Edit tour

Windows Analysis Report
7Xex8yR90g.exe

Overview

General Information

Sample name:	7Xex8yR90g.exe renamed because original name is a hash value
Original sample name:	8242342835f51d7321b9ef1db28b40a0N.exe
Analysis ID:	1483223
MD5:	8242342835f51d7321b9ef1db28b40a0
SHA1:	e863d41d7641b3b9dd9fb9f6a73c5e512a84f512
SHA256:	f9b6fbded3e18fa7e6d458d236bb28e14f7276209879d03a60a973b1f2723d49
Tags:	exe
Infos:

Detection

Mars Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Mars stealer

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking locale)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

7Xex8yR90g.exe (PID: 4428 cmdline: "C:\Users\user\Desktop\7Xex8yR90g.exe" MD5: 8242342835F51D7321B9EF1DB28B40A0)

conhost.exe (PID: 1288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 3792 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://94.228.166.55/924cf5c06b0c4fee.php", "Botnet": "default"}

Threatname: Vidar

{"C2 url": "http://94.228.166.55/924cf5c06b0c4fee.php"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.7Xex8yR90g.exe.1f0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.7Xex8yR90g.exe.1f0000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 7Xex8yR90g.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://94.228.166.55/924cf5c06b0c4fee.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 2.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://94.228.166.55/924cf5c06b0c4fee.php", "Botnet": "default"}
Source: 2.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://94.228.166.55/924cf5c06b0c4fee.php"}

Multi AV Scanner detection for submitted file

Source: 7Xex8yR90g.exe

ReversingLabs: Detection: 100%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 7Xex8yR90g.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: 10
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: 07
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: 20
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: 24
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetProcAddress
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: LoadLibraryA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: lstrcatA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: OpenEventA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateEventA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CloseHandle
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Sleep
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: VirtualFree
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetSystemInfo
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: VirtualAlloc
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: HeapAlloc
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetComputerNameA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: lstrcpyA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetProcessHeap
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetCurrentProcess
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: lstrlenA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ExitProcess
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetSystemTime
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: advapi32.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: gdi32.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: user32.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: crypt32.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ntdll.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetUserNameA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateDCA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetDeviceCaps
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ReleaseDC
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: sscanf
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: VMwareVMware
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: HAL9TH
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: JohnDoe
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: DISPLAY
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: http://94.228.166.55
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: /924cf5c06b0c4fee.php
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: /baf849bbe7c30324/
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: default
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetFileAttributesA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalLock
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: HeapFree
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetFileSize
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalSize
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: IsWow64Process
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Process32Next
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetLocalTime
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: FreeLibrary
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetVolumeInformationA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Process32First
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetLocaleInfoA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetModuleFileNameA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: DeleteFileA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: FindNextFileA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: LocalFree
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: FindClose
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: LocalAlloc
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetFileSizeEx
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ReadFile
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SetFilePointer
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: WriteFile
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateFileA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: FindFirstFileA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CopyFileA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: VirtualProtect
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetLastError
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: lstrcpynA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: MultiByteToWideChar
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalFree
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: WideCharToMultiByte
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalAlloc
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: OpenProcess
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: TerminateProcess
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetCurrentProcessId
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: gdiplus.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ole32.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: bcrypt.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: wininet.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: shlwapi.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: shell32.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: psapi.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: rstrtmgr.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SelectObject
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BitBlt
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: DeleteObject
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateCompatibleDC
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdiplusStartup
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdiplusShutdown
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipDisposeImage
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipFree
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CoUninitialize
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CoInitialize
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CoCreateInstance
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptDecrypt
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptSetProperty
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptDestroyKey
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetWindowRect
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetDesktopWindow
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetDC
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CloseWindow
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: wsprintfA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CharToOemW
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: wsprintfW
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RegQueryValueExA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RegEnumKeyExA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RegOpenKeyExA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RegCloseKey
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RegEnumValueA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CryptUnprotectData
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SHGetFolderPathA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ShellExecuteExA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetOpenUrlA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetConnectA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetCloseHandle
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetOpenA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: HttpSendRequestA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: HttpOpenRequestA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetReadFile
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetCrackUrlA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: StrCmpCA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: StrStrA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: StrCmpCW
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: PathMatchSpecA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RmStartSession
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RmRegisterResources
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RmGetList
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RmEndSession
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_open
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_step
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_column_text
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_finalize
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_close
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_column_blob
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: encrypted_key
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: PATH
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: NSS_Init
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: NSS_Shutdown
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: PK11_FreeSlot
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: PK11_Authenticate
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: C:\ProgramData\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: browser:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: profile:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: url:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: login:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: password:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Opera
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: OperaGX
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Network
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: cookies
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: .txt
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: TRUE
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: FALSE
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: autofill
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: history
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: cc
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: name:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: month:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: year:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: card:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Cookies
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Login Data
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Web Data
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: History
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: logins.json
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: formSubmitURL
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: usernameField
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: encryptedUsername
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: encryptedPassword
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: guid
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: cookies.sqlite
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: formhistory.sqlite
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: places.sqlite
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: plugins
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Local Extension Settings
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Sync Extension Settings
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: IndexedDB
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Opera Stable
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Opera GX Stable
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CURRENT
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: chrome-extension_
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Local State
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: profiles.ini
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: chrome
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: opera
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: firefox
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: wallets
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ProductName
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: x32
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: x64
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ProcessorNameString
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: DisplayName
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: DisplayVersion
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Network Info:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - IP: IP?
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Country: ISO?
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: System Summary:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - HWID:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - OS:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Architecture:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - UserName:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Computer Name:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Local Time:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - UTC:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Language:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Keyboards:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Laptop:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Running Path:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - CPU:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Threads:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Cores:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - RAM:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Display Resolution:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - GPU:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: User Agents:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Installed Apps:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: All Users:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Current User:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Process List:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: system_info.txt
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: freebl3.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: mozglue.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: msvcp140.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: nss3.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: softokn3.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: vcruntime140.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: \Temp\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: .exe
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: runas
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: open
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: /c start
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: %DESKTOP%
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: %APPDATA%
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: %USERPROFILE%
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: %DOCUMENTS%
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: %PROGRAMFILES%
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: %RECENT%
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: *.lnk
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: files
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: \discord\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: \Telegram Desktop\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: key_datas
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: map*
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Telegram
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Tox
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: *.tox
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: *.ini
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Password
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: 00000001
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: 00000002
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: 00000003
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: 00000004
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Pidgin
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: \.purple\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: accounts.xml
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: token:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Software\Valve\Steam
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SteamPath
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: \config\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ssfn*
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: config.vdf
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: DialogConfig.vdf
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: libraryfolders.vdf
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: loginusers.vdf
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: \Steam\
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: browsers
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: done
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: soft
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: https
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: POST
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: HTTP/1.1
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: hwid
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: build
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: token
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: file_name
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: file
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: message
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: screenshot.jpg
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetProcAddress
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: LoadLibraryA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: lstrcatA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: OpenEventA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateEventA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CloseHandle
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Sleep
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: VirtualFree
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetSystemInfo
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: VirtualAlloc
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: HeapAlloc
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetComputerNameA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: lstrcpyA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetProcessHeap
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetCurrentProcess
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: lstrlenA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ExitProcess
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetSystemTime
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: advapi32.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: gdi32.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: user32.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: crypt32.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ntdll.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetUserNameA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateDCA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetDeviceCaps
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ReleaseDC
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: sscanf
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: VMwareVMware
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: HAL9TH
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: JohnDoe
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: DISPLAY
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: http://94.228.166.55
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: /924cf5c06b0c4fee.php
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: /baf849bbe7c30324/
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: default
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetFileAttributesA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalLock
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: HeapFree
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetFileSize
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalSize
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: IsWow64Process
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Process32Next
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetLocalTime
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: FreeLibrary
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetVolumeInformationA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Process32First
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetLocaleInfoA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetModuleFileNameA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: DeleteFileA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: FindNextFileA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: LocalFree
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: FindClose
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: LocalAlloc
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetFileSizeEx
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ReadFile
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SetFilePointer
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: WriteFile
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateFileA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: FindFirstFileA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CopyFileA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: VirtualProtect
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetLastError
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: lstrcpynA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: MultiByteToWideChar
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalFree
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: WideCharToMultiByte
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalAlloc
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: OpenProcess
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: TerminateProcess
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetCurrentProcessId
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: gdiplus.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ole32.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: bcrypt.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: wininet.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: shlwapi.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: shell32.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: psapi.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: rstrtmgr.dll
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SelectObject
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BitBlt
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: DeleteObject
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateCompatibleDC
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdiplusStartup
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdiplusShutdown
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipDisposeImage
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipFree
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CoUninitialize
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CoInitialize
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CoCreateInstance
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptDecrypt
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptSetProperty
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptDestroyKey
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetWindowRect
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetDesktopWindow
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetDC
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CloseWindow
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: wsprintfA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CharToOemW
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: wsprintfW
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RegQueryValueExA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RegEnumKeyExA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RegOpenKeyExA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RegCloseKey
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: RegEnumValueA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: CryptUnprotectData
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: SHGetFolderPathA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: ShellExecuteExA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetOpenUrlA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetConnectA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetCloseHandle
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetOpenA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: HttpSendRequestA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: HttpOpenRequestA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetReadFile
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetCrackUrlA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: StrCmpCA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: StrStrA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: StrCmpCW
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: PathMatchSpecA
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: GetModuleFileNameExA

Source: 7Xex8yR90g.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7Xex8yR90g.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\7Xex8yR90g.exe

Code function: 0_2_002126FF FindFirstFileExW,

0_2_002126FF

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://94.228.166.55/924cf5c06b0c4fee.php
Source: Malware configuration extractor	URLs: http://94.228.166.55/924cf5c06b0c4fee.php

Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_001F46F6	0_2_001F46F6
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_00204362	0_2_00204362
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_0020C4D6	0_2_0020C4D6
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_002046AA	0_2_002046AA
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_00216C73	0_2_00216C73
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_0020DD0C	0_2_0020DD0C
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_00207F30	0_2_00207F30
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_00214FB0	0_2_00214FB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004043D0 appears 316 times
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: String function: 001FDC50 appears 54 times

Source: 7Xex8yR90g.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1288:120:WilError_03

Source: 7Xex8yR90g.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7Xex8yR90g.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7Xex8yR90g.exe

ReversingLabs: Detection: 100%

Source: unknown	Process created: C:\Users\user\Desktop\7Xex8yR90g.exe "C:\Users\user\Desktop\7Xex8yR90g.exe"
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior

