bc4a6b
Instruction Fuzzy Hash: A2316C7194010DAFEF14EFA0CC51BEE7BB9FF04385F548125EA06A6190EB709A4ACF90

Function 02F9246A Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F92491
Process32First.KERNEL32(?,00000128), ref: 02F924A4
Process32Next.KERNEL32(?,00000128), ref: 02F924B8

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

CloseHandle.KERNEL32(?), ref: 02F92525

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 9c255fa2cf99e613ef5ed00005c65caa49dff99794aa38c4fbf402e6ae2ab280
Instruction ID: 5c75ef89804f760467436e894cbfd6bba54b56167ccfb092daedc8a6723d18a0
Opcode Fuzzy Hash: 9c255fa2cf99e613ef5ed00005c65caa49dff99794aa38c4fbf402e6ae2ab280
Instruction Fuzzy Hash: FA211A7190011DAAEF15EB50DD64ADEB779AF15385F5041F5A60AB20A0DB319F88CF90

Function 009789BB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 00978A4D

Strings

.dll, xrefs: 00978A29, 00978A2C
., xrefs: 009789E6

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000976000.00000040.00001000.00020000.00000000.sdmp, Offset: 00976000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_976000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .$.dll
API String ID: 1029625771-979041800
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: 4f69dd9f66ce5841fa757d4049c8677dcbe05cdc67fb311e3e060848bc89d429
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: EA210A336042859FDB15DF6CC848B7B7BA8AF05320F18816DD949D7A41EB30EC45C750

Function 02F926A3 Relevance: 4.6, APIs: 3, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 02F92700
SysFreeString.OLEAUT32(?), ref: 02F92771
SysFreeString.OLEAUT32(00000000), ref: 02F9277A

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 9dac5744905a80ff998445484e665f22444d383ce9b30e0ff42894bec7b3f464
Instruction ID: 5704cf050caf350b0d6c1050d82f88fae51ddc2487da00425622e3a2f42ed609
Opcode Fuzzy Hash: 9dac5744905a80ff998445484e665f22444d383ce9b30e0ff42894bec7b3f464
Instruction Fuzzy Hash: AA3103B5D00209EFEF05DFA8C849BEEBBB5FB08355F004569EA15A32A0C7759940CFA0

Function 02F98E9E Relevance: 4.5, APIs: 3, Instructions: 45sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

_MSFOpenExW.MSPDB140-MSVCRT ref: 02F98E6C
CreateThread.KERNEL32(00000000,00000000,Function_00017C65,?,00000000,00000000), ref: 02F98E85
WaitForSingleObject.KERNEL32(?,000003E8), ref: 02F98E96
Sleep.KERNEL32(000003E8,?,00000000,?,?), ref: 02F98EA5

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: CreateObjectOpenSingleSleepThreadWait
String ID:
API String ID: 1990444757-0
Opcode ID: 39949be7ff8a4b878e96c24a33bbfa01f13689d3536b4c5e55f44cfb1305b89d
Instruction ID: db1db515b45ad9233acb6b815a2cbf2233757275b65b7e787682b335a96c720c
Opcode Fuzzy Hash: 39949be7ff8a4b878e96c24a33bbfa01f13689d3536b4c5e55f44cfb1305b89d
Instruction Fuzzy Hash: E8015771A90109ABFF15FFA0DC51BAD7B69BB057C9F544120E60AA50A1DB709A42CF50

Function 02F93563 Relevance: 4.5, APIs: 3, Instructions: 25COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 02F93576
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 02F93596
CloseHandle.KERNEL32(00000000), ref: 02F9359F

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 7d8b7802d37e1bbd87d4f589c6e046fc1b9ee14492e68af191a0d42c957c5b1c
Instruction ID: 3a4c76d734e6de014d210a59d105c5eec72a47c47affe561eb73855db42791df
Opcode Fuzzy Hash: 7d8b7802d37e1bbd87d4f589c6e046fc1b9ee14492e68af191a0d42c957c5b1c
Instruction Fuzzy Hash: F8F0DF7494020DFBEB15EFA0DC0ABDC7BB8BB08748F1444A1A615A61A0D7B0AA84DB50

Function 02F951E4 Relevance: 3.8, APIs: 2, Instructions: 830stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Part of subcall function 02F91C63: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91C70
Part of subcall function 02F91C63: RtlAllocateHeap.NTDLL(00000000), ref: 02F91C77
Part of subcall function 02F91C63: GetLocalTime.KERNEL32(?), ref: 02F91C84
Part of subcall function 02F91C63: wsprintfA.USER32 ref: 02F91CB1

Part of subcall function 02F925CA: memset.MSVCRT ref: 02F925F2
Part of subcall function 02F925CA: RegOpenKeyExA.KERNEL32(80000002,02FA92C4,00000000,00020119,?), ref: 02F92612
Part of subcall function 02F925CA: RegQueryValueExA.KERNEL32(?,02FA92B8,00000000,00000000,00000000,000000FF), ref: 02F92639
Part of subcall function 02F925CA: RegCloseKey.ADVAPI32(?), ref: 02F92645
Part of subcall function 02F925CA: CharToOemA.USER32(00000000,?), ref: 02F92659

Part of subcall function 02F92667: GetCurrentHwProfileA.ADVAPI32(?), ref: 02F92674

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F91948: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 02F91964
Part of subcall function 02F91948: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02F919A1
Part of subcall function 02F91948: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91A18
Part of subcall function 02F91948: RtlAllocateHeap.NTDLL(00000000), ref: 02F91A1F

GetCurrentProcessId.KERNEL32(00000000,?,02FA96E8,00000000,?,02FA8FE4,00000000,?,00000000,00000000,?,02FA96F0,00000000,?,02FA8E48,00000000), ref: 02F95497

Part of subcall function 02F93563: OpenProcess.KERNEL32(00000410,00000000,?), ref: 02F93576
Part of subcall function 02F93563: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 02F93596
Part of subcall function 02F93563: CloseHandle.KERNEL32(00000000), ref: 02F9359F

Part of subcall function 02F91ADD: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91AF1
Part of subcall function 02F91ADD: RtlAllocateHeap.NTDLL(00000000), ref: 02F91AF8

Part of subcall function 02F91C21: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91C2D
Part of subcall function 02F91C21: RtlAllocateHeap.NTDLL(00000000), ref: 02F91C34
Part of subcall function 02F91C21: GetComputerNameA.KERNEL32(?,00000104), ref: 02F91C4B

Part of subcall function 02F91BEC: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91BF8
Part of subcall function 02F91BEC: RtlAllocateHeap.NTDLL(00000000), ref: 02F91BFF
Part of subcall function 02F91BEC: GetUserNameA.ADVAPI32(?,00000104), ref: 02F91C16

Part of subcall function 02F9254A: CreateDCA.GDI32(00000000,00000000,00000000), ref: 02F9255C
Part of subcall function 02F9254A: GetDeviceCaps.GDI32(?,00000008), ref: 02F9256A
Part of subcall function 02F9254A: GetDeviceCaps.GDI32(?,0000000A), ref: 02F92578
Part of subcall function 02F9254A: ReleaseDC.USER32(00000000,?), ref: 02F92586
Part of subcall function 02F9254A: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F92593
Part of subcall function 02F9254A: RtlAllocateHeap.NTDLL(00000000), ref: 02F9259A
Part of subcall function 02F9254A: wsprintfA.USER32 ref: 02F925B1

Part of subcall function 02F91D31: GetKeyboardLayoutList.USER32(00000000,00000000,02FA5200), ref: 02F91D59
Part of subcall function 02F91D31: LocalAlloc.KERNEL32(00000040,?), ref: 02F91D71
Part of subcall function 02F91D31: GetKeyboardLayoutList.USER32(?,00000000), ref: 02F91D83
Part of subcall function 02F91D31: GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200), ref: 02F91DD3
Part of subcall function 02F91D31: LocalFree.KERNEL32(00000000), ref: 02F91E90

Part of subcall function 02F91CBF: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91CCF
Part of subcall function 02F91CBF: RtlAllocateHeap.NTDLL(00000000), ref: 02F91CD6
Part of subcall function 02F91CBF: GetTimeZoneInformation.KERNEL32(?), ref: 02F91CE9

Part of subcall function 02F91EB5: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91EC9
Part of subcall function 02F91EB5: RtlAllocateHeap.NTDLL(00000000), ref: 02F91ED0
Part of subcall function 02F91EB5: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,?), ref: 02F91EEF
Part of subcall function 02F91EB5: RegQueryValueExA.KERNEL32(?,00000000,00000000,?,000000FF), ref: 02F91F0D
Part of subcall function 02F91EB5: RegCloseKey.ADVAPI32(?), ref: 02F91F16

Part of subcall function 02F91F54: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 02F91F87
Part of subcall function 02F91F54: GetLastError.KERNEL32 ref: 02F91F96

Part of subcall function 02F91F21: GetSystemInfo.KERNEL32(?), ref: 02F91F2E
Part of subcall function 02F91F21: wsprintfA.USER32 ref: 02F91F43

Part of subcall function 02F92081: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F9208E
Part of subcall function 02F92081: RtlAllocateHeap.NTDLL(00000000), ref: 02F92095
Part of subcall function 02F92081: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 02F920B6
Part of subcall function 02F92081: __aulldiv.LIBCMT ref: 02F920CE
Part of subcall function 02F92081: __aulldiv.LIBCMT ref: 02F920DC
Part of subcall function 02F92081: wsprintfA.USER32 ref: 02F920FF

Part of subcall function 02F9210D: EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000001), ref: 02F92148

Part of subcall function 02F9246A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F92491
Part of subcall function 02F9246A: Process32First.KERNEL32(?,00000128), ref: 02F924A4
Part of subcall function 02F9246A: Process32Next.KERNEL32(?,00000128), ref: 02F924B8
Part of subcall function 02F9246A: CloseHandle.KERNEL32(?), ref: 02F92525

Part of subcall function 02F9218B: RegOpenKeyExA.KERNEL32(?,00000000,00020019,00000000,02FA5200), ref: 02F921DE

Part of subcall function 02F9218B: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 02F92259
Part of subcall function 02F9218B: wsprintfA.USER32 ref: 02F9228B
Part of subcall function 02F9218B: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,00000000), ref: 02F922AC
Part of subcall function 02F9218B: RegCloseKey.ADVAPI32(00000000), ref: 02F922BC
Part of subcall function 02F9218B: RegCloseKey.ADVAPI32(00000000), ref: 02F922C8

lstrlen.KERNEL32(00000000,00000000,?,02FA8FE4,00000000,?,00000000,00000000,?,00000000,00000000,?,02FA95F0,00000000,?,02FA8FE4), ref: 02F95DE1

Part of subcall function 02F98DB9: _MSFOpenExW.MSPDB140-MSVCRT ref: 02F98E6C
Part of subcall function 02F98DB9: CreateThread.KERNEL32(00000000,00000000,Function_00017C65,?,00000000,00000000), ref: 02F98E85
Part of subcall function 02F98DB9: WaitForSingleObject.KERNEL32(?,000003E8), ref: 02F98E96

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Heap$Process$Allocate$CloseOpen$wsprintf$lstrcpy$CreateInformationLocalName$CapsCurrentDeviceEnumHandleInfoKeyboardLayoutListProcess32QueryTimeValue__aulldivlstrcatlstrlen$AllocCharComputerDevicesDirectoryDisplayErrorFileFirstFreeGlobalLastLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID:
API String ID: 1879197162-0
Opcode ID: 04a4e2ae022c6f59a4c65d7b00ac2d5cafbd88ce273c165211c42855516f0c21
Instruction ID: 7728911e717083cda6cee78b1565f1197fb4d8e4b013457b197604afd32ec3ea
Opcode Fuzzy Hash: 04a4e2ae022c6f59a4c65d7b00ac2d5cafbd88ce273c165211c42855516f0c21
Instruction Fuzzy Hash: 40624C7280011EAAEF15FBA0DDA1DDF737EAF14381F5046B9961BA2050EF726B48CE51

Function 02F929BF Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02F92AC6
VariantClear.OLEAUT32(?), ref: 02F92AFC

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: e74244d612ae103c80f6a15583500d14d13a042eeb1c80733fea4d31d722bb2f
Instruction ID: 54beaa2dccea1b6523bd8ef92581d167233ddffa24839c6a58738e36a7d700f6
Opcode Fuzzy Hash: e74244d612ae103c80f6a15583500d14d13a042eeb1c80733fea4d31d722bb2f
Instruction Fuzzy Hash: A051C671A84208BFFF15DFA4CC46FADBBB8AB08B91F104165FA11BA1D0C7B1A945CB54

Function 02F98C65 Relevance: 3.1, APIs: 2, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 02F98C99
StrCmpCA.SHLWAPI(00000000,02FA8D8C,00000000), ref: 02F98D4B

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 341a67b8c9a06eb4adbb31614c158a7a5a1b66db813b38ff3ac5fdc7d40963f1
Instruction ID: 64d8754be6b3656ccd715accedb40b28f643f9acc794f194b2bf2c7c802dd8d1
Opcode Fuzzy Hash: 341a67b8c9a06eb4adbb31614c158a7a5a1b66db813b38ff3ac5fdc7d40963f1
Instruction Fuzzy Hash: A6316FB2E10109ABEF04FBA8DD45AAE77B9FF15394F140525E602F7250DB359904CFA1

Function 0097760D Relevance: 1.6, APIs: 1, Instructions: 325memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00977687

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000976000.00000040.00001000.00020000.00000000.sdmp, Offset: 00976000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_976000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3ef942e361509333a6c4df6da77594675f5189c2bdfdb6f3c545f129199b24a5
Instruction ID: 7f3e275149d748aa9f2cc0511eed59af3cd960f59c0fe6014a834788f29ab5de
Opcode Fuzzy Hash: 3ef942e361509333a6c4df6da77594675f5189c2bdfdb6f3c545f129199b24a5
Instruction Fuzzy Hash: 5FB1E373509B02EBDB219AA4CC84BA7F7ECFF45310F108929FA5D96151E731E950CBA2