Source: 7Xex8yR90g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 7Xex8yR90g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 7Xex8yR90g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 7Xex8yR90g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 7Xex8yR90g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 7Xex8yR90g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 7Xex8yR90g.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 7Xex8yR90g.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 7Xex8yR90g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 7Xex8yR90g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 7Xex8yR90g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 7Xex8yR90g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 7Xex8yR90g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0041A9AC LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

2_2_0041A9AC

Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_001FD416 push ecx; ret		0_2_001FD429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00418EE5 push ecx; ret		2_2_00418EF8

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking computer name)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess

graph_2-12341

Found evasive API chain (may stop execution after checking locale)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_2-12338

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 6.5 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\7Xex8yR90g.exe

Code function: 0_2_002126FF FindFirstFileExW,

0_2_002126FF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00401120 GetSystemInfo,

2_2_00401120

Source: RegAsm.exe, 00000002.00000002.2009318303.000000000161A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: VMwareVMware

Source: C:\Users\user\Desktop\7Xex8yR90g.exe

Code function: 0_2_00201A53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00201A53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

2_2_0041A9AC

Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_0020EBC0 mov eax, dword ptr fs:[00000030h]	0_2_0020EBC0
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_00208A8C mov ecx, dword ptr fs:[00000030h]	0_2_00208A8C
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_0020EC04 mov eax, dword ptr fs:[00000030h]	0_2_0020EC04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004175D0 mov eax, dword ptr fs:[00000030h]	2_2_004175D0

Source: C:\Users\user\Desktop\7Xex8yR90g.exe

Code function: 0_2_002138E7 GetProcessHeap,

0_2_002138E7

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_00201A53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00201A53
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_001FDA85 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001FDA85
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_001FDBE1 SetUnhandledExceptionFilter,	0_2_001FDBE1
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: 0_2_001FDC95 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001FDC95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041B5E7 SetUnhandledExceptionFilter,	2_2_0041B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041936E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0041936E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00418BFD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00418BFD

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\7Xex8yR90g.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\7Xex8yR90g.exe

Code function: 0_2_00E8018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00E8018D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\7Xex8yR90g.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 637000	Jump to behavior
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1006008	Jump to behavior

Source: C:\Users\user\Desktop\7Xex8yR90g.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\7Xex8yR90g.exe

Code function: 0_2_001FD865 cpuid

0_2_001FD865

Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: EnumSystemLocalesW,	0_2_0020D0B6
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_002154FF
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: GetLocaleInfoW,	0_2_0020D61C
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: GetLocaleInfoW,	0_2_002156FA
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: EnumSystemLocalesW,	0_2_002157A1
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: EnumSystemLocalesW,	0_2_002157EC
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: EnumSystemLocalesW,	0_2_00215887
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00215912
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: GetLocaleInfoW,	0_2_00215B65
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00215C8E
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: GetLocaleInfoW,	0_2_00215D94
Source: C:\Users\user\Desktop\7Xex8yR90g.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00215E63

Source: C:\Users\user\Desktop\7Xex8yR90g.exe

Code function: 0_2_001FD06A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_001FD06A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00415720 GetUserNameA,

2_2_00415720

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7Xex8yR90g.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7Xex8yR90g.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7Xex8yR90g.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7Xex8yR90g.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Native API	1 DLL Side-Loading	411 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	411 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	223 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
7Xex8yR90g.exe	100%	ReversingLabs	Win32.Trojan.LummaC
7Xex8yR90g.exe	100%	Avira	HEUR/AGEN.1317001
7Xex8yR90g.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://94.228.166.55/924cf5c06b0c4fee.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://94.228.166.55/924cf5c06b0c4fee.php	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483223
Start date and time:	2024-07-26 21:16:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7Xex8yR90g.exe renamed because original name is a hash value
Original Sample Name:	8242342835f51d7321b9ef1db28b40a0N.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 39 Number of non-executed functions: 72
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 7Xex8yR90g.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.35667831500931
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7Xex8yR90g.exe
File size:	407'040 bytes
MD5:	8242342835f51d7321b9ef1db28b40a0
SHA1:	e863d41d7641b3b9dd9fb9f6a73c5e512a84f512
SHA256:	f9b6fbded3e18fa7e6d458d236bb28e14f7276209879d03a60a973b1f2723d49
SHA512:	002f48324339b69e4b6c8ba50e51691bbb98d7348ad58552b10fbaccf4b86a225219da94e44af7bef1f967dbb7a9f9261c2c5ead47305522b7d0008c2a0dee34
SSDEEP:	6144:o70P7uQo6KCDoQcU3oXo89vQGovkCCiQrZjn+SCYS6E/bCdjPjTuYgp5FkEKtx:MmKCDoQcUNYzrZz+D5/bCdTu7W3tx
TLSH:	6184D02176C1C4B3D763113709A4D6B9AA7DB8300E729E9FA3950EAFCF30581DB3165A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..M..HM..HM..H.`.I_..H.`.I...H.`.I[..H...I_..H.`.IJ..HM..H...H...I...H...IU..H...IL..H...IL..H...HL..H...IL..HRichM..H.......

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40d742
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x668B013F [Sun Jul 7 20:57:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	55c0acf36986dbee7526009f420c04cb

Entrypoint Preview

Instruction
call 00007FE0893ADE1Dh
jmp 00007FE0893AD4F9h
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FE0893ADF0Fh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FE0893ADEF9h
int3
int3
int3
int3
push ebx
push esi
mov eax, dword ptr [esp+18h]
or eax, eax
jne 00007FE0893AD69Ah
mov ecx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+0Ch]
div ecx
mov edx, ebx
jmp 00007FE0893AD6C3h
mov ecx, eax
mov ebx, dword ptr [esp+14h]
mov edx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
shr ecx, 1
rcr ebx, 1
shr edx, 1
rcr eax, 1
or ecx, ecx
jne 00007FE0893AD676h
div ebx
mov esi, eax
mul dword ptr [esp+18h]
mov ecx, eax
mov eax, dword ptr [esp+14h]
mul esi
add edx, ecx
jc 00007FE0893AD690h
cmp edx, dword ptr [esp+10h]
jnbe 00007FE0893AD68Ah
jc 00007FE0893AD689h
cmp eax, dword ptr [esp+0Ch]
jbe 00007FE0893AD683h
dec esi
xor edx, edx
mov eax, esi
pop esi
pop ebx
retn 0010h
int3
int3
int3
int3
int3
int3
int3
int3
push ebx
mov eax, dword ptr [esp+14h]
or eax, eax
jne 00007FE0893AD69Ah
mov ecx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
xor edx, edx
div ecx
mov eax, dword ptr [esp+08h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x37dc0	0x4c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x37e0c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x65000	0x2528	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x34c68	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x34cc0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x34ba8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2c000	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2a768	0x2a800	4bc49662af4528377450033774ea73ea	False	0.5639073988970589	data	6.6474208482966795	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2c000	0xc720	0xc800	69d556a4047cc38422fbb6cc4384b18b	False	0.412890625	data	4.949683576573524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x39000	0x2aadc	0x29a00	a5e05371442cefd30e20c03f1a9254aa	False	0.9648085585585585	data	7.965244663997813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0x1e0	0x200	e331b9e1b1a6d18839f7ba6e089ca0c7	False	0.52734375	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x65000	0x2528	0x2600	5a5b618d609bad0f4e8989761be715be	False	0.7481496710526315	data	6.507110253400118	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x64060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

USER32.dll

OffsetRect

KERNEL32.dll

CreateFileW, HeapSize, SetStdHandle, WaitForSingleObject, CreateThread, VirtualAlloc, FreeConsole, RaiseException, InitOnceBeginInitialize, InitOnceComplete, CloseHandle, WaitForSingleObjectEx, GetCurrentThreadId, GetExitCodeThread, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetCPInfo, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, GetProcessHeap, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, WriteConsoleW

Exports

Name	Ordinal	Address
DestroyObjects	1	0x408891

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	15:16:52
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\7Xex8yR90g.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7Xex8yR90g.exe"
Imagebase:	0x1f0000
File size:	407'040 bytes
MD5 hash:	8242342835F51D7321B9EF1DB28B40A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:16:52
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:16:52
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xf20000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	0.7%
Signature Coverage:	3.7%
Total number of Nodes:	856
Total number of Limit Nodes:	48

Executed Functions

Function 00E8018D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00E800FF,00E800EF), ref: 00E802FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00E8030F
Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 00E8032D
ReadProcessMemory.KERNELBASE(00000094,?,00E80143,00000004,00000000), ref: 00E80351
VirtualAllocEx.KERNELBASE(00000094,?,?,00003000,00000040), ref: 00E8037C
WriteProcessMemory.KERNELBASE(00000094,00000000,?,?,00000000,?), ref: 00E803D4
WriteProcessMemory.KERNELBASE(00000094,00400000,?,?,00000000,?,00000028), ref: 00E8041F
WriteProcessMemory.KERNELBASE(00000094,?,?,00000004,00000000), ref: 00E8045D
Wow64SetThreadContext.KERNEL32(00000098,00FE0000), ref: 00E80499
ResumeThread.KERNELBASE(00000098), ref: 00E804A8

Strings

aryA, xrefs: 00E801D3
VirtualAlloc, xrefs: 00E80254
ResumeThread, xrefs: 00E802C9
SetThreadContext, xrefs: 00E802B3
ress, xrefs: 00E80217
GetP, xrefs: 00E8020F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 00E802FB
VirtualAllocEx, xrefs: 00E8028D
CreateProcessA, xrefs: 00E80241
ReadProcessMemory, xrefs: 00E8027A
GetThreadContext, xrefs: 00E80267
WriteProcessMemory, xrefs: 00E802A0
TerminateProcess, xrefs: 00E8038B
Load, xrefs: 00E801CB

Memory Dump Source

Source File: 00000000.00000002.2008548298.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_7Xex8yR90g.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction ID: 4dc3fff55bb4b5fd7599c317765bf55589d71f329c2721514d54b7ab9cd3c163
Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction Fuzzy Hash: 5DB1F67264128AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB341D774FA418B94

Function 001F46F6 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001F14FB: __EH_prolog3_catch.LIBCMT ref: 001F1502
Part of subcall function 001F14FB: _strlen.LIBCMT ref: 001F1514