Function 02F97E48 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F86312: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F86373
Part of subcall function 02F86312: StrCmpCA.SHLWAPI(?), ref: 02F86390
Part of subcall function 02F86312: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02F863BE
Part of subcall function 02F86312: HttpOpenRequestA.WININET(00000000,02FA8D80,?,00000000,00000000,00400100,00000000), ref: 02F8640A
Part of subcall function 02F86312: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02F86442
Part of subcall function 02F86312: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02F86453

StrCmpCA.SHLWAPI(00000000,02FA8D8C), ref: 02F97E8B

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID:
API String ID: 3287882509-0
Opcode ID: 03a928425593444dc5e8731505fc633512705c9837c7d3cfe101a46b88648e10
Instruction ID: acc3c033806283fe4d70898be5bf5d00665ec1ab14d2841ba837556246d448ba
Opcode Fuzzy Hash: 03a928425593444dc5e8731505fc633512705c9837c7d3cfe101a46b88648e10
Instruction Fuzzy Hash: DF119E7195010A9AEF14FF60DC659DE777AAF10385F504134EA1B96191EF31EB08CF81

Function 02F92667 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 02F92674

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: CurrentProfilelstrcpy
String ID:
API String ID: 2831436455-0
Opcode ID: 03f35fcdbe09fba07380814a3432bd4c07bb40beaa6873aac2f4d58fb87eff28
Instruction ID: 179c6591752678e71e268ad96bd737ee1ce6c691d1bd990afba92bb5c520d43b
Opcode Fuzzy Hash: 03f35fcdbe09fba07380814a3432bd4c07bb40beaa6873aac2f4d58fb87eff28
Instruction Fuzzy Hash: 60E09270A00209AFEF14EEA8D895E9D7BADAB047C8F448024AA099B140DB70E959CF90

Non-executed Functions

Function 02F964C7 Relevance: 37.8, APIs: 25, Instructions: 318fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 02F964EA
FindFirstFileA.KERNEL32(?,?), ref: 02F96501
memset.MSVCRT ref: 02F9651B
memset.MSVCRT ref: 02F96531
StrCmpCA.SHLWAPI(?,02FA5240), ref: 02F96562
StrCmpCA.SHLWAPI(?,02FA523C), ref: 02F96578
FindNextFileA.KERNEL32(000000FF,?), ref: 02F969C8
FindClose.KERNEL32(000000FF), ref: 02F969DC

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Find$Filememset$CloseFirstNextwsprintf
String ID:
API String ID: 1738266208-0
Opcode ID: 78da328da91ac1b3c55f4ee2e41ff6cb955fcddc2bd22d92d4310c10d7be1b79
Instruction ID: 7498dd62c5e9215689db6f83e5404815d69d1dad05e7f9ada58d2f0a1b9a119a
Opcode Fuzzy Hash: 78da328da91ac1b3c55f4ee2e41ff6cb955fcddc2bd22d92d4310c10d7be1b79
Instruction Fuzzy Hash: CBD1FDB2D4021EAEEF25EB60CC55EEA77BDAB04385F4040B5E709E6050EB719B98CF51

Function 02F89FC0 Relevance: 30.8, APIs: 20, Instructions: 760fileCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

FindFirstFileA.KERNEL32(00000000,?,02FA5200,02FA5200,00000000,?,?,?,02FA8F3C,02FA5200), ref: 02F8A045
StrCmpCA.SHLWAPI(?,02FA5240), ref: 02F8A0A0
StrCmpCA.SHLWAPI(?,02FA523C), ref: 02F8A0B6
FindNextFileA.KERNEL32(000000FF,?), ref: 02F8AB2C
FindClose.KERNEL32(000000FF), ref: 02F8AB3D

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: d8fda1eef01559c2f1f8ea39c6aaafba52aa7e60914530a22013149b91dbd46c
Instruction ID: ecee1690c56e9fa2b93f491fe9fe45870c4350c8d8d32666189c0833838f8b67
Opcode Fuzzy Hash: d8fda1eef01559c2f1f8ea39c6aaafba52aa7e60914530a22013149b91dbd46c
Instruction Fuzzy Hash: BF52FC7290011AAAEF25FB70DC65EEE777EAB54380F4041B5E60EE2050EE329B49CF51

Function 02F977D3 Relevance: 27.2, APIs: 18, Instructions: 207fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 02F977EB
FindFirstFileA.KERNEL32(?,?), ref: 02F97802
StrCmpCA.SHLWAPI(?,02FA5240), ref: 02F97830
StrCmpCA.SHLWAPI(?,02FA523C), ref: 02F97846
FindNextFileA.KERNEL32(000000FF,?), ref: 02F97AE3
FindClose.KERNEL32(000000FF), ref: 02F97AF7

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 5add10353a81d3aa0d1783e564b3dbcc6099adc533e2bc39dee055d65af23266
Instruction ID: 86a4c750838073e590e08609b0b6bd1be2c3188043d7934c3f1d1a01f1aa35fa
Opcode Fuzzy Hash: 5add10353a81d3aa0d1783e564b3dbcc6099adc533e2bc39dee055d65af23266
Instruction Fuzzy Hash: 4C811F7191021DABEF14FBA0DC54EEA77BDBB08381F5445A5E64AE2050EF31DA84CFA1

Function 02F9738D Relevance: 22.7, APIs: 15, Instructions: 176stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 02F9739D
RtlAllocateHeap.NTDLL(00000000), ref: 02F973A4
wsprintfA.USER32 ref: 02F973BF
FindFirstFileA.KERNEL32(?,?), ref: 02F973D6
StrCmpCA.SHLWAPI(?,02FA5240), ref: 02F97404
StrCmpCA.SHLWAPI(?,02FA523C), ref: 02F9741A
FindNextFileA.KERNEL32(000000FF,?), ref: 02F9756F
FindClose.KERNEL32(000000FF), ref: 02F97583
lstrcat.KERNEL32(?,?), ref: 02F975A7
lstrcat.KERNEL32(?), ref: 02F975BA
lstrlen.KERNEL32(?), ref: 02F975C6
lstrlen.KERNEL32(?), ref: 02F975D6

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
String ID:
API String ID: 671575355-0
Opcode ID: 86e0bdba393bd34158e80640b03069dbb2619aad6b8450c0660cc700bcc32a0b
Instruction ID: 3f0c4c911263c79f6d9cd88ffa72b74518bc4d5967c464321753dad889856d51
Opcode Fuzzy Hash: 86e0bdba393bd34158e80640b03069dbb2619aad6b8450c0660cc700bcc32a0b
Instruction Fuzzy Hash: 0F610BB194021DABEF14FB60CD99EEE777DBB18381F4044A5E60AE2050EB719B84CF61

Function 02F93160 Relevance: 22.7, APIs: 15, Instructions: 167COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02F93184

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 7b06508a9bd92b92a6cb8704679f54d0d3e3c65b80071c217878b0d52a7fd9a6
Instruction ID: cbc1d37a05e7d5d45241875b631fd893059850182bf2a29ebdc0d5a2846165f6
Opcode Fuzzy Hash: 7b06508a9bd92b92a6cb8704679f54d0d3e3c65b80071c217878b0d52a7fd9a6
Instruction Fuzzy Hash: 7961D272D50208BBEF05AFA0DC49BEDBBB9FF08351F104064F605A60A4DB719A95DF60

Function 02F90A14 Relevance: 19.7, APIs: 13, Instructions: 157threadinjectionmemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02F90A4F
memset.MSVCRT ref: 02F90A5F
CreateProcessA.KERNEL32(?,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 02F90A81
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 02F90AA7
GetThreadContext.KERNEL32(?,?), ref: 02F90ABF
ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000), ref: 02F90AE5
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 02F90B01
ResumeThread.KERNEL32(?), ref: 02F90B13
WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00000000), ref: 02F90B3B
WriteProcessMemory.KERNEL32(?,00000000,?,00000000,00000000), ref: 02F90B92
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02F90BB5
SetThreadContext.KERNEL32(?,?), ref: 02F90BD3
ResumeThread.KERNEL32(?), ref: 02F90BDC

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Process$MemoryThread$Write$AllocContextResumeVirtualmemset$CreateRead
String ID:
API String ID: 619895632-0
Opcode ID: 885beae74daac6c8f99798fd4e7bb164b720a1f1f6cd81853e8fc5de052cc56a
Instruction ID: cb3af06b11b819628bac3c75b7b86a747d5fcd1bde269ced772cf2fce9776bb3
Opcode Fuzzy Hash: 885beae74daac6c8f99798fd4e7bb164b720a1f1f6cd81853e8fc5de052cc56a
Instruction Fuzzy Hash: 6E61C075A40208EFEF04DF98C845FEDBBB5BF08315F1080A4E615AB2A1D771AA90DF24

Function 02F81443 Relevance: 18.7, APIs: 12, Instructions: 685fileCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,02FA51E8,?,?,?,02FA51E8,?,?,00000000,?,00000000), ref: 02F81696
StrCmpCA.SHLWAPI(?,02FA5240), ref: 02F816E6
StrCmpCA.SHLWAPI(?,02FA523C), ref: 02F816FC
FindFirstFileA.KERNEL32(00000000,?,?,?,?,02FA51E8,?,?,?,02FA51E8,?,?,?,02FA51E8,?,?), ref: 02F81802

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F92F4C: GetFileAttributesA.KERNEL32(00000000,?,02F81C1A,?,?,?,02FA5200), ref: 02F92F5B

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02F81DEC
DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02F81AE7

Part of subcall function 02F98DB9: _MSFOpenExW.MSPDB140-MSVCRT ref: 02F98E6C
Part of subcall function 02F98DB9: CreateThread.KERNEL32(00000000,00000000,Function_00017C65,?,00000000,00000000), ref: 02F98E85
Part of subcall function 02F98DB9: WaitForSingleObject.KERNEL32(?,000003E8), ref: 02F98E96

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02F81A62

Part of subcall function 02F87CDF: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02F87D05
Part of subcall function 02F87CDF: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02F87D29
Part of subcall function 02F87CDF: LocalAlloc.KERNEL32(00000040,?), ref: 02F87D48
Part of subcall function 02F87CDF: ReadFile.KERNEL32(000000FF,00000000,?,02F81270,00000000), ref: 02F87D6E
Part of subcall function 02F87CDF: LocalFree.KERNEL32(00000000), ref: 02F87DA0
Part of subcall function 02F87CDF: CloseHandle.KERNEL32(000000FF), ref: 02F87DA9

FindNextFileA.KERNEL32(000000FF,?,?,?,?,?,?,?), ref: 02F81B34
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 02F81B48

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F92D64: GetSystemTime.KERNEL32(?,02FA5200,?,?,?,?,?,?,?,?,?,02F84F38,?,00000014), ref: 02F92D8A

DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,02FA5200), ref: 02F81E71
FindNextFileA.KERNEL32(000000FF,?), ref: 02F81EC6
FindClose.KERNEL32(000000FF), ref: 02F81ED7

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: File$Find$lstrcpy$Close$CopyCreateDeleteFirstLocalNextlstrcat$AllocAttributesFreeHandleObjectOpenReadSingleSizeSystemThreadTimeWaitlstrlen
String ID:
API String ID: 3942515123-0
Opcode ID: 47eb75b00ad45897c2f528fe822f88c8abfd758b61329773905e244b3c10b1fb
Instruction ID: 1f55774e8c091896dfc4623240266033e858a0ff850293d470c18fbba003cb5d
Opcode Fuzzy Hash: 47eb75b00ad45897c2f528fe822f88c8abfd758b61329773905e244b3c10b1fb
Instruction Fuzzy Hash: 9A52787190011E9AEF15FB60CDA5EEF737AAB15381F5041B9D60EA2090EF329B89CF51

Function 02F96D7D Relevance: 18.1, APIs: 12, Instructions: 123fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 02F96D98
FindFirstFileA.KERNEL32(?,?), ref: 02F96DAF
StrCmpCA.SHLWAPI(?,02FA5240), ref: 02F96DDD
StrCmpCA.SHLWAPI(?,02FA523C), ref: 02F96DF3
FindNextFileA.KERNEL32(000000FF,?), ref: 02F96F36
FindClose.KERNEL32(000000FF), ref: 02F96F4A

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 2270c89887d4047094eb62dff823d9af23ff753b11a9fcaaf69058bf8d982484
Instruction ID: 8e7a89da05d2374d3d2f2dd4c16cbd7b4d894ae361c5301fc2643e9b08d0881a
Opcode Fuzzy Hash: 2270c89887d4047094eb62dff823d9af23ff753b11a9fcaaf69058bf8d982484
Instruction Fuzzy Hash: 414119B2D4421DBBDF10FBB0DC49EDA7BBDBB08344F4445A5A65AE2040EB75D6888F60

Function 02F8D690 Relevance: 13.9, APIs: 9, Instructions: 373fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 02F8D6AE
FindFirstFileA.KERNEL32(?,?), ref: 02F8D6C5
StrCmpCA.SHLWAPI(?,02FA5240), ref: 02F8D71B
StrCmpCA.SHLWAPI(?,02FA523C), ref: 02F8D731
FindNextFileA.KERNEL32(000000FF,?), ref: 02F8DC3C
FindClose.KERNEL32(000000FF), ref: 02F8DC50

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 540bddbc67b5e69e6ab0212ec099b51c4d00ec2758bd4b09bda998b0fd1ea0c7
Instruction ID: 2c7d0d50195290f94282b083155cbc75482adf70a02f015ff3f22a9fb349c8c2
Opcode Fuzzy Hash: 540bddbc67b5e69e6ab0212ec099b51c4d00ec2758bd4b09bda998b0fd1ea0c7
Instruction Fuzzy Hash: F9E19C7290121E9AFF55FB60CC95EEF7379AF15381F4001B5E60EA2091EE319B89CE91