OffsetRect.USER32(00000000,00000000,00000000), ref: 001F47F9

Part of subcall function 001F3DE6: __EH_prolog3_catch.LIBCMT ref: 001F3DED

Part of subcall function 001F68AD: _Deallocate.LIBCONCRT ref: 001F68BC

_Deallocate.LIBCONCRT ref: 001F48F1

Strings

`-%, xrefs: 001F4863
Zatlat, xrefs: 001F4740
`-%, xrefs: 001F48C8

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: DeallocateH_prolog3_catch$OffsetRect_strlen
String ID: Zatlat$`-%$`-%
API String ID: 4231566263-1362805709
Opcode ID: 01670947ede5fd85a47be88702fff9c2ca02968853204ab92a84646c3c92dfed
Instruction ID: 5ffd9ce1b1f2c649e5b4c174073f052ba9235fd4f55cb82369bed366f28983b8
Opcode Fuzzy Hash: 01670947ede5fd85a47be88702fff9c2ca02968853204ab92a84646c3c92dfed
Instruction Fuzzy Hash: 6F71C07150C3889FC314EF68D88567FBBE4AF99304F500A2EFAD583282DB74D9098B56

Function 0020EBC0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbbdb32136ce8b2d215cf4e377abeb6293306163ee6a3ef70c84ab1ebc94ce3
Instruction ID: 1327db1900b0b39df738c9d67bcf5c6a82ed8e5e2f440c7ea84c558b9497bac0
Opcode Fuzzy Hash: 6fbbdb32136ce8b2d215cf4e377abeb6293306163ee6a3ef70c84ab1ebc94ce3
Instruction Fuzzy Hash: 33F0A032A21334EBCF22CB4CD405A9973A8EB04B65F120096E902E7181C2B0DE50CBD0

Function 0020D27F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,0020D38C,?,?,001F8B9B,00000000,?,?,0020D5F6,00000021,FlsSetValue,002209B4,002209BC,001F8B9B), ref: 0020D340

Strings

api-ms-, xrefs: 0020D2D6
ext-ms-, xrefs: 0020D2EA

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: c3d75ae7d97ddb51cff076c14e3b47dfbe908bd5820e6994a08a7fe36174abec
Instruction ID: ad2ae7ccf9de3638910ad1e43574d9ccd51e1d5d630014dd3694ba0ca59afd91
Opcode Fuzzy Hash: c3d75ae7d97ddb51cff076c14e3b47dfbe908bd5820e6994a08a7fe36174abec
Instruction Fuzzy Hash: 42212771A62312ABC7229FA4BC85A9A77589B423A0F210150ED05A72D2DB30FE10CED2

Function 001F2DAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001F2DB8
int.LIBCPMT ref: 001F2DCB

Part of subcall function 001F400A: std::_Lockit::_Lockit.LIBCPMT ref: 001F401B
Part of subcall function 001F400A: std::_Lockit::~_Lockit.LIBCPMT ref: 001F4035

std::_Facet_Register.LIBCPMT ref: 001F2DFE
std::_Lockit::~_Lockit.LIBCPMT ref: 001F2E14

Strings

d)%, xrefs: 001F2DC3

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: d)%
API String ID: 459529453-3218993474
Opcode ID: 037c846c8966f21cda2deb3944d0ae3091458f6c78d533d9d6d7a0a6103fc507
Instruction ID: acfda896078929487308af15e2bbb43b702884d338590cc33dba14081a485435
Opcode Fuzzy Hash: 037c846c8966f21cda2deb3944d0ae3091458f6c78d533d9d6d7a0a6103fc507
Instruction Fuzzy Hash: BA01A27250061CEBCB14AB64DC458FE7769EF91764F340159FB06AB291DF30AE42C794

Function 001F344C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001F3453
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001F348B

Part of subcall function 001F9E2B: _Yarn.LIBCPMT ref: 001F9E4A
Part of subcall function 001F9E2B: _Yarn.LIBCPMT ref: 001F9E6E

Strings

bad locale name, xrefs: 001F3499

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: b210fd67326a5067d342724666aaf906fbefd279a00f61cfb8efaf53f0d231c8
Instruction ID: e342c4b8401f093f52380446752dca8b51b6bce50b524d097934c02d94d2893d
Opcode Fuzzy Hash: b210fd67326a5067d342724666aaf906fbefd279a00f61cfb8efaf53f0d231c8
Instruction Fuzzy Hash: 37F01DB2505B449E83319F6A9481453FBE4BE29610354CA6FE1DEC3A11D730A504CBAA

Function 0020580B Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,?,002056AF,00000000,?,00000000), ref: 00205854
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,001F6B38,?,00000000,?,?,?), ref: 00205860
__dosmaperr.LIBCMT ref: 00205867

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 020fa354eeae8cef330500fd309889f0ea0d488b4749bd59af60f5a86f66dad9
Instruction ID: 99cb27c016f186b4df1e6bd2c22db10d3585e8e2a4cfa47a02149bb868e1eafc
Opcode Fuzzy Hash: 020fa354eeae8cef330500fd309889f0ea0d488b4749bd59af60f5a86f66dad9
Instruction Fuzzy Hash: C8014C7652172AAFDF259FA0DC06AAF7BA5EF04350F108158FC0196192EB71CEA0DF90

Function 001F96F8 Relevance: 4.5, APIs: 3, Instructions: 33
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 001F9704
GetExitCodeThread.KERNEL32(?,?), ref: 001F971D
FindCloseChangeNotification.KERNELBASE(?), ref: 001F972F

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ChangeCloseCodeExitFindNotificationObjectSingleThreadWait
String ID:
API String ID: 3816883391-0
Opcode ID: 8302906b403d85d630cdb3c87833dad064d1dd8adb8c7f929adb03cf962b71d7
Instruction ID: 1e22694657252bc9836a92c68983a40f33b2453bd23db25fe0564abb5db96edb
Opcode Fuzzy Hash: 8302906b403d85d630cdb3c87833dad064d1dd8adb8c7f929adb03cf962b71d7
Instruction Fuzzy Hash: BEF05E36554218EBDB206F68EC09BA93BA8EB15770F344310FA25D61E0D770DE409A80

Function 00205764 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0020B4A1: GetLastError.KERNEL32(001F8B9B,?,00206483,0020DBFC,?,?,001FE744,?,?,?,?,?,001F379B,001F8B9B,?,?), ref: 0020B4A5
Part of subcall function 0020B4A1: SetLastError.KERNEL32(00000000,001F8B9B), ref: 0020B547

CloseHandle.KERNEL32(?,?,?,0020589B,?,?,0020570D,00000000), ref: 00205795
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,0020589B,?,?,0020570D,00000000), ref: 002057AB
ExitThread.KERNEL32 ref: 002057B4

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 9c287a2e15e54541c22148c6a0fea18beaaf81fb6a4607f6f7368b9caaa62c13
Instruction ID: 3ad1d4c1335153d7dc2ca72346b54c87b5a59f699373de8dcef50ae68fe2467f
Opcode Fuzzy Hash: 9c287a2e15e54541c22148c6a0fea18beaaf81fb6a4607f6f7368b9caaa62c13
Instruction Fuzzy Hash: F0F05434411F22EBDB215F65D85CB67B6A86F05360F688610B829D21F2DB20DD61DE90

Function 00208A18 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00208A12,00000016,00201A52,?,?,B1BFA320,00201A52,?), ref: 00208A29
TerminateProcess.KERNEL32(00000000,?,00208A12,00000016,00201A52,?,?,B1BFA320,00201A52,?), ref: 00208A30
ExitProcess.KERNEL32 ref: 00208A42

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 32ce2962e248c5a88c616a9df25561bf47b0d769cfd493a637898b8fb6ddc87c
Instruction ID: 7c30a3bda8bc4d4ca670744db3570439add9a4cea3525e41bef5e2d75d14b4ad
Opcode Fuzzy Hash: 32ce2962e248c5a88c616a9df25561bf47b0d769cfd493a637898b8fb6ddc87c
Instruction Fuzzy Hash: A1D09E35150204FFCF616FA0ED0DA8A3F26AF643917158012B94956472DF3199A19E91

Function 001FA63A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001FA59B: GetModuleHandleExW.KERNEL32(00000002,00000000,?,?,?,001FA5ED,00000000,?,001FA62E,00000000,?,001F6444,00000000), ref: 001FA5A7

FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,B1BFA320,?,?,?,0021B3CE,000000FF), ref: 001FA6A1

Part of subcall function 001F82EE: std::_Throw_Cpp_error.LIBCPMT ref: 001F830F

Part of subcall function 001F9774: ReleaseSRWLockExclusive.KERNEL32(001F59A0,?,001F59A8,?,?,?,?,?,?,?,?,?,?,?,?,001F13D2), ref: 001F9788

Strings

$,%, xrefs: 001FA663

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: CallbackCpp_errorExclusiveFreeHandleLibraryLockModuleReleaseReturnsThrow_Whenstd::_
String ID: $,%
API String ID: 3627539351-2989525191
Opcode ID: dddccbb25e28d5edbeff152f9e25df373748d680a2beed235771f3f3139f7905
Instruction ID: 379aefb3c197cebb7c98036bbd5f959a380395d53903577d143acbe04f197e7b
Opcode Fuzzy Hash: dddccbb25e28d5edbeff152f9e25df373748d680a2beed235771f3f3139f7905
Instruction Fuzzy Hash: 8C1138726006089BCB267F25EC45A3D77A8EF56B31F15451AFA06D72E1CF39D800C65A

Function 00210930 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0021007A: GetConsoleOutputCP.KERNEL32(B1BFA320,00000000,00000000,00000000), ref: 002100DD

WriteFile.KERNEL32(?,00000000,?,00227CA0,00000000,0000000C,00000000,00000000,?,00000000,00227CA0,00000010,002073AD,00000000,00000000,00000000), ref: 00210A99
GetLastError.KERNEL32(?,00000000), ref: 00210AA3

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: ef686f7b600154f82c036c7974b41b6d69cbba401cc1434e0527c8a1b2a9c2f6
Instruction ID: a0b27e4f298b5b30d7671ae1a294d8e22d58a21f25a44a0eb6ac6d2e5ddba2f7
Opcode Fuzzy Hash: ef686f7b600154f82c036c7974b41b6d69cbba401cc1434e0527c8a1b2a9c2f6
Instruction Fuzzy Hash: 7461B771D24249AEDF11CFA8C8C4EEEBBF9AF29318F144045E904A7252D3B1D9E5CB60

Function 001F14FB Relevance: 3.1, APIs: 2, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 001F1502
_strlen.LIBCMT ref: 001F1514