Function 02F8BC98 Relevance: 13.8, APIs: 9, Instructions: 254fileCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,02FA8F3C,02FA5200), ref: 02F8BD03
StrCmpCA.SHLWAPI(?,02FA5240), ref: 02F8BD4E
StrCmpCA.SHLWAPI(?,02FA523C), ref: 02F8BD64
FindNextFileA.KERNEL32(000000FF,?), ref: 02F8BFF5
FindClose.KERNEL32(000000FF), ref: 02F8C006

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 7798353706b8e0956300d0b18ad0a951d5e85154f1f952e359970ae2d0ddf2bb
Instruction ID: 703b373e7e1fbc3de024825924390e92c196fe7f9c7436ce032cb07f35c167e1
Opcode Fuzzy Hash: 7798353706b8e0956300d0b18ad0a951d5e85154f1f952e359970ae2d0ddf2bb
Instruction Fuzzy Hash: 5C910A72D001099AEF24FAB0DC59AEEB7BEAB54384F404175EA1AD6050EF35DB488F91

Function 02F8E016 Relevance: 12.3, APIs: 8, Instructions: 279fileCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,02FA8F3C,02FA5200), ref: 02F8E083
StrCmpCA.SHLWAPI(?,02FA5240), ref: 02F8E0CE
StrCmpCA.SHLWAPI(?,02FA523C), ref: 02F8E0E4
FindNextFileA.KERNEL32(000000FF,?), ref: 02F8E3F8
FindClose.KERNEL32(000000FF), ref: 02F8E409

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 9b9039b0e298fa3caef0a1cc97653ddef961810c9039968bd2a28e9f7a24f6fe
Instruction ID: 2d87da8b677c6cf477781aa5b235cc413b82a3dcea46cba347470505b160a0b5
Opcode Fuzzy Hash: 9b9039b0e298fa3caef0a1cc97653ddef961810c9039968bd2a28e9f7a24f6fe
Instruction Fuzzy Hash: 7DB11B72D0011A9AEF24FB70DC95AEEB37AAB55381F4041B5E60ED6090EE319B49CF91

Function 02F8C6B5 Relevance: 11.0, APIs: 7, Instructions: 510fileCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,02FA5244,02FA5200), ref: 02F8C724
StrCmpCA.SHLWAPI(?,02FA5240), ref: 02F8C774
StrCmpCA.SHLWAPI(?,02FA523C), ref: 02F8C78A
FindNextFileA.KERNEL32(000000FF,?), ref: 02F8CE7B

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID:
API String ID: 433455689-0
Opcode ID: ea79e75f23378f9009f28c7675272172c014e4b906a2bed78c1c0d48f7034a6e
Instruction ID: 5af2572920d59f2e317447bdb5e2a01ffff80d8a4c6eebe00f901cab601b2779
Opcode Fuzzy Hash: ea79e75f23378f9009f28c7675272172c014e4b906a2bed78c1c0d48f7034a6e
Instruction Fuzzy Hash: 9112AB7194021E9AEF15FB60CCA5EEE737AAF55381F5001B5D60EA2090EF319B89CF91

Function 02F8C039 Relevance: 10.9, APIs: 7, Instructions: 388fileCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

FindFirstFileA.KERNEL32(00000000,?,00000000,?,02FA5244,02FA5200), ref: 02F8C087
StrCmpCA.SHLWAPI(?,02FA5240), ref: 02F8C0D7
StrCmpCA.SHLWAPI(?,02FA523C), ref: 02F8C0ED
FindNextFileA.KERNEL32(000000FF,?), ref: 02F8C66C
FindClose.KERNEL32(000000FF), ref: 02F8C67D

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID:
API String ID: 2325840235-0
Opcode ID: c1a51ae7ea1c835586453056ae9a32ce19772df2b0f673794c5fe4d620fff9b2
Instruction ID: 6da0084ac9c0c26ea050cda231025f8899caee499931f955b3af28a99b9bbd21
Opcode Fuzzy Hash: c1a51ae7ea1c835586453056ae9a32ce19772df2b0f673794c5fe4d620fff9b2
Instruction Fuzzy Hash: 3FF1497191411E9AEF15FB60CDA4EEFB379AB15381F5001B6D60EA2090EE329B89CE51

Function 02F8AB80 Relevance: 10.6, APIs: 7, Instructions: 83stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02F8ABB0
lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 02F8ABCC
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 02F8ABD6
memcpy.MSVCRT ref: 02F8AC63
lstrcat.KERNEL32(?,02FA5200), ref: 02F8AC92
lstrcat.KERNEL32(?,02FA5200), ref: 02F8ACA5
lstrcat.KERNEL32(?,02FA5200), ref: 02F8ACC2

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 21054524c48f4f99f066ca17f9e53c1cf8abb533bafc51ec6f558a5f552d501d
Instruction ID: e835ae7997079478ac38ad9d55af675ad627abcd343c3be6031f7315a89cf274
Opcode Fuzzy Hash: 21054524c48f4f99f066ca17f9e53c1cf8abb533bafc51ec6f558a5f552d501d
Instruction Fuzzy Hash: 9131EA71D4421EAFDB10AB90DD49BEEBBB8FB08385F5041B5E605A2180D7749A84CFA1

Function 02F91D31 Relevance: 7.6, APIs: 5, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

GetKeyboardLayoutList.USER32(00000000,00000000,02FA5200), ref: 02F91D59
LocalAlloc.KERNEL32(00000040,?), ref: 02F91D71
GetKeyboardLayoutList.USER32(?,00000000), ref: 02F91D83
GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200), ref: 02F91DD3
LocalFree.KERNEL32(00000000), ref: 02F91E90

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID:
API String ID: 3090951853-0
Opcode ID: 59192ad7be816ae3cd251e6c1bce98c2f9ea908cad5acdb1ddcceecc4d1d1c47
Instruction ID: f48a2f61178d5b8fbd59484faf356b72a53765930d1f1cdbddedf851bdfebd77
Opcode Fuzzy Hash: 59192ad7be816ae3cd251e6c1bce98c2f9ea908cad5acdb1ddcceecc4d1d1c47
Instruction Fuzzy Hash: D541177598021DABEF24EB50DC88BEEB3B9EB14341F2041E5E61AA2091DB706F85CF10

Function 02FA224F Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02FA2C26
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02FA2C3B
UnhandledExceptionFilter.KERNEL32(02FAC0CC), ref: 02FA2C46
GetCurrentProcess.KERNEL32(C0000409), ref: 02FA2C62
TerminateProcess.KERNEL32(00000000), ref: 02FA2C69

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 0ec93da08bcc6704215436bd1bec9e6e54a9cf6b95d89eabd8a7ed91fda6061a
Instruction ID: 82a5c20810f7fee26320c2a4759da95181edc54b8450d7ad3698474c52a660fe
Opcode Fuzzy Hash: 0ec93da08bcc6704215436bd1bec9e6e54a9cf6b95d89eabd8a7ed91fda6061a
Instruction Fuzzy Hash: 3A2125B8961309CFDB09EF64F0956447FB4FB0C790F508909EA0987248E7B199C2CFA5

Function 02F937BD Relevance: 7.6, APIs: 5, Instructions: 55processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F937F8
Process32First.KERNEL32(?,00000128), ref: 02F9380B
Process32Next.KERNEL32(?,00000128), ref: 02F9381F
StrCmpCA.SHLWAPI(?,02F9136D), ref: 02F93833
CloseHandle.KERNEL32(?), ref: 02F93850

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 93dc2a95adb037c7a2ff44d3e8e4947e015296cda9e2dd296dad5f7a1589e0b4
Instruction ID: 1a87aa1ac41829aed49339503030aa5e5f88f66cf57f33277c0681e6a8f358af
Opcode Fuzzy Hash: 93dc2a95adb037c7a2ff44d3e8e4947e015296cda9e2dd296dad5f7a1589e0b4
Instruction Fuzzy Hash: B1115E72E40219EFEF11DF95C849FEEBBB8FB08795F0042A9E605A2190D7349A40CB60

Function 02F9302D Relevance: 6.0, APIs: 4, Instructions: 48encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,02F84E7F,40000001,00000000,00000000), ref: 02F9304A

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 1a4e72ee3b89cf55d6dcc57c03a876b036d9fdea6c514b3dba24075f89d24b55
Instruction ID: eb0557c7f59e0cd2405df873d3eddf2f22b8735d8e40399113e336f5402a0023
Opcode Fuzzy Hash: 1a4e72ee3b89cf55d6dcc57c03a876b036d9fdea6c514b3dba24075f89d24b55
Instruction Fuzzy Hash: B611D736614208FFEF41AF64DC44BA93BA6FF49788F0044A0FA158B171C77699A0EB20

Function 02F87DC2 Relevance: 6.0, APIs: 4, Instructions: 47encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02F86095,00000000,00000000), ref: 02F87DE6
LocalAlloc.KERNEL32(00000040,02F86095,?,?,02F86095,00000000,?), ref: 02F87DF7
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02F86095,00000000,00000000), ref: 02F87E1D
LocalFree.KERNEL32(00000000,?,?,02F86095,00000000,?), ref: 02F87E31

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: f368554a33aaa2e84a87de841b830d7121920f485ea272b71e179f07293c8547
Instruction ID: ed543c8398c8f6cb3a9f7ca9be59b1a8f5aa8f0b219cbead35cf2760712ec781
Opcode Fuzzy Hash: f368554a33aaa2e84a87de841b830d7121920f485ea272b71e179f07293c8547
Instruction Fuzzy Hash: 6111DD35290308FFEB12AF54CC46B997BB1FB08755F208064FA14AF2E0C3B1AA50DB18

Function 02F87E41 Relevance: 4.5, APIs: 3, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 02F87E65
LocalAlloc.KERNEL32(00000040,00000000), ref: 02F87E83
LocalFree.KERNEL32(?), ref: 02F87EAB

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 39651999e1d833c7a6e2938292c8e67647c59726b6ee513882c8ab50f06b8129
Instruction ID: 5deef2d67c2b52f7adcf88cd3e659875df576fcc78d779cfefd156897204c1f9
Opcode Fuzzy Hash: 39651999e1d833c7a6e2938292c8e67647c59726b6ee513882c8ab50f06b8129
Instruction Fuzzy Hash: D4019375900209EFCB05EF98D945A9EBBF5FF09304F500064F901AB2A0D7309E50DF61

Function 02F9EEC1 Relevance: 1.8, Strings: 1, Instructions: 518COMMON

Download Yara Rule

Strings

K, xrefs: 02F9EEDA

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 1a641afb7448ea8624540d959037065100805b0cb9cf6c6ba227a397cac0e44b
Instruction ID: 7e5d77bc767c76e833b674ada3b56218810838ca361edaeb419b40b6fa799dee
Opcode Fuzzy Hash: 1a641afb7448ea8624540d959037065100805b0cb9cf6c6ba227a397cac0e44b
Instruction Fuzzy Hash: B322D131950289AFDB01CF98CC46EED7BB5EF44310F0880A1FD58DA292D276DB68DB95

Function 009606BB Relevance: 1.8, Strings: 1, Instructions: 518COMMON

Download Yara Rule

Strings

K, xrefs: 009606D4

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 1a641afb7448ea8624540d959037065100805b0cb9cf6c6ba227a397cac0e44b
Instruction ID: aa0ab1e66d5205d6580fdfd371cb55786a4f2b13f54ce1c2c0468aab528c041a
Opcode Fuzzy Hash: 1a641afb7448ea8624540d959037065100805b0cb9cf6c6ba227a397cac0e44b
Instruction Fuzzy Hash: A122E131550289AFDB01CF98CC46EED7BB5EF44310F4880A0FD58DA292D276DB68DB95

Function 02F9E919 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

K, xrefs: 02F9E932

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 8f5226f9d6fe93ad6a604e25ba4a52b60e503e1c5ce3399b4d435a56d3f081ad
Instruction ID: d9c5c55c1cb6ae9f3ee3c942f760b410386247b005b50ee500ab987dfe18a826
Opcode Fuzzy Hash: 8f5226f9d6fe93ad6a604e25ba4a52b60e503e1c5ce3399b4d435a56d3f081ad
Instruction Fuzzy Hash: B1E1E131950289AFDB01CF98DC46EED7BB5EF40310F0880A1FD58DA292D276DB68DB95

Function 00960113 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

K, xrefs: 0096012C

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 8f5226f9d6fe93ad6a604e25ba4a52b60e503e1c5ce3399b4d435a56d3f081ad
Instruction ID: d0f6ee12d1bf9b18424e99edd154577b6061b9a26987bd8163f5ae16754914ab
Opcode Fuzzy Hash: 8f5226f9d6fe93ad6a604e25ba4a52b60e503e1c5ce3399b4d435a56d3f081ad
Instruction Fuzzy Hash: 3BE1D031950289AFDB01CF98CC46EED7BB5EF44310F0480A1FD58DA2A2D276DB68DB95

Function 02FA3DCD Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00022D8B), ref: 02FA3DD2

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a5c68cc7523b685de3f9c173338211e94e9f14d678d8d0501b3ca339815f117f
Instruction ID: 6f45bcba469e1d30eebff6b06664d93f649ac5df7e71346a2ae8121fd6367031
Opcode Fuzzy Hash: a5c68cc7523b685de3f9c173338211e94e9f14d678d8d0501b3ca339815f117f
Instruction Fuzzy Hash: D99002F0A91119C7E60017B05C5A509BA946A48982793C8947503C4105DB61A01056A1

Function 02F9ECEC Relevance: 1.4, Strings: 1, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

Strings

K, xrefs: 02F9ED04

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: b4552a968a542d6df4a9543d6a16f7554eb957ba9cd019870136d631622b6582
Instruction ID: a62eedf10f362cc4930d7085e293b7856415292743221bc11f3930880cd6faf5
Opcode Fuzzy Hash: b4552a968a542d6df4a9543d6a16f7554eb957ba9cd019870136d631622b6582
Instruction Fuzzy Hash: D561C03156028DBFDB01CF98DC46AED7BB5EF44310F0480A0F954DA292D276DA68DB55

Function 009604E6 Relevance: 1.4, Strings: 1, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