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: H_prolog3_catch_strlen
String ID:
API String ID: 3133806014-0
Opcode ID: 1f9044bd18656c1715738ab2383d5f54a03d9b6582c84c73f6d6ba2eae03da16
Instruction ID: 9faf3a68044b1dc395912bdf2038703beae3f3be86ad4d6db907093104f55889
Opcode Fuzzy Hash: 1f9044bd18656c1715738ab2383d5f54a03d9b6582c84c73f6d6ba2eae03da16
Instruction Fuzzy Hash: A6517171E00518DFCB14DF68C8809BCBBF2AF89324B294259EA25EB2A2D771DD41CB51

Function 001FC375 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Fputc.LIBCPMT ref: 001FC44E

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: Fputc
String ID:
API String ID: 3078413507-0
Opcode ID: dd8703c62aafdfa4e53624adf071c9fd01dbb25cd06f55076ef98c4c64afd240
Instruction ID: 2d44df8fd6e1211f7295a25b489f04bd07c231dbd27e5b4cd2b383e2f9332231
Opcode Fuzzy Hash: dd8703c62aafdfa4e53624adf071c9fd01dbb25cd06f55076ef98c4c64afd240
Instruction Fuzzy Hash: E8414C3690021EEBCB18DF69C6808FEB7B9FF08350B148526E641A7640DB31ED55EBD0

Function 00210532 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,00210A7F,00000000,00000000,00000000,?,0000000C,00000000), ref: 002105CE
GetLastError.KERNEL32(?,00210A7F,00000000,00000000,00000000,?,0000000C,00000000,00000000,?,00000000,00227CA0,00000010,002073AD,00000000,00000000), ref: 002105F4

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 8ac31fcbe67ac275d457471c7fabbdef9246333cf396afa19bfb13ae47aa5180
Instruction ID: cc03c9dbfad4a0763e66070a1dee4e24f5bc6a83d2ff76145646b83f3ca6ecd2
Opcode Fuzzy Hash: 8ac31fcbe67ac275d457471c7fabbdef9246333cf396afa19bfb13ae47aa5180
Instruction Fuzzy Hash: E121A030A10219ABCF15CF19DD80AE9B7FAFB5C301F6440A9E906D7211D670DE86CF64

Function 0020DA7D Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0020DAC9
GetFileType.KERNELBASE(00000000), ref: 0020DADB

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 0f8ed1500e959a13be556a443c82879160558ca7ccada5ac0bb5a6481229affc
Instruction ID: abfbb449bbef95616fb8c2c0a2f9cc4d0c7103616e339be7a9f4e3a8e46019bc
Opcode Fuzzy Hash: 0f8ed1500e959a13be556a443c82879160558ca7ccada5ac0bb5a6481229affc
Instruction Fuzzy Hash: 7E1103367297424AC7308EBE9C88632BA95AB5A374B39070AD1B6C65F3C770D8A1D640

Function 001F86F5 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001F3136: _strlen.LIBCMT ref: 001F314E

VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,0000000006:1@0000000005:@), ref: 001F873A

Strings

0000000006:1@0000000005:@, xrefs: 001F8707

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: AllocVirtual_strlen
String ID: 0000000006:1@0000000005:@
API String ID: 3554592677-176982251
Opcode ID: 167fe7331a1a0e619f035d70f3602801842fa377f3e7558f46d4d8551ce37cae
Instruction ID: e06a7aad36c7942eecb01390aad8f3e416e72c3d9849bcb5ceee3d0ce53dd04c
Opcode Fuzzy Hash: 167fe7331a1a0e619f035d70f3602801842fa377f3e7558f46d4d8551ce37cae
Instruction Fuzzy Hash: DF119131A4020CABCB14FBA4EC56FFE77749FA5760F244128F605B61C1DF7499068669

Function 002056AF Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(002277F0,0000000C), ref: 002056C2
ExitThread.KERNEL32 ref: 002056C9

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 8b65fd7f767051dd156f332860df0fa9a010636e4345d7f8ca7c9f21d281d535
Instruction ID: cdc08f27972980cb182683b470f3e9bfe22b42a3d56f54a40fd9eec8b430c70d
Opcode Fuzzy Hash: 8b65fd7f767051dd156f332860df0fa9a010636e4345d7f8ca7c9f21d281d535
Instruction Fuzzy Hash: 9CF0AF71990705AFDB14AFB0D80AA6E7B78EF15300F208149F4169B2E3CF755960CFA1

Function 001F82AF Relevance: 3.0, APIs: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001F82BA
std::_Throw_Cpp_error.LIBCPMT ref: 001F82E8

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: Cpp_errorCurrentThreadThrow_std::_
String ID:
API String ID: 350343453-0
Opcode ID: fd1357e52a5e6188e71bc9d518b94213de1583fbe682ce0a4a4d257269a8a402
Instruction ID: 1a5184ce798a455be38294131c4e8b1eeb06293f62346a4b671457f546df2fc3
Opcode Fuzzy Hash: fd1357e52a5e6188e71bc9d518b94213de1583fbe682ce0a4a4d257269a8a402
Instruction Fuzzy Hash: 53E0D831601F089AD7302E159D02B77B6E5EFE1B21F11842FA79592481EB716441DB55

Function 001F88EE Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 001F88F5
FreeConsole.KERNELBASE(00000010), ref: 001F88FA

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ConsoleFreeH_prolog3_catch
String ID:
API String ID: 2618692183-0
Opcode ID: c7f3bed51f09b5ddddf57db6dc3fd81a10e1b92568aedf5fe3a9a3a8723c6391
Instruction ID: cd38069a8fb6b23003a0c410d0b5baaba6b0ac94281e238b4609fc3c456f6b59
Opcode Fuzzy Hash: c7f3bed51f09b5ddddf57db6dc3fd81a10e1b92568aedf5fe3a9a3a8723c6391
Instruction Fuzzy Hash: 25E0C23474030D42EF2177B0681B3BD24D16F60328F2406287721DB1D2DFB5DA406212

Function 001F83C2 Relevance: 3.0, APIs: 2, Instructions: 12synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000086F5,00000000,00000000,00000000), ref: 001F83CE
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 001F83D7

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: df23f01b67da87562d7fbfb1512bd64e02018683b6a77fdf7ab9419186e77d54
Instruction ID: 9efc58d28948fd8c4581a7cb77b2edba80b0afc692050dddbd0bdce4c571065d
Opcode Fuzzy Hash: df23f01b67da87562d7fbfb1512bd64e02018683b6a77fdf7ab9419186e77d54
Instruction Fuzzy Hash: 09C048E4A84201BEAE0097A06C0CD77261CE6183753208A007921D12E0EE648C008634

Function 0020B350 Relevance: 2.6, APIs: 2, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000008,0020CE8D), ref: 0020B354
SetLastError.KERNEL32(00000000,001F8B9B,00000005,000000FF), ref: 0020B3F6

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0eca90188c8a94e1498a86757ee6cdb87b6da2dea26ea321988e370431073cae
Instruction ID: 5bdac37061b1902831679f29705db3395c3ece6c7484cd5329782c0c530fc00e
Opcode Fuzzy Hash: 0eca90188c8a94e1498a86757ee6cdb87b6da2dea26ea321988e370431073cae
Instruction Fuzzy Hash: D311A3712753066BD7322BB5ACCA92B77589B253A9B300274F910825D3DFA04C344964

Function 001FB01E Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0a065571fd36107d584ce04171bf7b5e39e7f1aaf95a198bc5eaf6d7028769
Instruction ID: d88205dff0d89e7e491694fa7c37cd811cf64978e4d54f2a517c887eaa3e2f8e
Opcode Fuzzy Hash: bb0a065571fd36107d584ce04171bf7b5e39e7f1aaf95a198bc5eaf6d7028769
Instruction Fuzzy Hash: 3331727291810EABCB14CF64D8D49FEB7B9BF09310F144269E611A3690DB31E954CBA0

Function 001F6CCB Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 001F6D96

Part of subcall function 001F3136: _strlen.LIBCMT ref: 001F314E

Part of subcall function 001F1C54: __EH_prolog3_catch.LIBCMT ref: 001F1C5B

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: DeallocateH_prolog3_catch_strlen
String ID:
API String ID: 3043132973-0
Opcode ID: 2453900fafcc164929209b5fa7e48ac727474e9884bea1b9ac61bfa39bf4e961
Instruction ID: 2fe60fd2bd366d014f85eb2c591ff8e14d71807c757a5112495a8b48ffc26d14
Opcode Fuzzy Hash: 2453900fafcc164929209b5fa7e48ac727474e9884bea1b9ac61bfa39bf4e961
Instruction Fuzzy Hash: C0219F31F0421CAADB04EFB9E8829FDB7B4EB58720F245219E611B7181DB755D81CBA4

Function 001F3EE3 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 001F3EEA

Part of subcall function 001F2DAC: std::_Lockit::_Lockit.LIBCPMT ref: 001F2DB8
Part of subcall function 001F2DAC: int.LIBCPMT ref: 001F2DCB
Part of subcall function 001F2DAC: std::_Lockit::~_Lockit.LIBCPMT ref: 001F2E14

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3_catchLockit::_Lockit::~_
String ID:
API String ID: 1693569656-0
Opcode ID: faf2d089db29fc02977670ea90f63ec8e3c89042d61c13bb5aeb6ed5e33bce9a
Instruction ID: 02c44ff34cf5c98af2446bcdc94921b0dcf77b1b8849ea8cfaa65fbe5afd80af
Opcode Fuzzy Hash: faf2d089db29fc02977670ea90f63ec8e3c89042d61c13bb5aeb6ed5e33bce9a
Instruction Fuzzy Hash: 57213D71A012199FCB14DFA4C5859EEFBF5FF58310B24416AE615B7251C731AE01CBA4

Function 0020D34A Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e10b339bf6663e0c2bd1831cbea8df0d1a05b7d2b1b5fa6adbe6a7a8f5254c
Instruction ID: 63636c68c72841f8dcc29f4320f99e39893a1dbff0761330a429b34134f664af
Opcode Fuzzy Hash: 45e10b339bf6663e0c2bd1831cbea8df0d1a05b7d2b1b5fa6adbe6a7a8f5254c
Instruction Fuzzy Hash: C70128377213129FDB169FADFC45A6A3396AB84320B248560FD04CB1DADA31D8108FD1

Function 001F2925 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 001F297A

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: 7b837c0cb35a5c0a5b6434836e6af29e140a2b718bc337d5645bb0a69c1f624b
Instruction ID: 8e69fa3c96c2fd1f3662e823c6afa6c53015e4e47005ffae55fb878cae9b3b2a
Opcode Fuzzy Hash: 7b837c0cb35a5c0a5b6434836e6af29e140a2b718bc337d5645bb0a69c1f624b
Instruction Fuzzy Hash: 32F090B220530E6FD210AE11EC06E7BBB9CEB623A8F10441EF34456192DB72A85486B1

Function 0020CB1C Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,001F8B9B,?,0020B4EE,00000001,00000364,001F8B9B,00000005,000000FF,?,001FE744,?,?,?,?), ref: 0020CB5D

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bbaf10e280ca15b16eebbc33ac9d37d9505e0da05c6ed56509c19fc7104c41b4
Instruction ID: fd4c0771afa26f4aaa8899a6d3641a3c9297677dd9d86c12f8e45ab6130a7ebb
Opcode Fuzzy Hash: bbaf10e280ca15b16eebbc33ac9d37d9505e0da05c6ed56509c19fc7104c41b4
Instruction Fuzzy Hash: 53F0E9719703266BDB216F26EC07B5A3758AF41B74B348321BC04971D3CA30D8308AE5

Function 0020DBB9 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,001F8B9B,?,?,001FE744,?,?,?,?,?,001F379B,001F8B9B,?,?,?,?), ref: 0020DBEB

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bb3fd2b5171616c051484bd86073f01db587a9b762fd0273861462f1666e8ad7
Instruction ID: 8bb8bd50124bff23d21fa638d67dfea35c90cff66db158b4e847dc1fed37f360
Opcode Fuzzy Hash: bb3fd2b5171616c051484bd86073f01db587a9b762fd0273861462f1666e8ad7
Instruction Fuzzy Hash: 92E065211763126BD7212EF59C08B6B7A5C9B417B4F260161BD45965D3CF60CC3185A5

Function 001F4B30 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 001F4B37

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 6fa7a9e716067004fbba4ed54e8435119fd05977637ef94957158dbee63bc4c8
Instruction ID: c38af705c8a8640b23d2f3c2b57e2cdc599b47b6aa4cd55401f4e0b85f42c91a
Opcode Fuzzy Hash: 6fa7a9e716067004fbba4ed54e8435119fd05977637ef94957158dbee63bc4c8
Instruction Fuzzy Hash: 96E08C709212098BDB10EFA0D5427FEB6B5BB50720F600218B251A71C1CF701B4487A3

Non-executed Functions

Function 00216C73 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00216E57

Strings

1#SNAN, xrefs: 00216D7F
1#INF, xrefs: 00216DA9
1#IND, xrefs: 00216D78
1#QNAN, xrefs: 00216D86

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f944c92d22e0f58be482936173f469b06ffc19d53fbfc31195b52e2805c46088
Instruction ID: a2d13ea744c4df04cd989b5823310c113e27854ca946ecbeff09764827009674
Opcode Fuzzy Hash: f944c92d22e0f58be482936173f469b06ffc19d53fbfc31195b52e2805c46088
Instruction Fuzzy Hash: 14D21971E282298FDB65CE28DD447EAB7F5EBA4304F1441EAD40DA7240EB74AED58F40

Function 00215C8E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00215FAC,00000002,00000000,?,?,?,00215FAC,?,00000000), ref: 00215D27
GetLocaleInfoW.KERNEL32(?,20001004,00215FAC,00000002,00000000,?,?,?,00215FAC,?,00000000), ref: 00215D50
GetACP.KERNEL32(?,?,00215FAC,?,00000000), ref: 00215D65

Strings

OCP, xrefs: 00215CE2
ACP, xrefs: 00215CAC

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 79fcf7c33c60a9c96e8ac4e5c547a039c947525be3f1bf1ce42d30626bb260dc
Instruction ID: cac0492bd25ff6430c52133dc5ced0f7d97779dea7dc46b9a39afda9abf34c57
Opcode Fuzzy Hash: 79fcf7c33c60a9c96e8ac4e5c547a039c947525be3f1bf1ce42d30626bb260dc
Instruction Fuzzy Hash: F221C961630926E6D7309F64E808AD772E6EBF0B50B6684E5E80AD7100E732DD91C390

Function 00215E63 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0020B350: GetLastError.KERNEL32(?,00000008,0020CE8D), ref: 0020B354
Part of subcall function 0020B350: SetLastError.KERNEL32(00000000,001F8B9B,00000005,000000FF), ref: 0020B3F6

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00215F6F
IsValidCodePage.KERNEL32(00000000), ref: 00215FB8
IsValidLocale.KERNEL32(?,00000001), ref: 00215FC7
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0021600F
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0021602E

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 213669a9749c31efc3137d32e7241153effa51912930743e54ebbc2b104a87fc
Instruction ID: 9e71eb75cbb537ec898b9b83f0b9266def1502a251b041246ebe82f022521141
Opcode Fuzzy Hash: 213669a9749c31efc3137d32e7241153effa51912930743e54ebbc2b104a87fc
Instruction Fuzzy Hash: A2519371920626EFDB10DFA4DC45AEEB3F8FFA5700F1444A5B504D7191EB709A918B60

Function 002154FF Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0020B350: GetLastError.KERNEL32(?,00000008,0020CE8D), ref: 0020B354
Part of subcall function 0020B350: SetLastError.KERNEL32(00000000,001F8B9B,00000005,000000FF), ref: 0020B3F6

GetACP.KERNEL32(?,?,?,?,?,?,00209EF0,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 002155C0
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00209EF0,?,?,?,00000055,?,-00000050,?,?), ref: 002155EB
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0021574E

Strings

utf8, xrefs: 002156BD

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 1134832ea7383eb5399272b93cc2d70d20dd3266e52478ed45cd1a480691e300
Instruction ID: a0e729a79ea39f37621aaa4df639e75ad5208d6d99df4d3414cec16002c6feeb
Opcode Fuzzy Hash: 1134832ea7383eb5399272b93cc2d70d20dd3266e52478ed45cd1a480691e300
Instruction Fuzzy Hash: 1371F771620B16EADB24AF74DC46BE673EDEFA4700F6440A9F505D7181EB70E9A08B90

Function 0020DD0C Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0020DD99

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 75b648e633f190c86c236c7fc6c97fed487f58425f7dd828c5b9198bf3fd1d21
Instruction ID: 4b71f7dc58414d91fff5cf8637bd8f8745079f08c03b3a2acbc53a0f1e7bd53e
Opcode Fuzzy Hash: 75b648e633f190c86c236c7fc6c97fed487f58425f7dd828c5b9198bf3fd1d21
Instruction Fuzzy Hash: 1DB158329263469FDB158FA8C8817FEBBE5EF55310F15816AE801AB2C3D2749D61CB60

Function 001FDA85 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 001FDA91
IsDebuggerPresent.KERNEL32 ref: 001FDB5D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001FDB76
UnhandledExceptionFilter.KERNEL32(?), ref: 001FDB80

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3a431e6becad64829c5744c9db8bd5dae32c9b35bca6b69fbfc399d026ae4a62
Instruction ID: 265400f5fa9bd3117f1d4b85e26439bb78bd849a81fa14d13f118da1a1ea64f9
Opcode Fuzzy Hash: 3a431e6becad64829c5744c9db8bd5dae32c9b35bca6b69fbfc399d026ae4a62
Instruction Fuzzy Hash: 1231F679D0521CDBDB20EFA4E9497DDBBB8AF18304F1041AAE50DAB250EB719B848F45

Function 00215912 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0020B350: GetLastError.KERNEL32(?,00000008,0020CE8D), ref: 0020B354
Part of subcall function 0020B350: SetLastError.KERNEL32(00000000,001F8B9B,00000005,000000FF), ref: 0020B3F6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00215966
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002159B0
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00215A76

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 2ce619fc6d8aa3a451a3d4261ed5c460faa935517a855e2b1f6f6d46de5a872c
Instruction ID: 7a4767205c8202908614be96e305228a777b0c6dfccbd47a75b02019b73ada5e
Opcode Fuzzy Hash: 2ce619fc6d8aa3a451a3d4261ed5c460faa935517a855e2b1f6f6d46de5a872c
Instruction Fuzzy Hash: 3861A171560A27DFDB299F24CC82BEAB3E8EF64300F1441E9E916C6185E774DAE1CB50

Function 00201A53 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,001F8B9B), ref: 00201B4B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,001F8B9B), ref: 00201B55
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,001F8B9B), ref: 00201B62

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 24880b2bfb994a7ac242787eec150b486a86413d7d700c8e0b0516d020304dd5
Instruction ID: d0b0433688cdecc6dcc9dabe34ea0860c8ce282699cda593e4e1edc2498e4da5
Opcode Fuzzy Hash: 24880b2bfb994a7ac242787eec150b486a86413d7d700c8e0b0516d020304dd5
Instruction Fuzzy Hash: E331D67495121C9BCB21DF28DD897DCBBB4BF18310F5041DAE41CA6291EB709B958F44

Function 002157EC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0020B350: GetLastError.KERNEL32(?,00000008,0020CE8D), ref: 0020B354
Part of subcall function 0020B350: SetLastError.KERNEL32(00000000,001F8B9B,00000005,000000FF), ref: 0020B3F6

EnumSystemLocalesW.KERNEL32(00215912,00000001,00000000,?,-00000050,?,00215F43,00000000,?,?,?,00000055,?), ref: 0021585E

Strings

C_!, xrefs: 00215833

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID: C_!
API String ID: 2417226690-4241996622
Opcode ID: 2fdecbbac9faceb1114ca58d6c0b383423089781c4f58ee3bf2a3f34c687359c
Instruction ID: 20f2a430216b9b24a6cfcd621f08355f07ac0e99bc670bbfe14f7ddc5d13c3a7
Opcode Fuzzy Hash: 2fdecbbac9faceb1114ca58d6c0b383423089781c4f58ee3bf2a3f34c687359c
Instruction Fuzzy Hash: 4211063A2107019FDB189F39D8915BAB7D1FF90328B15446CE98747A40D3716992CB40

Function 00207F30 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328877cfbec143cfb10e340733355c27c4f7255f62cec1a1cc70739699e5e674
Instruction ID: 20cf16cbb48f75b99ac075a1dc9b0d0ff5254f2a2857a18a6c7741b791b52556
Opcode Fuzzy Hash: 328877cfbec143cfb10e340733355c27c4f7255f62cec1a1cc70739699e5e674
Instruction Fuzzy Hash: 53F15E71E1061A9FDF14CF68C880AAEB7B1FF88314F158269E959A7381DB30AD15CF94