Strings

K, xrefs: 009604FE

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: b4552a968a542d6df4a9543d6a16f7554eb957ba9cd019870136d631622b6582
Instruction ID: a62eedf10f362cc4930d7085e293b7856415292743221bc11f3930880cd6faf5
Opcode Fuzzy Hash: b4552a968a542d6df4a9543d6a16f7554eb957ba9cd019870136d631622b6582
Instruction Fuzzy Hash: D561C03156028DBFDB01CF98DC46AED7BB5EF44310F0480A0F954DA292D276DA68DB55

Function 00940000 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309e5b8e83620cb7c680a11bf899644b121f563c7fabc11498b565a3ef665174
Instruction ID: c04dc7e6796092eabb6bda206bd51d3e14a40980782c4282a45950e089397b50
Opcode Fuzzy Hash: 309e5b8e83620cb7c680a11bf899644b121f563c7fabc11498b565a3ef665174
Instruction Fuzzy Hash: C9C14776E153388BEB19CEB9CC943AE7A62A7C0304F95D22CD546EF289DF7509464BC0

Function 02F9F6CF Relevance: .1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ede5e5d2c40fe7a91c30d488d6fd4ec8691e71f10d082f39faab89df7caed5e
Instruction ID: 7d09ef2af978e680a97d9c5ee25790082d54878e44a57185aed67c50cb1a1d12
Opcode Fuzzy Hash: 5ede5e5d2c40fe7a91c30d488d6fd4ec8691e71f10d082f39faab89df7caed5e
Instruction Fuzzy Hash: 7D517471514589AFCB85DF2CD491AA93BE0EB09391F14C52AFD6ACF280C638E6A0DF54

Function 00960EC9 Relevance: .1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0efc927fa52fff963f3018c9134edacac6edabb7d359014e56f6bce97f91fe
Instruction ID: c4f2e5f3cb0c0c2f0772f4603cf16fb09193b98d99262acac84df3d152fa94af
Opcode Fuzzy Hash: 8d0efc927fa52fff963f3018c9134edacac6edabb7d359014e56f6bce97f91fe
Instruction Fuzzy Hash: 23519E30514189AFCB59CF28D891AA93BE0EB09351F54C52AFD6ECF280C739E6A1DF44

Function 00940F8D Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: c2716a26a242b94d8919bdb171355d1b27cbecb5cc2a29258cd8f614bb8568a2
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: 16517374E00209DFCB08CF98C590AAEB7B2FF88314F248599D815AB355D735AE91DFA4

Function 00940F8C Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: 1c54e359f7c83c5507ab159f06470ddd549ee51ede59da69f36d76240a68c303
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: 70317374E00119DFCB08CF98C590AAEBBB1FF48314F248599D815AB345D735AE86DF94

Function 00940CED Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: 61770d9b224a640a8f9ac33a331c52e83da2315b26e8643c3822bb8b8d41844e
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: 6C019234A11208EBCB54DF98C184AACB7B6BB84314F608599D9099B785C730AE45DB40

Function 009427FA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90

Function 02F9ACF3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Function 0095C4ED Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Function 02F8ACD0 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 247stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000000,?,02FA51E8,00000000,?,?,02FA5200), ref: 02F8ADA3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 02F8ADBF
GetFileSize.KERNEL32(00000000,00000000), ref: 02F8ADCA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F8ADDC
??_U@YAPAXI@Z.MSVCRT ref: 02F8ADE7
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02F8AE05
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 02F8AE12
RtlAllocateHeap.NTDLL(00000000), ref: 02F8AE19
StrStrA.SHLWAPI(?), ref: 02F8AE2B
StrStrA.SHLWAPI(00000000), ref: 02F8AE50
lstrcat.KERNEL32(?), ref: 02F8AE6B
lstrcat.KERNEL32(?,00000000), ref: 02F8AE7D
lstrcat.KERNEL32(?,02FA8E50), ref: 02F8AE8B
lstrcat.KERNEL32(?,00000000), ref: 02F8AE9D
lstrcat.KERNEL32(?,02FA8E4C), ref: 02F8AEAB
lstrcat.KERNEL32(?), ref: 02F8AEBA
lstrcat.KERNEL32(?,00000000), ref: 02F8AEC6
lstrcat.KERNEL32(?,02FA8E48), ref: 02F8AED4
StrStrA.SHLWAPI(?), ref: 02F8AEE5
StrStrA.SHLWAPI(00000000), ref: 02F8AEFA
lstrcat.KERNEL32(?), ref: 02F8AF15

Part of subcall function 02F8AB80: memset.MSVCRT ref: 02F8ABB0
Part of subcall function 02F8AB80: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 02F8ABCC
Part of subcall function 02F8AB80: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 02F8ABD6
Part of subcall function 02F8AB80: memcpy.MSVCRT ref: 02F8AC63

lstrcat.KERNEL32(?,00000000), ref: 02F8AF28
lstrcat.KERNEL32(?,02FA8E48), ref: 02F8AF36
StrStrA.SHLWAPI(?), ref: 02F8AF47
StrStrA.SHLWAPI(00000000), ref: 02F8AF5C
lstrcat.KERNEL32(?), ref: 02F8AF77

Part of subcall function 02F8AB80: lstrcat.KERNEL32(?,02FA5200), ref: 02F8AC92
Part of subcall function 02F8AB80: lstrcat.KERNEL32(?,02FA5200), ref: 02F8ACA5
Part of subcall function 02F8AB80: lstrcat.KERNEL32(?,02FA5200), ref: 02F8ACC2

lstrcat.KERNEL32(?,00000000), ref: 02F8AF8A
lstrcat.KERNEL32(?,02FA8E48), ref: 02F8AF98
lstrcat.KERNEL32(?,02FA8E48), ref: 02F8AFA6
lstrlen.KERNEL32(?), ref: 02F8AFC2
memset.MSVCRT ref: 02F8B008
CloseHandle.KERNEL32(?), ref: 02F8B013

Strings

, xrefs: 02F8AD03

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcat$File$lstrcpy$lstrlen$HeapPointermemset$AllocateBinaryCloseCreateCryptHandleProcessReadSizeStringmemcpy
String ID:
API String ID: 2293454344-3916222277
Opcode ID: e29f5c5f6679df24bce147321ed411319fa76d2efa14536704631ff5bc99102c
Instruction ID: b4c4f8a2745d7e8825602aa1c0f40d0b078a4c09f83f3443264713798fff00b5
Opcode Fuzzy Hash: e29f5c5f6679df24bce147321ed411319fa76d2efa14536704631ff5bc99102c
Instruction Fuzzy Hash: FEA1E572950209AFEF05AFA0ED49AEEBFB6FF08341F244024F606A21A5DB755955CF20

Function 02F9AD16 Relevance: 49.7, APIs: 33, Instructions: 151libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 02F9AD54
GetProcAddress.KERNEL32 ref: 02F9AD6B
GetProcAddress.KERNEL32 ref: 02F9AD82
GetProcAddress.KERNEL32 ref: 02F9AD99
GetProcAddress.KERNEL32 ref: 02F9ADB0
GetProcAddress.KERNEL32 ref: 02F9ADC7
GetProcAddress.KERNEL32 ref: 02F9ADDE
GetProcAddress.KERNEL32 ref: 02F9ADF5
GetProcAddress.KERNEL32 ref: 02F9AE0C
GetProcAddress.KERNEL32 ref: 02F9AE23
GetProcAddress.KERNEL32 ref: 02F9AE3A
GetProcAddress.KERNEL32 ref: 02F9AE51
GetProcAddress.KERNEL32 ref: 02F9AE68
GetProcAddress.KERNEL32 ref: 02F9AE7F
GetProcAddress.KERNEL32 ref: 02F9AE96
GetProcAddress.KERNEL32 ref: 02F9AEAD
GetProcAddress.KERNEL32 ref: 02F9AEC4
GetProcAddress.KERNEL32 ref: 02F9AEDB
GetProcAddress.KERNEL32 ref: 02F9AEF2
GetProcAddress.KERNEL32 ref: 02F9AF09
GetProcAddress.KERNEL32 ref: 02F9AF20
LoadLibraryA.KERNEL32(?,02F9A8B3), ref: 02F9AF31
LoadLibraryA.KERNEL32(?,02F9A8B3), ref: 02F9AF42
LoadLibraryA.KERNEL32(?,02F9A8B3), ref: 02F9AF53
LoadLibraryA.KERNEL32(?,02F9A8B3), ref: 02F9AF64
LoadLibraryA.KERNEL32(?,02F9A8B3), ref: 02F9AF75
GetProcAddress.KERNEL32(?,02F9A8B3), ref: 02F9AF95
GetProcAddress.KERNEL32(?,02F9A8B3), ref: 02F9AFB5
GetProcAddress.KERNEL32(?,02F9A8B3), ref: 02F9AFCC
GetProcAddress.KERNEL32(?,02F9A8B3), ref: 02F9AFEC
GetProcAddress.KERNEL32(?,02F9A8B3), ref: 02F9B00C
GetProcAddress.KERNEL32(?,02F9A8B3), ref: 02F9B02C
GetProcAddress.KERNEL32(?,02F9A8B3), ref: 02F9B043

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 407bbdb69e8cdb084ff073ba950dd8c5e94a7cd8e22afa5e711757b510267ba8
Instruction ID: ed28768eca16d28f5067f0857768cc26a0564f82107d4761dd9dad2a357fec90
Opcode Fuzzy Hash: 407bbdb69e8cdb084ff073ba950dd8c5e94a7cd8e22afa5e711757b510267ba8
Instruction Fuzzy Hash: 3981EE754A5240FFEB0E7F60FA09AA53FA2F70C345B540139E9069122EE77A44E4EF60

Function 02F8F4EC Relevance: 45.3, APIs: 30, Instructions: 328stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F92F92: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02F92FBC

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F87CDF: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02F87D05
Part of subcall function 02F87CDF: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02F87D29
Part of subcall function 02F87CDF: LocalAlloc.KERNEL32(00000040,?), ref: 02F87D48
Part of subcall function 02F87CDF: ReadFile.KERNEL32(000000FF,00000000,?,02F81270,00000000), ref: 02F87D6E
Part of subcall function 02F87CDF: LocalFree.KERNEL32(00000000), ref: 02F87DA0
Part of subcall function 02F87CDF: CloseHandle.KERNEL32(000000FF), ref: 02F87DA9

Part of subcall function 02F92FD6: LocalAlloc.KERNEL32(00000040,00000001), ref: 02F92FF2

GetProcessHeap.KERNEL32(00000000,000F423F,02FA5200,02FA5200,02FA5200,02FA5200), ref: 02F8F5F8
RtlAllocateHeap.NTDLL(00000000), ref: 02F8F5FF
StrStrA.SHLWAPI(00000000,02FA9110), ref: 02F8F61A
lstrlen.KERNEL32(00000000), ref: 02F8F627

Part of subcall function 02F936CE: malloc.MSVCRT ref: 02F936D5

StrStrA.SHLWAPI(00000000,02FA9108), ref: 02F8F661
lstrlen.KERNEL32(00000000), ref: 02F8F66E
StrStrA.SHLWAPI(00000000,02FA9100), ref: 02F8F6A8
lstrlen.KERNEL32(00000000), ref: 02F8F6B5
StrStrA.SHLWAPI(00000000,02FA90E4), ref: 02F8F6EF
lstrlen.KERNEL32(00000000), ref: 02F8F700
lstrlen.KERNEL32(00000000), ref: 02F8F78B
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 02F8F7A3
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 02F8F7BB
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 02F8F7D3
lstrcat.KERNEL32(?,02FA90D0), ref: 02F8F7EA
lstrcat.KERNEL32(?,02FA9034), ref: 02F8F7F8
lstrcat.KERNEL32(?,00000000), ref: 02F8F80A
lstrcat.KERNEL32(?,02FA8E9C), ref: 02F8F818
lstrcat.KERNEL32(?,00000000), ref: 02F8F82A
lstrcat.KERNEL32(?,02FA8E48), ref: 02F8F838
lstrcat.KERNEL32(?,02FA90C8), ref: 02F8F846
lstrcat.KERNEL32(?,00000000), ref: 02F8F858
lstrcat.KERNEL32(?,02FA8E48), ref: 02F8F866
lstrcat.KERNEL32(?,02FA8FE8), ref: 02F8F874
lstrcat.KERNEL32(?,00000000), ref: 02F8F886
lstrcat.KERNEL32(?,02FA8E48), ref: 02F8F894
lstrcat.KERNEL32(?,02FA8E48), ref: 02F8F8A2
strtok_s.MSVCRT ref: 02F8F8E6
lstrlen.KERNEL32(?), ref: 02F8F8F9
memset.MSVCRT ref: 02F8F945

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrtok_s
String ID:
API String ID: 2504991310-0
Opcode ID: 3d3429cf5e9f6198a3a8bf50d9b3b2dc35e2dbedb9c0090457319efc01953a54
Instruction ID: 5312dbbab2a0148dd6cd2167b3961fa4a8bb930710c47e2fcab0d1657a7c35e7
Opcode Fuzzy Hash: 3d3429cf5e9f6198a3a8bf50d9b3b2dc35e2dbedb9c0090457319efc01953a54
Instruction Fuzzy Hash: 4BC1EA72D5020AAEEF04FBA0DD55EEEBB79AF14381F504034E60BB1094EB725A59CF61

Function 02F8EECC Relevance: 39.4, APIs: 26, Instructions: 410registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02F8EEEE
memset.MSVCRT ref: 02F8EF12
memset.MSVCRT ref: 02F8EF2F
memset.MSVCRT ref: 02F8EF4C
memset.MSVCRT ref: 02F8EF62
memset.MSVCRT ref: 02F8EF78
memset.MSVCRT ref: 02F8EF8E
RegOpenKeyExA.ADVAPI32(80000001,02FA9098,00000000,00000001,?), ref: 02F8EFC3
RegGetValueA.ADVAPI32(?,02FA9078,02FA9084,00000010,00000000,?,?), ref: 02F8EFF6
RegCloseKey.ADVAPI32(00000000), ref: 02F8F009