Function 001FD06A Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,001FCBF5,?,00000000,00000000,?,001FCBB4,?,?,00000000,?,001F981C,?,?,00000000), ref: 001FD0A2
GetSystemTimeAsFileTime.KERNEL32(?,B1BFA320,?,?,0021B3B1,000000FF,?,001FCBF5,?,00000000,00000000,?,001FCBB4,?,?,00000000), ref: 001FD0A6

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 1c001ec6ab8a90f98b0b7403f8593b051cf6ac5411a49acd309d452e0a242599
Instruction ID: 1d820eb5e2ba7328b7f0ef6698c59331713b2af6599800140d9c93c8c6e19f4c
Opcode Fuzzy Hash: 1c001ec6ab8a90f98b0b7403f8593b051cf6ac5411a49acd309d452e0a242599
Instruction Fuzzy Hash: 6BF0A036A48A18EBC7129F54ED05BADB7B8F708B10F11422AE81293790DB3568008B84

Function 0020C4D6 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0020C4D1,?,?,00000008,?,?,00219233,00000000), ref: 0020C703

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0e33e59d853ec131d401de5efd644bbdb44251edef7c13b2b6a4b3b8c24e1c51
Instruction ID: 1f2c36bbd93e28e93ffef48a9f72f6a6f1a7e3bde7cdd926e29fc4248228e8c9
Opcode Fuzzy Hash: 0e33e59d853ec131d401de5efd644bbdb44251edef7c13b2b6a4b3b8c24e1c51
Instruction Fuzzy Hash: A2B13C756206098FD724CF28C486B657BA0FF45364F658658E899CF2E2C335E9A2CF40

Function 001FD865 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 001FD87B

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: caa5ce4a8c122736b20b8afc70970a179e3ca3e37c83e7d379b2da4648c59277
Instruction ID: 0fbdbef67778d7a01775a69cbb779a1ed294b4d0ff634edfef9953d062b15ef5
Opcode Fuzzy Hash: caa5ce4a8c122736b20b8afc70970a179e3ca3e37c83e7d379b2da4648c59277
Instruction Fuzzy Hash: F3517BB19002098BDB15CF98F8857BEB7F6FB48306F24842AD511EB290D7B59D40CB54

Function 002126FF Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535d6bcd6c3d62efffba69e292355d7573434850ed76900db01083e23cd90ff3
Instruction ID: 0361ae10892f6815839b5063d6816aff4f30c7b0596ed9f11b412431ec7cf6e3
Opcode Fuzzy Hash: 535d6bcd6c3d62efffba69e292355d7573434850ed76900db01083e23cd90ff3
Instruction Fuzzy Hash: 4541C5B5814219AFDF20DF69CC89AEABBF8EF55300F1442D9F418D3241DA359EA98F50

Function 002046AA Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00204838

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 00711911d6dd09d64c97408e2f3d49b769a09835586b42a01e32b69993276636
Instruction ID: c2a554048724d2257c6c4974a3a8e827bb818e37cabf67141f2d9bc6340c9a9d
Opcode Fuzzy Hash: 00711911d6dd09d64c97408e2f3d49b769a09835586b42a01e32b69993276636
Instruction Fuzzy Hash: 4DC1E2F0A2074A8FCB24EF58C490A7AB7B1AF06304F24C61DDA52972E3C730AD65CB50

Function 00215B65 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0020B350: GetLastError.KERNEL32(?,00000008,0020CE8D), ref: 0020B354
Part of subcall function 0020B350: SetLastError.KERNEL32(00000000,001F8B9B,00000005,000000FF), ref: 0020B3F6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00215BB9

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: af495c87065167e3f6378fdfb158ef21c11fe6a8b639ee0fb4e6080f3d4b6233
Instruction ID: 55ee28df4c151057e1daad6ef159a70b8b28a7e614f578daf321134133894ddf
Opcode Fuzzy Hash: af495c87065167e3f6378fdfb158ef21c11fe6a8b639ee0fb4e6080f3d4b6233
Instruction Fuzzy Hash: 2C21B672524617EBDB289F25DC41AFA73E8EF64314F1040BAF905C6141EB759DA48B90

Function 00204362 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 002044EC

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9c987fc7f4ab2134c0047946b64493224a35ad2b060bcba1d886876f09638e66
Instruction ID: 304bba47ede8299dafcd2fd8566dc81ffd9fdf22ffa3cb0d14850911c7747cfd
Opcode Fuzzy Hash: 9c987fc7f4ab2134c0047946b64493224a35ad2b060bcba1d886876f09638e66
Instruction Fuzzy Hash: 72B1D0F092070B8BCB28FF6884956BEBBB5AB01300F64865ED752972C3D771AD61CB51

Function 00215D94 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0020B350: GetLastError.KERNEL32(?,00000008,0020CE8D), ref: 0020B354
Part of subcall function 0020B350: SetLastError.KERNEL32(00000000,001F8B9B,00000005,000000FF), ref: 0020B3F6

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00215B2E,00000000,00000000,?), ref: 00215DC0

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 7acde789c31496469952f7b4363c0e7aa3ba5dc124d7f25e090c19e9fdc9571c
Instruction ID: 6d69f604c35c7b28922b2298adf67a21963e796b859b6b27798388127f057bdd
Opcode Fuzzy Hash: 7acde789c31496469952f7b4363c0e7aa3ba5dc124d7f25e090c19e9fdc9571c
Instruction Fuzzy Hash: B0F0F932620522FBDB285B25D809AFA77A4EB90754F1544A9EC06A3180DA74FDA2CB90

Function 002156FA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0020B350: GetLastError.KERNEL32(?,00000008,0020CE8D), ref: 0020B354
Part of subcall function 0020B350: SetLastError.KERNEL32(00000000,001F8B9B,00000005,000000FF), ref: 0020B3F6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0021574E

Strings

utf8, xrefs: 002156BD

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 6fd23ac49f7649d509d9c0d2de806bb4934ef4df02b3c250ab69e697a1e28f34
Instruction ID: eca0e0b3082a2be6b7ebad9fda7602351c2aa4524145b66f028800e61a1362e1
Opcode Fuzzy Hash: 6fd23ac49f7649d509d9c0d2de806bb4934ef4df02b3c250ab69e697a1e28f34
Instruction Fuzzy Hash: 9CF02832620219EBC715AF34DC4AEFA73E8DF55310F1040B9B606D7281EA78AD028790

Function 00215887 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0020B350: GetLastError.KERNEL32(?,00000008,0020CE8D), ref: 0020B354
Part of subcall function 0020B350: SetLastError.KERNEL32(00000000,001F8B9B,00000005,000000FF), ref: 0020B3F6

EnumSystemLocalesW.KERNEL32(00215B65,00000001,?,?,-00000050,?,00215F07,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 002158D1

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 6178f6879cefe69dd94b6a47b932d359913f38813fa9014d112328f635574701
Instruction ID: 56dd4cebcc13c3bdbad8508340ce026374b5dac039758e3190a90a74b0e9a53f
Opcode Fuzzy Hash: 6178f6879cefe69dd94b6a47b932d359913f38813fa9014d112328f635574701
Instruction Fuzzy Hash: C4F0F6362107159FDB246F35D881AFA7BD1FFC0768F2A84ACF9468B680C671ACD1DA50

Function 0020D0B6 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002058DD: EnterCriticalSection.KERNEL32(-0005A85D,?,0020869F,00000000,002279F0,0000000C,00208666,?,?,0020CB4F,?,?,0020B4EE,00000001,00000364,001F8B9B), ref: 002058EC

EnumSystemLocalesW.KERNEL32(0020D0A9,00000001,00227C00,0000000C,0020D518,00000000), ref: 0020D0EE

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: b84debd1ec614b21f6578d556617d81d3a4981effbf38f1e1e8474ad7c97ba15
Instruction ID: 57941efb91c63d1c15f09a6a5ddd84dd2ff3cc0f959b5aea7286eb38381527fc
Opcode Fuzzy Hash: b84debd1ec614b21f6578d556617d81d3a4981effbf38f1e1e8474ad7c97ba15
Instruction Fuzzy Hash: D6F03C76A54304AFD701EF98E846B9D77F0EB08721F20402AF414972E1DBB54950CF40

Function 002157A1 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0020B350: GetLastError.KERNEL32(?,00000008,0020CE8D), ref: 0020B354
Part of subcall function 0020B350: SetLastError.KERNEL32(00000000,001F8B9B,00000005,000000FF), ref: 0020B3F6

EnumSystemLocalesW.KERNEL32(002156FA,00000001,?,?,?,00215F65,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 002157D8

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7650e04cf73b7fad69b5cc66e4d4881594d405af0ca5264d29ad8a52ab2e2259
Instruction ID: 04fa490972d09473d0bb25ce033704d9167f4b936b37a728750bff69b1fff6bc
Opcode Fuzzy Hash: 7650e04cf73b7fad69b5cc66e4d4881594d405af0ca5264d29ad8a52ab2e2259
Instruction Fuzzy Hash: 76F0553A30030597CB149F39D8566AABFD4EFD2720B1A4098EA0A8B281C6719883CB90

Function 0020D61C Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0020AA56,?,20001004,00000000,00000002,?,?,0020A058), ref: 0020D650

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 3d2e09c3c060658c0a04d0f0f9f2a0fc3ba552264d0c46376bd2046276102b93
Instruction ID: adecc54f52159fd10ae571fa962aec015cb0711a728fedfd3597a2520fe522d3
Opcode Fuzzy Hash: 3d2e09c3c060658c0a04d0f0f9f2a0fc3ba552264d0c46376bd2046276102b93
Instruction Fuzzy Hash: 86E04F35591218BBCF122FA0EC09A9E7F29EF447A0F108011FD09652A3CF728931AAD4

Function 001FDBE1 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000DBED,001FD5B3), ref: 001FDBE6

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b5362df1a1672080a28acabda6d87e09162c329d40dc54a338940d4c7c00b172
Instruction ID: e2b97d64970b86b97c394b1dd6db8ef961e8923c04e1de88f4762ab4ca4cf661
Opcode Fuzzy Hash: b5362df1a1672080a28acabda6d87e09162c329d40dc54a338940d4c7c00b172
Instruction Fuzzy Hash:

Function 002138E7 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 002138E7

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 145529458bfd02b003e21267f250fe23f77f063a5f6d0cb4190b3126f6f1654d
Instruction ID: 7f7e8fd8ccdf068c8b2778086b0a8160272e2675ee8995d5ff1d9dacffa8323c
Opcode Fuzzy Hash: 145529458bfd02b003e21267f250fe23f77f063a5f6d0cb4190b3126f6f1654d
Instruction Fuzzy Hash: AEA01132200200EF83008F30BE0C20A3AACAA082C232280A8A008C20A0EA3080808B08

Function 00214FB0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 5226c0ddec9e8c2ad195d09310e9c09f225f6b852bf3a34607cd3a4f7ad4d9c0
Instruction ID: c8ec62df179c4f69943aa679b7f937e6365b2ddb7b7f23472fd37f57a0ce1723
Opcode Fuzzy Hash: 5226c0ddec9e8c2ad195d09310e9c09f225f6b852bf3a34607cd3a4f7ad4d9c0
Instruction Fuzzy Hash: 50B12936520B12DBCB349F64CC82BF7B3E9EFA4308F1444ADE94786580E6B5A9D5CB50

Function 0020EC04 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f52d7548de73c2df35ffbc499fbf997fd1a510aea2d130e71c389f74e202ceb
Instruction ID: 5d917911cfbaac73aaba8f9d0a0edee6803e80c5cb363c7f7edcad0404057f86
Opcode Fuzzy Hash: 9f52d7548de73c2df35ffbc499fbf997fd1a510aea2d130e71c389f74e202ceb
Instruction Fuzzy Hash: A5E0EC72921328EBCB15DBD8D94598AF7ECEB45F50B1648ABF901D3192C271DE50CBD0

Function 00208A8C Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2f21aa9c1ecbffe2708fd8a0ab1a033b91d0d6599410b1735c5d2c8283de74
Instruction ID: 6b7ce74d2258e74df3ee76d90cfa33ec83d70c52e27dd51d311554fd79eff523
Opcode Fuzzy Hash: fe2f21aa9c1ecbffe2708fd8a0ab1a033b91d0d6599410b1735c5d2c8283de74
Instruction Fuzzy Hash: C5C08C34230F0046CF298D1886B13A63364B3D1792F80088EC5430BEC3CA2E9C93DA22

Function 00211AAA Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00211D23
@l , xrefs: 00211DD9

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID:
String ID: $@l
API String ID: 0-2145061437
Opcode ID: 3ee044625a6727b8f201762c3b156c269b07f7ab8677930cf71408fd805818c2
Instruction ID: faa3af49837e0e14e2547fef2685d9504a5241f57728dcf806d0882b87049f40
Opcode Fuzzy Hash: 3ee044625a6727b8f201762c3b156c269b07f7ab8677930cf71408fd805818c2
Instruction Fuzzy Hash: 40B1F6B0E24246AFDB11CF98E845BEDBBF1AF69350F144158E60097292D7709EB1CF61

Function 001FD025 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 001FD02B
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 001FD039
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 001FD04A
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 001FD05B

Strings

GetTempPath2W, xrefs: 001FD050
kernel32.dll, xrefs: 001FD026
GetCurrentPackageId, xrefs: 001FD033
GetSystemTimePreciseAsFileTime, xrefs: 001FD03F

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: f30668bccfceaa879079a75402cc1ea43043da1f6850396eecb7c985c3de6e3d
Instruction ID: d709c91135fc4b781ed488a23f5144f1505428345689809cfc56c058f700132d
Opcode Fuzzy Hash: f30668bccfceaa879079a75402cc1ea43043da1f6850396eecb7c985c3de6e3d
Instruction Fuzzy Hash: 71E0EC39AB1320EB83156F70BC0D9C67AF8AA3F7123108116F40DD26E0DBB404568BA4

Function 002009B2 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00200AD1
___TypeMatch.LIBVCRUNTIME ref: 00200BDF
_UnwindNestedFrames.LIBCMT ref: 00200D31
CallUnexpected.LIBVCRUNTIME ref: 00200D4C

Strings

csm, xrefs: 002009EF
csm, xrefs: 00200A5C
csm, xrefs: 00200B08

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: d8213d6b7899c3d3cd85f8dfb9f988d7427f0645617b858c989489f84c73d2cc
Instruction ID: cadaf28e7cc4535fc4cff81aee9052122d25bc12607b89cd6aeeec48448a5360
Opcode Fuzzy Hash: d8213d6b7899c3d3cd85f8dfb9f988d7427f0645617b858c989489f84c73d2cc
Instruction Fuzzy Hash: 47B1367182030AAFEF24DFA4C8C1AAEBBB5AF14314F14415AE9116B293D771DA61CF91

Function 001FA784 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001FA78B
std::_Lockit::_Lockit.LIBCPMT ref: 001FA795
int.LIBCPMT ref: 001FA7AC

Part of subcall function 001F400A: std::_Lockit::_Lockit.LIBCPMT ref: 001F401B
Part of subcall function 001F400A: std::_Lockit::~_Lockit.LIBCPMT ref: 001F4035

codecvt.LIBCPMT ref: 001FA7CF
std::_Facet_Register.LIBCPMT ref: 001FA7E6
std::_Lockit::~_Lockit.LIBCPMT ref: 001FA806

Strings

H-%, xrefs: 001FA7A0

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID: H-%
API String ID: 712880209-3940977602
Opcode ID: 6981335e426c4bf397ab0783a6cf88a6c583be426d150b33113d14233b3f32d0
Instruction ID: d6eff34b9b3ea266863a6c7252d801e14ba1791c3048ea5696242196d126589a
Opcode Fuzzy Hash: 6981335e426c4bf397ab0783a6cf88a6c583be426d150b33113d14233b3f32d0
Instruction Fuzzy Hash: AE11D3B190121C9FCB05EFA8D8016BEB7F5EF64310F644419E609A7391DFB4AE068B92

Function 00219A2A Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(01024DA0,01024DA0,?,7FFFFFFF,?,00219CFA,01024DA0,01024DA0,?,01024DA0,?,?,?,?,01024DA0,?), ref: 00219AD0
__alloca_probe_16.LIBCMT ref: 00219B8B
__alloca_probe_16.LIBCMT ref: 00219C1A
__freea.LIBCMT ref: 00219C65
__freea.LIBCMT ref: 00219C6B
__freea.LIBCMT ref: 00219CA1
__freea.LIBCMT ref: 00219CA7
__freea.LIBCMT ref: 00219CB7

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 53b8956054c67988d13664e55e9be16aa81c1337de12c1abdfd76adf0fe2d41c
Instruction ID: 0e25fa4c259184d900e820020d1405ddd67ad45630523b63678e580e08e71457
Opcode Fuzzy Hash: 53b8956054c67988d13664e55e9be16aa81c1337de12c1abdfd76adf0fe2d41c
Instruction Fuzzy Hash: 3C714B32A2420A5BDF20DF549C61BEF7BFAAF69714F240016E945A7282D735DDE08BD0

Function 001FCCBE Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 001FCD07
__alloca_probe_16.LIBCMT ref: 001FCD33
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 001FCD72
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001FCD8F
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 001FCDCE
__alloca_probe_16.LIBCMT ref: 001FCDEB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001FCE2D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 001FCE50

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 2ceed716acd98af5c36406cbeabaaf42561a67bcdaceaa07cc51dc4697adc3e0
Instruction ID: e23d08a2e4515f688e3566d9fb71900c2f11d57181f6ca429e7a9b93d2d7cf58
Opcode Fuzzy Hash: 2ceed716acd98af5c36406cbeabaaf42561a67bcdaceaa07cc51dc4697adc3e0
Instruction Fuzzy Hash: 91519C7291020EABEF209F64DD45FBF7FA9EB94B50F214424BA1596191DB309C10EBE0

Function 00200480 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002004B7
___except_validate_context_record.LIBVCRUNTIME ref: 002004BF
_ValidateLocalCookies.LIBCMT ref: 00200548
__IsNonwritableInCurrentImage.LIBCMT ref: 00200573
_ValidateLocalCookies.LIBCMT ref: 002005C8

Strings

csm, xrefs: 0020055D

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f68380d513e2a529a7d06bc6c62990882e70cc7e37d91220d2fd9f30c408a8a5
Instruction ID: af15c7340553aa7dc5412b34e56c1189fc4aed84b680a2814624017973cfb66a
Opcode Fuzzy Hash: f68380d513e2a529a7d06bc6c62990882e70cc7e37d91220d2fd9f30c408a8a5
Instruction Fuzzy Hash: D3419C34A20309ABDB10DF68CC85BAEBBB5BF45324F548055E9185B2D3D731AA25CF91

Function 001FBB2D Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001FBB34
std::_Lockit::_Lockit.LIBCPMT ref: 001FBB3E
int.LIBCPMT ref: 001FBB55

Part of subcall function 001F400A: std::_Lockit::_Lockit.LIBCPMT ref: 001F401B
Part of subcall function 001F400A: std::_Lockit::~_Lockit.LIBCPMT ref: 001F4035

codecvt.LIBCPMT ref: 001FBB78
std::_Facet_Register.LIBCPMT ref: 001FBB8F
std::_Lockit::~_Lockit.LIBCPMT ref: 001FBBAF

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 8379fb8fa115fffbbea06c316bd23b14b3450b412711e542200c95f187c4cd17
Instruction ID: 9a3dd9b7377b120b11c30d10cdcc9ac9bf83c5cf9f75ed44d991cec9e36951da
Opcode Fuzzy Hash: 8379fb8fa115fffbbea06c316bd23b14b3450b412711e542200c95f187c4cd17
Instruction Fuzzy Hash: FA11EE7291021C9BCB01EF68D8467BE77B9BFA4325F244409EA05A7291DFB0AA058B94

Function 00200644 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0020063B,001FED6A,001F9554,B1BFA320,?,?,?,?,0021B1A7,000000FF), ref: 00200652
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00200660
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00200679
SetLastError.KERNEL32(00000000,?,0020063B,001FED6A,001F9554,B1BFA320,?,?,?,?,0021B1A7,000000FF), ref: 002006CB

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b804793c454351bb13b8406b4bca2b79aff6b6ab6db63a86af02daa2644e672d
Instruction ID: 6bb9e4ed1eb440691e5a13f5fb6860ce7f051761eff20ed3f913981a7ceba808
Opcode Fuzzy Hash: b804793c454351bb13b8406b4bca2b79aff6b6ab6db63a86af02daa2644e672d
Instruction Fuzzy Hash: 2F01DD321393139FF7152AB4BCCA66A364AE751376F30032AF510410E3EFA35D715548

Function 001F2D33 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001F2D3F
int.LIBCPMT ref: 001F2D52