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: memset$CloseOpenValue
String ID:
API String ID: 2153264648-0
Opcode ID: 596f7d9f07f5981cb85379206cf97bb45bdf1111ea31b24e63accbe3d3441d85
Instruction ID: aa56e126f8c20e16af129c53bfcab3d6162808e5e888b3fc4e8f4a5ff0262af3
Opcode Fuzzy Hash: 596f7d9f07f5981cb85379206cf97bb45bdf1111ea31b24e63accbe3d3441d85
Instruction Fuzzy Hash: 48F12171D4021EAAEF10EB90CC55FEFB779AF14781F5001A6E60AB5090DB756B88CF62

Function 02F883A6 Relevance: 33.3, APIs: 22, Instructions: 265stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F92D64: GetSystemTime.KERNEL32(?,02FA5200,?,?,?,?,?,?,?,?,?,02F84F38,?,00000014), ref: 02F92D8A

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02F88450
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 02F884C9
RtlAllocateHeap.NTDLL(00000000), ref: 02F884D0
lstrlen.KERNEL32(00000000,00000000), ref: 02F8856A
lstrcat.KERNEL32(?), ref: 02F8858F
lstrcat.KERNEL32(?,00000000), ref: 02F885A1
lstrcat.KERNEL32(?,02FA8E50), ref: 02F885AF
lstrcat.KERNEL32(?,00000000), ref: 02F885C1
lstrcat.KERNEL32(?,02FA8E4C), ref: 02F885CF
lstrcat.KERNEL32(?), ref: 02F885DE
lstrcat.KERNEL32(?,00000000), ref: 02F885F0
lstrcat.KERNEL32(?,02FA8E48), ref: 02F885FE
lstrcat.KERNEL32(?), ref: 02F8860D
lstrcat.KERNEL32(?,00000000), ref: 02F8861F
lstrcat.KERNEL32(?,02FA8E48), ref: 02F8862D
lstrcat.KERNEL32(?), ref: 02F8863C
lstrcat.KERNEL32(?,00000000), ref: 02F8864E
lstrcat.KERNEL32(?,02FA8E48), ref: 02F8865C
lstrcat.KERNEL32(?,02FA8E48), ref: 02F8866A
lstrlen.KERNEL32(?), ref: 02F88688
memset.MSVCRT ref: 02F886D4
DeleteFileA.KERNEL32(00000000), ref: 02F88701

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F935B9: memset.MSVCRT ref: 02F935D4
Part of subcall function 02F935B9: OpenProcess.KERNEL32(00001001,00000000,?), ref: 02F9368A
Part of subcall function 02F935B9: TerminateProcess.KERNEL32(00000000,00000000), ref: 02F936A7
Part of subcall function 02F935B9: CloseHandle.KERNEL32(00000000), ref: 02F936B3

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcat$lstrcpy$Processlstrlen$FileHeapmemset$AllocateCloseCopyDeleteHandleOpenSystemTerminateTime
String ID:
API String ID: 1737540870-0
Opcode ID: db06448ca760f4f54ba414a568ae20405822b6f153cae92d4cbe66ccd78ad0a1
Instruction ID: 8e9a04dcdbc318aef88f3b44d6a7fee079e51e185b8cf6afc9dd4ff97e40dbdc
Opcode Fuzzy Hash: db06448ca760f4f54ba414a568ae20405822b6f153cae92d4cbe66ccd78ad0a1
Instruction Fuzzy Hash: 89A1EA7295010AAFEF05FBA0DD559EE7B7AFF18381F604035E206A10A0EB769A54CF61

Function 02F88741 Relevance: 32.0, APIs: 21, Instructions: 471stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 02F918F6: StrCmpCA.SHLWAPI(02F88758,?,?,?,02F88758), ref: 02F91913

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 02F88A97
RtlAllocateHeap.NTDLL(00000000), ref: 02F88A9E
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02F88885

Part of subcall function 02F91715: lstrlen.KERNEL32(02F860AC,?,?,02F860AC,02FA5200), ref: 02F9171F
Part of subcall function 02F91715: lstrcpy.KERNEL32(02FA5200,00000000), ref: 02F9176D

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

lstrcat.KERNEL32(?,00000000), ref: 02F88BCD
lstrcat.KERNEL32(?,02FA8E54), ref: 02F88BDB
lstrcat.KERNEL32(?,00000000), ref: 02F88BED
lstrcat.KERNEL32(?,02FA8E54), ref: 02F88BFB
lstrcat.KERNEL32(?,00000000), ref: 02F88C0D
lstrcat.KERNEL32(?,02FA8E54), ref: 02F88C1B
lstrcat.KERNEL32(?,00000000), ref: 02F88C2D
lstrcat.KERNEL32(?,02FA8E54), ref: 02F88C3B
lstrcat.KERNEL32(?,00000000), ref: 02F88C4D
lstrcat.KERNEL32(?,02FA8E54), ref: 02F88C5B
lstrcat.KERNEL32(?,00000000), ref: 02F88C6D
lstrcat.KERNEL32(?,02FA8E54), ref: 02F88C7B
lstrcat.KERNEL32(?,00000000), ref: 02F88CBD
lstrcat.KERNEL32(?,02FA8E48), ref: 02F88CD6
lstrlen.KERNEL32(?), ref: 02F88D14
lstrlen.KERNEL32(?), ref: 02F88D22
memset.MSVCRT ref: 02F88D6D

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

DeleteFileA.KERNEL32(00000000), ref: 02F88D92

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessmemset
String ID:
API String ID: 1498849721-0
Opcode ID: 709b025d55b1f2278bbfba4c24b350c6e1951bd0f257b423f49807e72c93ef50
Instruction ID: c0e33e4e55d97aa42c52be7245e20db5e7b2c19ed301da3806fa8f20c1027dca
Opcode Fuzzy Hash: 709b025d55b1f2278bbfba4c24b350c6e1951bd0f257b423f49807e72c93ef50
Instruction Fuzzy Hash: 5C02CC7291010EAAEF19FBA0DD55DEF777ABF14385F504075E60AB10A0EF329A48CE61

Function 02F8B04C Relevance: 31.9, APIs: 21, Instructions: 377stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F92D64: GetSystemTime.KERNEL32(?,02FA5200,?,?,?,?,?,?,?,?,?,02F84F38,?,00000014), ref: 02F92D8A

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02F8B118
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02F8B277
RtlAllocateHeap.NTDLL(00000000), ref: 02F8B27E
lstrcat.KERNEL32(?,00000000), ref: 02F8B3A4
lstrcat.KERNEL32(?,02FA8E54), ref: 02F8B3B2
lstrcat.KERNEL32(?,00000000), ref: 02F8B3C4
lstrcat.KERNEL32(?,02FA8E54), ref: 02F8B3D2
lstrcat.KERNEL32(?,00000000), ref: 02F8B3E4
lstrcat.KERNEL32(?,02FA8E54), ref: 02F8B3F2
lstrcat.KERNEL32(?,02FA8E54), ref: 02F8B412
lstrcat.KERNEL32(?,00000000), ref: 02F8B424
lstrcat.KERNEL32(?,02FA8E54), ref: 02F8B432
lstrcat.KERNEL32(?,00000000), ref: 02F8B444
lstrcat.KERNEL32(?,02FA8E54), ref: 02F8B452
lstrcat.KERNEL32(?,00000000), ref: 02F8B464
lstrcat.KERNEL32(?,02FA8E48), ref: 02F8B472
lstrlen.KERNEL32(?), ref: 02F8B4BF
lstrlen.KERNEL32(?), ref: 02F8B4CD

Part of subcall function 02F98DB9: _MSFOpenExW.MSPDB140-MSVCRT ref: 02F98E6C
Part of subcall function 02F98DB9: CreateThread.KERNEL32(00000000,00000000,Function_00017C65,?,00000000,00000000), ref: 02F98E85
Part of subcall function 02F98DB9: WaitForSingleObject.KERNEL32(?,000003E8), ref: 02F98E96

lstrcat.KERNEL32(?,00000000), ref: 02F8B404

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F935B9: memset.MSVCRT ref: 02F935D4
Part of subcall function 02F935B9: OpenProcess.KERNEL32(00001001,00000000,?), ref: 02F9368A
Part of subcall function 02F935B9: TerminateProcess.KERNEL32(00000000,00000000), ref: 02F936A7
Part of subcall function 02F935B9: CloseHandle.KERNEL32(00000000), ref: 02F936B3

Part of subcall function 02F91715: lstrlen.KERNEL32(02F860AC,?,?,02F860AC,02FA5200), ref: 02F9171F
Part of subcall function 02F91715: lstrcpy.KERNEL32(02FA5200,00000000), ref: 02F9176D

memset.MSVCRT ref: 02F8B518
DeleteFileA.KERNEL32(00000000), ref: 02F8B53D

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcat$lstrcpy$lstrlen$Process$FileHeapOpenmemset$AllocateCloseCopyCreateDeleteHandleObjectSingleSystemTerminateThreadTimeWait
String ID:
API String ID: 1766615643-0
Opcode ID: de2655c8099bef5196a78a8082bca48afcc4c2474d3958b914c5494cc4a38b58
Instruction ID: fb1abfe45982d8befbde5916096df336f90fca1422cdae0ffbaa07891acd5934
Opcode Fuzzy Hash: de2655c8099bef5196a78a8082bca48afcc4c2474d3958b914c5494cc4a38b58
Instruction Fuzzy Hash: 1FE1DF7294010AAAEF19FBA0DC55DEE7B7AFF18385F104175E20BA10A0EF325A45CF61

Function 02F94F8C Relevance: 21.2, APIs: 14, Instructions: 151stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,02FA8D84), ref: 02F94FB1
ExitProcess.KERNEL32 ref: 02F94FBD
strtok_s.MSVCRT ref: 02F94FD4

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: ExitProcessstrtok_s
String ID:
API String ID: 3407564107-0
Opcode ID: d30f128205889b290d07ff60210c694fa165c41842472468e65feaf5c1baec00
Instruction ID: 425d0c767bb7037b3e254526c1db247d44ffb23104dc86995a142845280dfcc6
Opcode Fuzzy Hash: d30f128205889b290d07ff60210c694fa165c41842472468e65feaf5c1baec00
Instruction Fuzzy Hash: 825137B1A4420AFFFF15EF50E854B9E7BB0BB14785F404569E602AB221D7B5CA90CF21

Function 02F94AB5 Relevance: 19.8, APIs: 13, Instructions: 317stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 02F94AEC
lstrcpy.KERNEL32(?,00000000), ref: 02F94BE0

Part of subcall function 02F92F92: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02F92FBC

Part of subcall function 02F933A2: StrStrA.SHLWAPI(?,?), ref: 02F933AC

lstrcpy.KERNEL32(?,00000000), ref: 02F94C1B

Part of subcall function 02F933A2: lstrcpyn.KERNEL32(031C0E18,?,?), ref: 02F933CF
Part of subcall function 02F933A2: lstrlen.KERNEL32(?), ref: 02F933E5
Part of subcall function 02F933A2: wsprintfA.USER32 ref: 02F93403

lstrcpy.KERNEL32(?,00000000), ref: 02F94C61
lstrcpy.KERNEL32(?,00000000), ref: 02F94CA7
lstrcpy.KERNEL32(?,00000000), ref: 02F94CED
lstrcpy.KERNEL32(?,00000000), ref: 02F94D33
lstrcpy.KERNEL32(?,00000000), ref: 02F94D79
lstrcpy.KERNEL32(?,00000000), ref: 02F94DBF
lstrcpy.KERNEL32(?,00000000), ref: 02F94E05

Part of subcall function 02F91715: lstrlen.KERNEL32(02F860AC,?,?,02F860AC,02FA5200), ref: 02F9171F
Part of subcall function 02F91715: lstrcpy.KERNEL32(02FA5200,00000000), ref: 02F9176D

strtok_s.MSVCRT ref: 02F94F62

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpy$lstrlenstrtok_s$FolderPathlstrcpynwsprintf
String ID:
API String ID: 434863430-0
Opcode ID: 62cb3204359e955136fe1f5925b9b589ed6507e09d63356c0104183160b84407
Instruction ID: a8a1f13fe5d19ab6dd905e2c453020e31e3a2629371dbb044705cc6111485bf2
Opcode Fuzzy Hash: 62cb3204359e955136fe1f5925b9b589ed6507e09d63356c0104183160b84407
Instruction Fuzzy Hash: C0D14E7194421EAFEF64EF64DC88EDA77B9BB28344F0005A5E609E2150EB35DAC5CF50

Function 02F97104 Relevance: 19.7, APIs: 13, Instructions: 174stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02F9711F
memset.MSVCRT ref: 02F97135

Part of subcall function 02F92F92: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02F92FBC

lstrcat.KERNEL32(?,00000000), ref: 02F97164
lstrcat.KERNEL32(?), ref: 02F97182
lstrcat.KERNEL32(?,?), ref: 02F97196
lstrcat.KERNEL32(?), ref: 02F971A9

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F92F4C: GetFileAttributesA.KERNEL32(00000000,?,02F81C1A,?,?,?,02FA5200), ref: 02F92F5B

Part of subcall function 02F87F8E: StrStrA.SHLWAPI(00000000,02FA8E20), ref: 02F87FDF

Part of subcall function 02F87CDF: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02F87D05
Part of subcall function 02F87CDF: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02F87D29
Part of subcall function 02F87CDF: LocalAlloc.KERNEL32(00000040,?), ref: 02F87D48
Part of subcall function 02F87CDF: ReadFile.KERNEL32(000000FF,00000000,?,02F81270,00000000), ref: 02F87D6E
Part of subcall function 02F87CDF: LocalFree.KERNEL32(00000000), ref: 02F87DA0
Part of subcall function 02F87CDF: CloseHandle.KERNEL32(000000FF), ref: 02F87DA9

Part of subcall function 02F934CA: GlobalAlloc.KERNEL32(00000000,?), ref: 02F934DC