Part of subcall function 001F400A: std::_Lockit::_Lockit.LIBCPMT ref: 001F401B
Part of subcall function 001F400A: std::_Lockit::~_Lockit.LIBCPMT ref: 001F4035

std::_Facet_Register.LIBCPMT ref: 001F2D85
std::_Lockit::~_Lockit.LIBCPMT ref: 001F2D9B

Strings

h)%, xrefs: 001F2D4A

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: h)%
API String ID: 459529453-3066497062
Opcode ID: d3ebac731a55864eab05066d0cd43a7b2e97bebe1f7f4a8dcd98be2eb2d36817
Instruction ID: 70dbc3fd80fbb78434802b428b4f3b635a6172dc7568de35f2eb02c281f517fd
Opcode Fuzzy Hash: d3ebac731a55864eab05066d0cd43a7b2e97bebe1f7f4a8dcd98be2eb2d36817
Instruction Fuzzy Hash: B301267250011CEBCB14ABA4D805CBE7768EFA1724F200109FB15AB380EF30AE02CB84

Function 001F2E25 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001F2E31
int.LIBCPMT ref: 001F2E44

Part of subcall function 001F400A: std::_Lockit::_Lockit.LIBCPMT ref: 001F401B
Part of subcall function 001F400A: std::_Lockit::~_Lockit.LIBCPMT ref: 001F4035

std::_Facet_Register.LIBCPMT ref: 001F2E77
std::_Lockit::~_Lockit.LIBCPMT ref: 001F2E8D

Strings

l)%, xrefs: 001F2E3C

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: l)%
API String ID: 459529453-2983108858
Opcode ID: 6635550815556ec34c1370fbfe6973ba5d69c3f9815a93754b4e0baff1709eb0
Instruction ID: a15cd2714b20a85997f277f5f024bbd3810304eac855d8139e85b3fa06fcec04
Opcode Fuzzy Hash: 6635550815556ec34c1370fbfe6973ba5d69c3f9815a93754b4e0baff1709eb0
Instruction Fuzzy Hash: CD01267250151CABCB14EB64D8058FE7768EFA0764F340209FB05AB391EF70AE02CB84

Function 001F2E9E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001F2EAA
int.LIBCPMT ref: 001F2EBD

Part of subcall function 001F400A: std::_Lockit::_Lockit.LIBCPMT ref: 001F401B
Part of subcall function 001F400A: std::_Lockit::~_Lockit.LIBCPMT ref: 001F4035

std::_Facet_Register.LIBCPMT ref: 001F2EF0
std::_Lockit::~_Lockit.LIBCPMT ref: 001F2F06

Strings

p)%, xrefs: 001F2EB5

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: p)%
API String ID: 459529453-2767387374
Opcode ID: bf6161016de909570ae885cdcd9b607802279fde84ece50f38e9c093016bd087
Instruction ID: 81c4f168646c010e372e5a129a52884a52d471743c5092346808c37570a45aa1
Opcode Fuzzy Hash: bf6161016de909570ae885cdcd9b607802279fde84ece50f38e9c093016bd087
Instruction Fuzzy Hash: D101A27290151CABCB18EB68D8058BE77B8DF91364F240159FB059B291EF349E028794

Function 00208AAE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,B1BFA320,?,?,00000000,0021B3CE,000000FF,?,00208A3E,?,?,00208A12,00000016), ref: 00208AE3
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00208AF5
FreeLibrary.KERNEL32(00000000,?,00000000,0021B3CE,000000FF,?,00208A3E,?,?,00208A12,00000016), ref: 00208B17

Strings

CorExitProcess, xrefs: 00208AED
mscoree.dll, xrefs: 00208ADC

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f13eda520b13c2859830ccb497dff5661c0a65724e2b770e9a3bf676d88a9f0a
Instruction ID: 6511cf7b7fee2aafecbe8eabe61ce37ebb3a6052d7e97f1b7edac6d20799f743
Opcode Fuzzy Hash: f13eda520b13c2859830ccb497dff5661c0a65724e2b770e9a3bf676d88a9f0a
Instruction Fuzzy Hash: 3701A775954629FBDB119F90DC09FEEB7B9FB08B15F104525F811E22D0DF749910CA90

Function 0020FAB1 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0020FB38
__alloca_probe_16.LIBCMT ref: 0020FBF9
__freea.LIBCMT ref: 0020FC60

Part of subcall function 0020DBB9: RtlAllocateHeap.NTDLL(00000000,001F8B9B,?,?,001FE744,?,?,?,?,?,001F379B,001F8B9B,?,?,?,?), ref: 0020DBEB

__freea.LIBCMT ref: 0020FC75
__freea.LIBCMT ref: 0020FC85

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: cd5a6c286e2e2086261c75e3baff2ba125063b6bdc1bccd109df0e5825521e50
Instruction ID: 50b878246e5466619a088f0dffefb32deff42c9f3c39b4d393b36c4333ed0954
Opcode Fuzzy Hash: cd5a6c286e2e2086261c75e3baff2ba125063b6bdc1bccd109df0e5825521e50
Instruction Fuzzy Hash: 6851B47266030AABEB35DEA4CD82DBB36A9EB44714B150139FD08D6592E770DD20DA60

Function 001F9792 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001F97A6
AcquireSRWLockExclusive.KERNEL32(00000000,?,001F82F7,?,?,001F599E), ref: 001F97C5
AcquireSRWLockExclusive.KERNEL32(00000000,?,00000000,?,001F82F7,?,?,001F599E), ref: 001F97F3
TryAcquireSRWLockExclusive.KERNEL32(00000000,?,00000000,?,001F82F7,?,?,001F599E), ref: 001F984E
TryAcquireSRWLockExclusive.KERNEL32(00000000,?,00000000,?,001F82F7,?,?,001F599E), ref: 001F9865

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 25fcb749b6923dcd7c7043420cb74ce256a2753fc11494c06f29b865222d6c1d
Instruction ID: 866459910677e9840a695ef802ea50dd2aa73d8ce9aa70864d416ff2efced91b
Opcode Fuzzy Hash: 25fcb749b6923dcd7c7043420cb74ce256a2753fc11494c06f29b865222d6c1d
Instruction Fuzzy Hash: E5415D7590060EDFCB24EF66D485ABAB3F5FF4A390B20892AD646D7540D730E984CBA0

Function 001F9D2D Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001F9D34
std::_Lockit::_Lockit.LIBCPMT ref: 001F9D3F
std::_Lockit::~_Lockit.LIBCPMT ref: 001F9DAD

Part of subcall function 001F9E90: std::locale::_Locimp::_Locimp.LIBCPMT ref: 001F9EA8

std::locale::_Setgloballocale.LIBCPMT ref: 001F9D5A
_Yarn.LIBCPMT ref: 001F9D70

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 08814ec8b1e1ab20a34319ca3592e5202de9fcb3b29585103cfca770c9759e76
Instruction ID: 28b713f45f56e6ad3fd165b2a8b2f7811c4019c10cf971eb9fd95c04ecfd26e8
Opcode Fuzzy Hash: 08814ec8b1e1ab20a34319ca3592e5202de9fcb3b29585103cfca770c9759e76
Instruction Fuzzy Hash: 3001F275A402289BC70AFF20E81967D7BB2FFA5340B24405DEA1257382CF74AE42CBC5

Function 00201747 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,002016F8,?,?,00000000,?,?,?,00201822,00000002,FlsGetValue,0021E2C8,FlsGetValue), ref: 00201754
GetLastError.KERNEL32(?,002016F8,?,?,00000000,?,?,?,00201822,00000002,FlsGetValue,0021E2C8,FlsGetValue,?,?,00200665), ref: 0020175E
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00201786

Strings

api-ms-, xrefs: 0020176B

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 3286ec3d92f47ed1941910bd112559edeaff677910dd3ad9b0c72c33e8154bc0
Instruction ID: 5259c42e1225fb8cd433d10f684f479fe39da313e0eb3e10b1f1cccc02f40080
Opcode Fuzzy Hash: 3286ec3d92f47ed1941910bd112559edeaff677910dd3ad9b0c72c33e8154bc0
Instruction Fuzzy Hash: 9BE012702E0309B7EF101F50EC4ABA83B599B14B54F208120F90DE44E1DB6199B49985

Function 0021007A Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(B1BFA320,00000000,00000000,00000000), ref: 002100DD

Part of subcall function 002121FC: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0020FC56,?,00000000,-00000008), ref: 002122A8

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00210338
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00210380
GetLastError.KERNEL32 ref: 00210423

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 8aa23a05e90f5ecc17fbfc9fa2cdeb56e3275fbc88e64ac4f53db4868268fdee
Instruction ID: 2dbd252325df0599b97ea572a4ade8b650257f2c56e1136f4eb2c30f24ebdd23
Opcode Fuzzy Hash: 8aa23a05e90f5ecc17fbfc9fa2cdeb56e3275fbc88e64ac4f53db4868268fdee
Instruction Fuzzy Hash: 7BD168B5E102489FCB11CFA8D8C4AEDBBF5FF18310F28816AE915E7251D770A996CB50

Function 0020075B Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00200822
___AdjustPointer.LIBCMT ref: 00200845
___AdjustPointer.LIBCMT ref: 002008E1

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7a823ddaace9f9d802c2e2dc63e1a42705255662905796db0c35f259247aae66
Instruction ID: c45d5096ebb40ac34234423450e82187381320646f8eac22c50a292d79033e28
Opcode Fuzzy Hash: 7a823ddaace9f9d802c2e2dc63e1a42705255662905796db0c35f259247aae66
Instruction Fuzzy Hash: 6F51D171A25306AFFB289F90D885BBAB7A4FF54700F14842DE905875E2DB71AD60CBD0

Function 002124BC Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 002121FC: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0020FC56,?,00000000,-00000008), ref: 002122A8

GetLastError.KERNEL32 ref: 00212520
__dosmaperr.LIBCMT ref: 00212527
GetLastError.KERNEL32(?,?,?,?), ref: 00212561
__dosmaperr.LIBCMT ref: 00212568

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: d11dd2cfeb8db600bcca0db515994e9f9ff751578b3fedc0a812258f7b4e4d04
Instruction ID: fcc80d327ec93d34a72d75360e674ec5271bb56f4ff2e20317bdd8157ed9819a
Opcode Fuzzy Hash: d11dd2cfeb8db600bcca0db515994e9f9ff751578b3fedc0a812258f7b4e4d04
Instruction Fuzzy Hash: 7421D671620