StrStrA.SHLWAPI(?), ref: 02F9724F
GlobalFree.KERNEL32(?), ref: 02F97341

Part of subcall function 02F87DC2: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02F86095,00000000,00000000), ref: 02F87DE6
Part of subcall function 02F87DC2: LocalAlloc.KERNEL32(00000040,02F86095,?,?,02F86095,00000000,?), ref: 02F87DF7
Part of subcall function 02F87DC2: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02F86095,00000000,00000000), ref: 02F87E1D
Part of subcall function 02F87DC2: LocalFree.KERNEL32(00000000,?,?,02F86095,00000000,?), ref: 02F87E31

Part of subcall function 02F88093: memcmp.MSVCRT ref: 02F880AD
Part of subcall function 02F88093: memset.MSVCRT ref: 02F880DF
Part of subcall function 02F88093: LocalAlloc.KERNEL32(00000040,?), ref: 02F8812D

lstrcat.KERNEL32(?,00000000), ref: 02F972D7
StrCmpCA.SHLWAPI(?,02FA5200,?,?,?,?,000003E8), ref: 02F972F4
lstrcat.KERNEL32(00000000,00000000), ref: 02F97304
lstrcat.KERNEL32(00000000,?), ref: 02F97316
lstrcat.KERNEL32(00000000,02FA8E48), ref: 02F97324

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcat$Local$AllocFile$Freememset$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpymemcmp
String ID:
API String ID: 3908518890-0
Opcode ID: abcaf5f7b17a3e64120aa016203909a7668c26aef9f034dad7e7ca6c2f44ad16
Instruction ID: 8cd3a25f2f7bd4743df8d83b4d57f16bc3769a708b05c4fd2f13b8b1241d515f
Opcode Fuzzy Hash: abcaf5f7b17a3e64120aa016203909a7668c26aef9f034dad7e7ca6c2f44ad16
Instruction Fuzzy Hash: A36107B2D0021DBAEF15BBA0DD49FDEB7B9AB08340F1440A5E609E2051EB35DB948F61

Function 02F9FB08 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 183fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 02F9FB15
GetFileSize.KERNEL32(00000000,00000000), ref: 02F9FBD2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F9FBEE
ReadFile.KERNEL32(00000000,?,00000002,?,00000000), ref: 02F9FC03
SetFilePointer.KERNEL32(00000000,00000024,00000000,00000000), ref: 02F9FC12
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 02F9FC27
SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 02F9FC4D
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 02F9FC62

Strings

PE, xrefs: 02F9FC83
(, xrefs: 02F9FBDB

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID: ($PE
API String ID: 2979504256-3347799738
Opcode ID: a2c3b5a3b0c1ae13e9119100d181884d7b21dceceac0f746160094d90b5a816d
Instruction ID: aa8aa48d5ea778c794c52233135ed6eb9d66dbfc344c2a2a925492126cf5b7af
Opcode Fuzzy Hash: a2c3b5a3b0c1ae13e9119100d181884d7b21dceceac0f746160094d90b5a816d
Instruction Fuzzy Hash: 69710471D10209EFEF15CF98D886BADBBB0FF08344F108469EA15EA290D771AA95CB40

Function 02F9A508 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02F9A51F
memset.MSVCRT ref: 02F9A52F
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02F9A545

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

ShellExecuteEx.SHELL32(0000003C), ref: 02F9A717
memset.MSVCRT ref: 02F9A725
memset.MSVCRT ref: 02F9A73B
ExitProcess.KERNEL32 ref: 02F9A750

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Strings

<, xrefs: 02F9A6DA

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpymemset$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: <
API String ID: 1134881415-4251816714
Opcode ID: 9203109c39fddf7344007cb8db0be0a35d0f33e25d70b2ca2cda29638d80d12b
Instruction ID: 581e5c61407e16c69c42ece75ba2b61043e6a2ece58f919a19e12f57457bf619
Opcode Fuzzy Hash: 9203109c39fddf7344007cb8db0be0a35d0f33e25d70b2ca2cda29638d80d12b
Instruction Fuzzy Hash: CC51B9B280111D9AEF15EB60CD91FDE777DAF14341F8011B9E70AA2091EF716B88CE55

Function 02F8613F Relevance: 13.6, APIs: 9, Instructions: 130networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F8430F: ??_U@YAPAXI@Z.MSVCRT ref: 02F84387
Part of subcall function 02F8430F: ??_U@YAPAXI@Z.MSVCRT ref: 02F8439B
Part of subcall function 02F8430F: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02F843B9
Part of subcall function 02F8430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 02F843C9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F861A8
StrCmpCA.SHLWAPI(?), ref: 02F861E6
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 02F86229
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02F8624D
InternetReadFile.WININET(?,?,00000400,?), ref: 02F86271
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 02F8629D
CloseHandle.KERNEL32(?,?,00000400), ref: 02F862DB
InternetCloseHandle.WININET(?), ref: 02F862E4
InternetCloseHandle.WININET(00000000), ref: 02F862F0

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2507841554-0
Opcode ID: 086fec800113cb7fa0ca75c5df7e142f066c1a88d50affd76f7f7f2409e1c57d
Instruction ID: a22fbd0c6f895cb02aa95cb078c9625984be217061186540610b782143d13ecb
Opcode Fuzzy Hash: 086fec800113cb7fa0ca75c5df7e142f066c1a88d50affd76f7f7f2409e1c57d
Instruction Fuzzy Hash: C7512AB1940219AFEF20EF60DC44BEEB7B9FB04345F1040A5E715E6091DB71AA89CF55

Function 02F9F930 Relevance: 13.6, APIs: 9, Instructions: 86stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,02FA0A84,?), ref: 02F9F937
StrCmpCA.SHLWAPI(?,02FAAA34,?,?,02FA0A84,?), ref: 02F9F981
StrCmpCA.SHLWAPI(?,02FAAA2C,?,?,02FA0A84,?), ref: 02F9F99A
StrCmpCA.SHLWAPI(?,02FAAA24,?,?,02FA0A84,?), ref: 02F9F9B3

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: c3a2e42ef2b6cdf5bfd924295709e0afd2f4a9059e455f5b5eb362cd0309f203
Instruction ID: 5463518c8a0280d75a1a53cca973e769cdf6174b72e662071c4b3f83638b6f56
Opcode Fuzzy Hash: c3a2e42ef2b6cdf5bfd924295709e0afd2f4a9059e455f5b5eb362cd0309f203
Instruction Fuzzy Hash: 73312774F88208FBFF01DF61CE65AAD7BB1AE227C8B104551E602E6525D371CA22EA00

Function 02F97C93 Relevance: 12.6, APIs: 10, Instructions: 121stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02F97CAA

Part of subcall function 02F92F92: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02F92FBC

lstrcat.KERNEL32(?,00000000), ref: 02F97CD1
lstrcat.KERNEL32(?,02FA97E8), ref: 02F97CEE

Part of subcall function 02F977D3: wsprintfA.USER32 ref: 02F977EB
Part of subcall function 02F977D3: FindFirstFileA.KERNEL32(?,?), ref: 02F97802

memset.MSVCRT ref: 02F97D2E
lstrcat.KERNEL32(?,00000000), ref: 02F97D55
lstrcat.KERNEL32(?,02FA97CC), ref: 02F97D72

Part of subcall function 02F977D3: StrCmpCA.SHLWAPI(?,02FA5240), ref: 02F97830
Part of subcall function 02F977D3: StrCmpCA.SHLWAPI(?,02FA523C), ref: 02F97846
Part of subcall function 02F977D3: FindNextFileA.KERNEL32(000000FF,?), ref: 02F97AE3
Part of subcall function 02F977D3: FindClose.KERNEL32(000000FF), ref: 02F97AF7

memset.MSVCRT ref: 02F97DB2
lstrcat.KERNEL32(?,00000000), ref: 02F97DD9
lstrcat.KERNEL32(?,02FA97AC), ref: 02F97DF6

Part of subcall function 02F977D3: wsprintfA.USER32 ref: 02F9786B
Part of subcall function 02F977D3: StrCmpCA.SHLWAPI(?,02FA5200), ref: 02F9787C
Part of subcall function 02F977D3: wsprintfA.USER32 ref: 02F97899
Part of subcall function 02F977D3: PathMatchSpecA.SHLWAPI(?,?), ref: 02F978CD
Part of subcall function 02F977D3: lstrcat.KERNEL32(?,?), ref: 02F978F9
Part of subcall function 02F977D3: lstrcat.KERNEL32(?,02FA51E8), ref: 02F9790B
Part of subcall function 02F977D3: lstrcat.KERNEL32(?,?), ref: 02F9791B
Part of subcall function 02F977D3: lstrcat.KERNEL32(?,02FA51E8), ref: 02F9792D
Part of subcall function 02F977D3: lstrcat.KERNEL32(?,?), ref: 02F97941

memset.MSVCRT ref: 02F97E36

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcat$memset$Findwsprintf$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 2615841231-0
Opcode ID: d102e567a86ed4b71d9b9ecdecf1ad35eb8e188d0e0f49b9f78bdde3dceebb65
Instruction ID: cfaa38ceece670baf371feaa0e1d60ec17cb8f84957ea42588363ff09cbef7bd
Opcode Fuzzy Hash: d102e567a86ed4b71d9b9ecdecf1ad35eb8e188d0e0f49b9f78bdde3dceebb65
Instruction Fuzzy Hash: CE4132B6A4421C76FF14FAA0DC56ECA77AD6B24740F400561B74AE6080EEB5D6C88F62

Function 02F8E638 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 02F8E65F
strchr.MSVCRT ref: 02F8E6BA

Strings

0123456789ABCDEF, xrefs: 02F8E647

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrlenstrchr
String ID: 0123456789ABCDEF
API String ID: 2484550801-2554083253
Opcode ID: f2880f17f2eddda58bc5e6f7a32ed45028346f1b9183eb321a082ae2b43b0dc1
Instruction ID: 6ebb9099b661abd14a3c124c1eca8fbc2c43541d4cede44eb94d0b96da02483e
Opcode Fuzzy Hash: f2880f17f2eddda58bc5e6f7a32ed45028346f1b9183eb321a082ae2b43b0dc1
Instruction Fuzzy Hash: E151E375D0420DAFDF00EFA8C845BEDBBB5EF09390F1084A9E619AB291D7759A84CF50

Function 02F910F9 Relevance: 10.7, APIs: 7, Instructions: 163COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 02F91107
OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,00000000), ref: 02F91146
memset.MSVCRT ref: 02F91194
??_V@YAXPAX@Z.MSVCRT ref: 02F91339

Part of subcall function 02F8FE78: strlen.MSVCRT ref: 02F8FE96

Part of subcall function 02F9002F: memcpy.MSVCRT ref: 02F90062

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: OpenProcessmemcpymemsetstrlen
String ID:
API String ID: 4248304612-0
Opcode ID: c4a0d86e69f274f9e2c136c3898b2fc8c6108eb97aab74f5b7f7c549131a6af1
Instruction ID: 228f285d62a271441eba4337a449d083c3e5555655092d65d39fa937276ff36e
Opcode Fuzzy Hash: c4a0d86e69f274f9e2c136c3898b2fc8c6108eb97aab74f5b7f7c549131a6af1
Instruction Fuzzy Hash: 64614AB1D40219AFFF20DBA4DC91FEEB7B5EB04784F5040A9E719A6190DBB06A84CF45

Function 02F9254A Relevance: 10.5, APIs: 7, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00000000,00000000,00000000), ref: 02F9255C
GetDeviceCaps.GDI32(?,00000008), ref: 02F9256A
GetDeviceCaps.GDI32(?,0000000A), ref: 02F92578
ReleaseDC.USER32(00000000,?), ref: 02F92586
GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F92593
RtlAllocateHeap.NTDLL(00000000), ref: 02F9259A
wsprintfA.USER32 ref: 02F925B1

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: CapsDeviceHeap$AllocateCreateProcessReleaselstrcpywsprintf
String ID:
API String ID: 81802983-0
Opcode ID: 7b74f5543a8d33bb700ea6005d05f35289c613dee0290a3e1eca24f4e52ae9b5
Instruction ID: b0950d7f5ccf58af42d254b22504c6ad1c32d937fb8436f419f50fd3ace19bc7
Opcode Fuzzy Hash: 7b74f5543a8d33bb700ea6005d05f35289c613dee0290a3e1eca24f4e52ae9b5
Instruction Fuzzy Hash: 3E01D674990209FFEB05BFA0DD0ABAD7FB1FB08745F104020FA02B51A5D7B15A609F61

Function 02F8F99F Relevance: 9.4, APIs: 6, Instructions: 360COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,?,?), ref: 02F8F9EF
StrCmpCA.SHLWAPI(00000000,?,?), ref: 02F8FA75
StrCmpCA.SHLWAPI(00000000,?,?), ref: 02F8FB84

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

StrCmpCA.SHLWAPI(00000000), ref: 02F8FC57
StrCmpCA.SHLWAPI(00000000), ref: 02F8FCDD

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 22580dc39b034ac6a143c686bb5c5c46acfa1b7c6fee8fa3119f14c2e26c151c
Instruction ID: 27e45961432027f67d9b3e3726dfa975eb141d5a0cc5389bee2660a87615d635
Opcode Fuzzy Hash: 22580dc39b034ac6a143c686bb5c5c46acfa1b7c6fee8fa3119f14c2e26c151c
Instruction Fuzzy Hash: 57D14272A0010A9BDF24FA74DD95EEE77BABB54344F100125DA0AEB190EE31DB49CF91

Function 02F810B9 Relevance: 9.2, APIs: 6, Instructions: 150stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 02F81055: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F81069
Part of subcall function 02F81055: RtlAllocateHeap.NTDLL(00000000), ref: 02F81070
Part of subcall function 02F81055: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 02F8108A
Part of subcall function 02F81055: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 02F810A5
Part of subcall function 02F81055: RegCloseKey.ADVAPI32(?), ref: 02F810AE

lstrcat.KERNEL32(?,00000000), ref: 02F810F7
lstrlen.KERNEL32(?), ref: 02F81104
lstrcat.KERNEL32(?,02FA5204), ref: 02F8111F

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

Part of subcall function 02F92D64: GetSystemTime.KERNEL32(?,02FA5200,?,?,?,?,?,?,?,?,?,02F84F38,?,00000014), ref: 02F92D8A

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

CopyFileA.KERNEL32(?,00000000,00000001), ref: 02F81246

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F87CDF: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02F87D05
Part of subcall function 02F87CDF: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02F87D29
Part of subcall function 02F87CDF: LocalAlloc.KERNEL32(00000040,?), ref: 02F87D48
Part of subcall function 02F87CDF: ReadFile.KERNEL32(000000FF,00000000,?,02F81270,00000000), ref: 02F87D6E
Part of subcall function 02F87CDF: LocalFree.KERNEL32(00000000), ref: 02F87DA0
Part of subcall function 02F87CDF: CloseHandle.KERNEL32(000000FF), ref: 02F87DA9

DeleteFileA.KERNEL32(00000000), ref: 02F812CB
memset.MSVCRT ref: 02F812F2

Part of subcall function 02F98DB9: _MSFOpenExW.MSPDB140-MSVCRT ref: 02F98E6C
Part of subcall function 02F98DB9: CreateThread.KERNEL32(00000000,00000000,Function_00017C65,?,00000000,00000000), ref: 02F98E85
Part of subcall function 02F98DB9: WaitForSingleObject.KERNEL32(?,000003E8), ref: 02F98E96

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Filelstrcpy$lstrcat$CloseCreateHeapLocalOpenlstrlen$AllocAllocateCopyDeleteFreeHandleObjectProcessQueryReadSingleSizeSystemThreadTimeValueWaitmemset
String ID:
API String ID: 3222764692-0
Opcode ID: 1eb6c9e2ec86a8749d479c4f0b342f1c81f28f4f4d2b5e143c70abaf4191b8df
Instruction ID: 6402fb1cef0a4a349e441a7444e0501e888785f1a4dfb1dac430ee0646e6a3e3
Opcode Fuzzy Hash: 1eb6c9e2ec86a8749d479c4f0b342f1c81f28f4f4d2b5e143c70abaf4191b8df
Instruction Fuzzy Hash: 7B51FDB1D4021E9AEF15FB60DD95EEE737DAB14380F4001B5E70EA2091EE319B89CE55

Function 02F945D9 Relevance: 9.1, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 02F94601
StrCmpCA.SHLWAPI(00000000,02FA95CC), ref: 02F94671

Part of subcall function 02F91715: lstrlen.KERNEL32(02F860AC,?,?,02F860AC,02FA5200), ref: 02F9171F
Part of subcall function 02F91715: lstrcpy.KERNEL32(02FA5200,00000000), ref: 02F9176D

strtok_s.MSVCRT ref: 02F94783

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 1c001b82be10a9604b191e4bcc32a4386aaa1d8b1c349eb04460ea097e41edd1
Instruction ID: 5dd0a7bd711d7762ca907527ece452d5798beadb2b174ba2120bf377174285ce
Opcode Fuzzy Hash: 1c001b82be10a9604b191e4bcc32a4386aaa1d8b1c349eb04460ea097e41edd1
Instruction Fuzzy Hash: 1D515EB5A4020EEFEF04DF54D995AAE7BB0FF19389F004069E901AB250D735DA52CF92

Function 02F96F6B Relevance: 9.1, APIs: 6, Instructions: 112registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02F96F90
RegOpenKeyExA.ADVAPI32(80000001,00000000,00020119,?), ref: 02F96FAE
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,000000FF), ref: 02F96FD0
RegCloseKey.ADVAPI32(?), ref: 02F96FD9
lstrcat.KERNEL32(?,00000000), ref: 02F96FFE
lstrcat.KERNEL32(?), ref: 02F97011

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 2662f5556f13bc1ed87bc64f078a73bbe037e62f5052b20ef064f198bb850541
Instruction ID: 7be98f319198e90b9dc613c60d9ddcb0e4ff7513e81980dbbc1cc98faf8dc0e6
Opcode Fuzzy Hash: 2662f5556f13bc1ed87bc64f078a73bbe037e62f5052b20ef064f198bb850541
Instruction Fuzzy Hash: C9412CB290010CBADF15FBA0DC4AEDEBB7DAB08740F540595A719E6080E77097D88FA2

Function 02F87CDF Relevance: 9.1, APIs: 6, Instructions: 74filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02F87D05
GetFileSizeEx.KERNEL32(000000FF,?), ref: 02F87D29
LocalAlloc.KERNEL32(00000040,?), ref: 02F87D48
ReadFile.KERNEL32(000000FF,00000000,?,02F81270,00000000), ref: 02F87D6E
LocalFree.KERNEL32(00000000), ref: 02F87DA0
CloseHandle.KERNEL32(000000FF), ref: 02F87DA9

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: e8b9ff206b320f0578a341a42519d4f734ebc3301f6a2c9922d4326d385199cc
Instruction ID: df4e9db96cb6acd8ac73aa202534f62390bec5d0d5b60dc3af7e324634bdf2d2
Opcode Fuzzy Hash: e8b9ff206b320f0578a341a42519d4f734ebc3301f6a2c9922d4326d385199cc
Instruction Fuzzy Hash: FD31E475E00209EFDF11EF94D849BEDBBB4BF09355F204064EA02A72A0E7749A91CF61

Function 02FA38A1 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02FA38AD

Part of subcall function 02FA2B51: __getptd_noexit.LIBCMT ref: 02FA2B54
Part of subcall function 02FA2B51: __amsg_exit.LIBCMT ref: 02FA2B61

__amsg_exit.LIBCMT ref: 02FA38CD
__lock.LIBCMT ref: 02FA38DD
InterlockedDecrement.KERNEL32(?), ref: 02FA38FA
_free.LIBCMT ref: 02FA390D
InterlockedIncrement.KERNEL32(02FB03C0), ref: 02FA3925

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 30e2c737b5092a237ab80e14c8a0e858504931a921b7e50d9c262da97fa6e65d
Instruction ID: 9d98f42d602e6c9b98fc9efeaa7812f40873e3e56688de1f00cbde68c3e5e188
Opcode Fuzzy Hash: 30e2c737b5092a237ab80e14c8a0e858504931a921b7e50d9c262da97fa6e65d
Instruction Fuzzy Hash: 3A0126F2E41725EBD721AB6498B470EB371BF047D0F050048EE04A7680CB30A601CFD1

Function 02F97659 Relevance: 8.8, APIs: 7, Instructions: 98stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 02F976B3

Part of subcall function 02F92F92: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02F92FBC

lstrcat.KERNEL32(?,00000000), ref: 02F976D8
lstrcat.KERNEL32(?,?), ref: 02F976F7
lstrcat.KERNEL32(?,?), ref: 02F9770B
lstrcat.KERNEL32(?), ref: 02F9771E
lstrcat.KERNEL32(?,?), ref: 02F97732
lstrcat.KERNEL32(?), ref: 02F97745

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F92F4C: GetFileAttributesA.KERNEL32(00000000,?,02F81C1A,?,?,?,02FA5200), ref: 02F92F5B

Part of subcall function 02F9738D: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 02F9739D
Part of subcall function 02F9738D: RtlAllocateHeap.NTDLL(00000000), ref: 02F973A4
Part of subcall function 02F9738D: wsprintfA.USER32 ref: 02F973BF
Part of subcall function 02F9738D: FindFirstFileA.KERNEL32(?,?), ref: 02F973D6

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 2540262943-0
Opcode ID: 123567412e52804157e83bcd48561018549629b3e09f85380402d5176b461a8c
Instruction ID: 450c93b9cd5606ef8bedfc53f920f233327dae89c8b2897240cff8ac2db81fd4
Opcode Fuzzy Hash: 123567412e52804157e83bcd48561018549629b3e09f85380402d5176b461a8c
Instruction Fuzzy Hash: 5B31D7B294021DABDF14FBB4DC99EDE77BDAB08344F4444A2A709D2044EB74D6888FA1

Function 02FA3A02 Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 02FA3A34
GetCPInfo.KERNEL32(?,?), ref: 02FA3A47
memset.MSVCRT ref: 02FA3A5F
setSBUpLow.LIBCMT ref: 02FA3B35

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: 72af1316eb2f4c892f6965ac4a6d2c14edc2625d14fb1848fbc251cfcc61d789
Instruction ID: fa5b4fea7edf6c6c3266e6f436bec53ccbf11c32999f4012c81fe8546693a021
Opcode Fuzzy Hash: 72af1316eb2f4c892f6965ac4a6d2c14edc2625d14fb1848fbc251cfcc61d789
Instruction Fuzzy Hash: A33129E1E052955BEB25AF34C8B437ABFA69F013C5F0485EADA96CF196C738C005CB50

Function 02FA3605 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02FA3611

Part of subcall function 02FA2B51: __getptd_noexit.LIBCMT ref: 02FA2B54
Part of subcall function 02FA2B51: __amsg_exit.LIBCMT ref: 02FA2B61

__getptd.LIBCMT ref: 02FA3628
__amsg_exit.LIBCMT ref: 02FA3636
__lock.LIBCMT ref: 02FA3646
__updatetlocinfoEx_nolock.LIBCMT ref: 02FA365A

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 8bbe1cce72b62f334afbeb2552eac481bb3c9ebbe4270f76648eee30a98925fd
Instruction ID: b16db6cf6222c977fd0605b8b32af5a60184aebedce2e016a701185b6fd16bf7
Opcode Fuzzy Hash: 8bbe1cce72b62f334afbeb2552eac481bb3c9ebbe4270f76648eee30a98925fd
Instruction Fuzzy Hash: A6F090F2E403149BE721BB7C9C76B0E73A2AF007E0F524289DA1A6B3D1CB74A5019F55

Function 00964DFF Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00964E0B

Part of subcall function 0096434B: __getptd_noexit.LIBCMT ref: 0096434E
Part of subcall function 0096434B: __amsg_exit.LIBCMT ref: 0096435B

__getptd.LIBCMT ref: 00964E22
__amsg_exit.LIBCMT ref: 00964E30
__lock.LIBCMT ref: 00964E40
__updatetlocinfoEx_nolock.LIBCMT ref: 00964E54

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 0a16d61427dd0ced875d63647838a8cae0625b6b0717d412d59fda75c559c5ee
Instruction ID: 49e02b12d3cdaf25f4ddaa71f119d021f173025939ce5765e5e404522ff22d54
Opcode Fuzzy Hash: 0a16d61427dd0ced875d63647838a8cae0625b6b0717d412d59fda75c559c5ee
Instruction Fuzzy Hash: 04F0B432E44710ABDB33BBF8D803B4D33E07F40720F61811AF4406B2D2CB255E419A5A

Function 02F81055 Relevance: 7.5, APIs: 5, Instructions: 32registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F81069
RtlAllocateHeap.NTDLL(00000000), ref: 02F81070
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 02F8108A
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 02F810A5
RegCloseKey.ADVAPI32(?), ref: 02F810AE

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 55ee063e8a4a846719aef61a004566e544a66e827cd458c60738d0e756f1c262
Instruction ID: 13be341c0fb0fb2999c3e4101a0eb4d171c1a08b1f4b1c9fd24e48006dbae26a
Opcode Fuzzy Hash: 55ee063e8a4a846719aef61a004566e544a66e827cd458c60738d0e756f1c262
Instruction Fuzzy Hash: C4F0F475980209BBDF01AFA0EC0AB9DBFB8FB08745F104060F601A5195D77196609B50

Function 02F9ACB7 Relevance: 7.5, APIs: 6, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000014), ref: 02F9ACB9
Sleep.KERNEL32(00000014), ref: 02F9ACC1
Sleep.KERNEL32(00000014), ref: 02F9ACC9
Sleep.KERNEL32(00000014), ref: 02F9ACD1
Sleep.KERNEL32(00000014), ref: 02F9ACD9
Sleep.KERNEL32(00000014), ref: 02F9ACE1

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a1cf97cd3c312f8e5f5a644fa782029d6ad7562be33d43eb183084f9be2795ec
Instruction ID: 5ad25ea5ba1cd5105fa7fa88654ccabb48f775d50ee0cc08c347db9c69edd155
Opcode Fuzzy Hash: a1cf97cd3c312f8e5f5a644fa782029d6ad7562be33d43eb183084f9be2795ec
Instruction Fuzzy Hash: 4DE09F315E115E7FDB0477D0A81DBD93E259B19745F144030A3069C1E5CAF141D49B31

Function 02F90F6B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 138stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 02F90F80
??_U@YAPAXI@Z.MSVCRT ref: 02F90FA5

Part of subcall function 02F90C9B: strlen.MSVCRT ref: 02F90CA9
Part of subcall function 02F90C9B: strlen.MSVCRT ref: 02F90CC2

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 02F90FDE

Part of subcall function 02F90E69: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 02F90E7D

Strings

@, xrefs: 02F90FF2

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: 9b825060fa661a2b5334f661a97c049a3dd1d3011f55dd5f43dfb8141955b659
Instruction ID: 9c067f1791b7bd8042052664d9d16221dbdc76679c349126ec9ee52731c2bae1
Opcode Fuzzy Hash: 9b825060fa661a2b5334f661a97c049a3dd1d3011f55dd5f43dfb8141955b659
Instruction Fuzzy Hash: D351E572D0414EEFEF04CF94D942AAEBBB6FB08744F108425FA28A6260D7369A51DF51

Function 02F8B585 Relevance: 6.3, APIs: 4, Instructions: 276filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F92D64: GetSystemTime.KERNEL32(?,02FA5200,?,?,?,?,?,?,?,?,?,02F84F38,?,00000014), ref: 02F92D8A

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02F8B639
lstrlen.KERNEL32(00000000), ref: 02F8B878
lstrlen.KERNEL32(00000000), ref: 02F8B88C
DeleteFileA.KERNEL32(00000000), ref: 02F8B902

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F935B9: memset.MSVCRT ref: 02F935D4
Part of subcall function 02F935B9: OpenProcess.KERNEL32(00001001,00000000,?), ref: 02F9368A
Part of subcall function 02F935B9: TerminateProcess.KERNEL32(00000000,00000000), ref: 02F936A7
Part of subcall function 02F935B9: CloseHandle.KERNEL32(00000000), ref: 02F936B3

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpy$lstrlen$FileProcesslstrcat$CloseCopyDeleteHandleOpenSystemTerminateTimememset
String ID:
API String ID: 3550353556-0
Opcode ID: 0170902d8165d497429c169e34b5f6cbfce42c1af06a8a53d9e75a2d2c794f2d
Instruction ID: d6e2f2542971cc3c4551485108d29d761dcdcbac4f4b470652cb933b9524541e
Opcode Fuzzy Hash: 0170902d8165d497429c169e34b5f6cbfce42c1af06a8a53d9e75a2d2c794f2d
Instruction Fuzzy Hash: DAA1AD7191011EAAEF15FBA0DCA5EEF737AAF14381F504175E60BE2090EF329A48CE51

Function 02F8B94A Relevance: 6.2, APIs: 4, Instructions: 245filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F92D64: GetSystemTime.KERNEL32(?,02FA5200,?,?,?,?,?,?,?,?,?,02F84F38,?,00000014), ref: 02F92D8A

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02F8B9F8
lstrlen.KERNEL32(00000000), ref: 02F8BBC6
lstrlen.KERNEL32(00000000), ref: 02F8BBDA
DeleteFileA.KERNEL32(00000000), ref: 02F8BC50

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Part of subcall function 02F935B9: memset.MSVCRT ref: 02F935D4
Part of subcall function 02F935B9: OpenProcess.KERNEL32(00001001,00000000,?), ref: 02F9368A
Part of subcall function 02F935B9: TerminateProcess.KERNEL32(00000000,00000000), ref: 02F936A7
Part of subcall function 02F935B9: CloseHandle.KERNEL32(00000000), ref: 02F936B3

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpy$lstrlen$FileProcesslstrcat$CloseCopyDeleteHandleOpenSystemTerminateTimememset
String ID:
API String ID: 3550353556-0
Opcode ID: 54b1d4a7f91f6c51fb5b7f734c413ab651ac6a0fd43c31476e1d649751816d83
Instruction ID: 775d6f62bbefd362c476c5ea71bf168b50818dfeecd0d13400517378f40857ad
Opcode Fuzzy Hash: 54b1d4a7f91f6c51fb5b7f734c413ab651ac6a0fd43c31476e1d649751816d83
Instruction Fuzzy Hash: E691AB7191011AAAEF15FBA0DC65EEF737AAF14385F500175E60BE2090EF329A49CF51

Function 02FA0255 Relevance: 6.1, APIs: 4, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,02FA0AC0,00000000), ref: 02FA02BA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 02FA030A

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 90c26c1415a0b1f833a8dfd249656465866b5d7774836a2ae63093776d972dca
Instruction ID: 409c2fbbe96f6851945bcc88851e0e387375684cb0382cf2607ec20016af6407
Opcode Fuzzy Hash: 90c26c1415a0b1f833a8dfd249656465866b5d7774836a2ae63093776d972dca
Instruction Fuzzy Hash: 0A51F071E00208AFDB04DFA8C885BEDBBF0AF08354F10C15AE925AB2A1D771A945CF64

Function 02F88093 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 02F880AD
memset.MSVCRT ref: 02F880DF
LocalAlloc.KERNEL32(00000040,?), ref: 02F8812D

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F91715: lstrlen.KERNEL32(02F860AC,?,?,02F860AC,02FA5200), ref: 02F9171F
Part of subcall function 02F91715: lstrcpy.KERNEL32(02FA5200,00000000), ref: 02F9176D

Part of subcall function 02F916B4: lstrcpy.KERNEL32(?,02F98CE8), ref: 02F916F4

Strings

@, xrefs: 02F880E7

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: @
API String ID: 1400469952-2766056989
Opcode ID: 99954221d47abd12851d8adad8dca4d5f32dfa86ffb939f35f793da7ace0ca2f
Instruction ID: f771be4310976aba76fb0e9c081917d5013e228242287150ba907b4cca9fea25
Opcode Fuzzy Hash: 99954221d47abd12851d8adad8dca4d5f32dfa86ffb939f35f793da7ace0ca2f
Instruction Fuzzy Hash: 8D41B471A1020DEFEF04EFA4CC55BEDBBB6BF04384F444024EA1AAA190DB75AA55CF50

Function 02F935B9 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02F935D4

Part of subcall function 02F92F18: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,02F93607,00000000), ref: 02F92F23
Part of subcall function 02F92F18: RtlAllocateHeap.NTDLL(00000000), ref: 02F92F2A
Part of subcall function 02F92F18: wsprintfW.USER32 ref: 02F92F3E

OpenProcess.KERNEL32(00001001,00000000,?), ref: 02F9368A
TerminateProcess.KERNEL32(00000000,00000000), ref: 02F936A7
CloseHandle.KERNEL32(00000000), ref: 02F936B3

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 3729781310-0
Opcode ID: a217a5eb45fa3d190fd61b20b2a65617ca2bbed2d7e1484e54341296813cd301
Instruction ID: a72f40ed6bef2263dcaf171d1c38b78c9943ea92f2a6c80080ec6f239a4a4bfa
Opcode Fuzzy Hash: a217a5eb45fa3d190fd61b20b2a65617ca2bbed2d7e1484e54341296813cd301
Instruction Fuzzy Hash: 2A31D371E4021CAFEF10EBE4CD49BDDBBB9AB08345F104065E606EA294DB749A89CF51

Function 0096509B Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 009650A7

Part of subcall function 0096434B: __getptd_noexit.LIBCMT ref: 0096434E
Part of subcall function 0096434B: __amsg_exit.LIBCMT ref: 0096435B

__amsg_exit.LIBCMT ref: 009650C7
__lock.LIBCMT ref: 009650D7
_free.LIBCMT ref: 00965107

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: 412ba1f99cb2b625b598c99369b739e98dd4baf869d12b9fb5de685f2d1f30fb
Instruction ID: 6fed57b009e3a7edd24e15471fcc565386f7b56549ef4f97cb5f9598a098a672
Opcode Fuzzy Hash: 412ba1f99cb2b625b598c99369b739e98dd4baf869d12b9fb5de685f2d1f30fb
Instruction Fuzzy Hash: E601D231A05F21ABC720EB68E806B5D77B4BF01750F574115F804AB280DB34EA41CBD9

Function 02F93413 Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02F9342E
GetFileSizeEx.KERNEL32(000000FF,?), ref: 02F9344A
CloseHandle.KERNEL32(000000FF), ref: 02F93457

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: b044de33c0505e243018a84e4370bbfe44fdc453d6bd962d6889eb4ae83fe120
Instruction ID: 755a118f8a1d358f356f57afbe5b94be7373b7785dd13b556fa18e77eca278eb
Opcode Fuzzy Hash: b044de33c0505e243018a84e4370bbfe44fdc453d6bd962d6889eb4ae83fe120
Instruction Fuzzy Hash: D3F01D34E40208FBEF11AF74ED09B8D7BB5BB44754F21C2B0E652B51A4D7B096519F50

Function 02F91C63 Relevance: 6.0, APIs: 4, Instructions: 31memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F91C70
RtlAllocateHeap.NTDLL(00000000), ref: 02F91C77
GetLocalTime.KERNEL32(?), ref: 02F91C84
wsprintfA.USER32 ref: 02F91CB1

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: 2a6ba09994cae66a33171ff4eb8212fb5a40e2024606739f56e0df539d2afb7c
Instruction ID: 96ad182498a256e13113d94b4f38e041183c7ad1110b9c6179b32f4538c1bc98
Opcode Fuzzy Hash: 2a6ba09994cae66a33171ff4eb8212fb5a40e2024606739f56e0df539d2afb7c
Instruction Fuzzy Hash: 74F0B2B6940219BECB54EBE99909ABEBAFCBB0C606F000051FA41E1085E678CA90D771

Function 0095387B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 009538C8
__aulldiv.LIBCMT ref: 009538D6

Strings

@, xrefs: 009538A5

Memory Dump Source

Source File: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: @
API String ID: 3732870572-2766056989
Opcode ID: e44640eb945edcdb330fccb508c3ea3b329ff7572ab2c3ac08101b3669067511
Instruction ID: e63c5512858eb90d130a4ecb1fd234d8b0a1281f7a1e7aa05c0a896f4e703c68
Opcode Fuzzy Hash: e44640eb945edcdb330fccb508c3ea3b329ff7572ab2c3ac08101b3669067511
Instruction Fuzzy Hash: 9D011EB0D40208FFEF00EBE0DC0ABAD7BB9BB01745F204454F711BA091D7B556159B54

Function 02F89C1A Relevance: 5.3, APIs: 4, Instructions: 265stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02F91668: lstrcpy.KERNEL32(?,00000000), ref: 02F916A7

Part of subcall function 02F9185B: lstrlen.KERNEL32(00000000,02FA8DAC,00000000,?,00000000), ref: 02F9186F
Part of subcall function 02F9185B: lstrcpy.KERNEL32(00000000,?), ref: 02F918A8
Part of subcall function 02F9185B: lstrcat.KERNEL32(00000000,00000000), ref: 02F918B4

Part of subcall function 02F917E0: lstrcpy.KERNEL32(00000000,?), ref: 02F9182C
Part of subcall function 02F917E0: lstrcat.KERNEL32(00000000,00000000), ref: 02F9183A

Part of subcall function 02F9177A: lstrcpy.KERNEL32(00000000,?), ref: 02F917D3

lstrlen.KERNEL32(00000000), ref: 02F89E0A

Part of subcall function 02F92FD6: LocalAlloc.KERNEL32(00000040,00000001), ref: 02F92FF2

StrStrA.SHLWAPI(00000000,02FA8EA0), ref: 02F89E36
lstrlen.KERNEL32(00000000), ref: 02F89F0D
lstrlen.KERNEL32(00000000), ref: 02F89F21

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpylstrlen$lstrcat$AllocLocal
String ID:
API String ID: 3306365304-0
Opcode ID: 3608464a673aebb2841350cac6d8acd5a9abd245727e47a8c9fd8e9b48f7a65f
Instruction ID: aeef3452bf596a795fe7ca24e5c0332678c9801eb89f737076f2eb49bc298e2d
Opcode Fuzzy Hash: 3608464a673aebb2841350cac6d8acd5a9abd245727e47a8c9fd8e9b48f7a65f
Instruction Fuzzy Hash: 22A1CE7290010AAAEF15FBA0DD55EEE777AAF14381F500175E60AB2090EF729A48CF61

Function 02F933A2 Relevance: 5.0, APIs: 4, Instructions: 35stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,?), ref: 02F933AC
lstrcpyn.KERNEL32(031C0E18,?,?), ref: 02F933CF
lstrlen.KERNEL32(?), ref: 02F933E5
wsprintfA.USER32 ref: 02F93403

Memory Dump Source

Source File: 00000000.00000002.2336025771.0000000002F81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02F81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f81000_file.jbxd

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID:
API String ID: 1206339513-0
Opcode ID: f01091b179c06a13a8f96cca3b29d5c88eaccf4fdb19c4ef4339656eea34c82b
Instruction ID: 77067cbfe1770a60a8ba941316fb01bea4f45c386636c6b6bcc08e2a7e816e51
Opcode Fuzzy Hash: f01091b179c06a13a8f96cca3b29d5c88eaccf4fdb19c4ef4339656eea34c82b
Instruction Fuzzy Hash: 3301E47695014CFFDF00DFA8CA49ADD7FB4EF08384F148454F9059A212C771EAA09B90

Source: https://steamcommunity.com/profiles/76561199730044335	Avira URL Cloud: Label: malware
Source: https://t.me/bu77un	Avira URL Cloud: Label: malware

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F87E41 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_02F87E41
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8AB80 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	0_2_02F8AB80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9302D CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_02F9302D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F87DC2 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_02F87DC2

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199730044335
Source: Malware configuration extractor	URLs: https://t.me/bu77un

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_23ac2d3598194099bfea53d8620e685cbd9df63_2fa1aaae_46522aeb-fbd2-4ad7-8707-f1f3c121c621\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F85.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6283.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER62B3.tmp.xml

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Windows Analysis Report
file.exe

Function 02F9A76B Relevance: 208.8, APIs: 139, Instructions: 337
sleepstringlibraryCOMMON

Function 02F9B050 Relevance: 182.0, APIs: 121, Instructions: 507
libraryloaderCOMMON

Function 02F84AD5 Relevance: 19.7, APIs: 13, Instructions: 197
networkmemoryfileCOMMON

Function 02F9AAD6 Relevance: 105.2, APIs: 70, Instructions: 160
sleepCOMMON

Function 02F84E03 Relevance: 38.2, APIs: 25, Instructions: 713
stringnetworkmemoryCOMMON

Function 02F858C4 Relevance: 30.6, APIs: 20, Instructions: 565
networkstringmemoryCOMMON

Function 02FA095B Relevance: 25.1, APIs: 12, Strings: 2, Instructions: 617
COMMONLIBRARYCODE

Function 02F98FD9 Relevance: 22.2, APIs: 4, Strings: 8, Instructions: 1237
networksleepCOMMON

Function 02F9218B Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 164
registryCOMMON

Function 02F91948 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 116
memorystringCOMMON

Function 02F843FA Relevance: 18.5, APIs: 12, Instructions: 451
networkstringfileCOMMON

Function 02F98167 Relevance: 17.2, APIs: 11, Instructions: 749
COMMON

Function 02F86312 Relevance: 16.7, APIs: 11, Instructions: 184
networkfileCOMMON

Function 02F84239 Relevance: 13.8, APIs: 11, Instructions: 73
memorystringCOMMON

Function 02F92081 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44
memoryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre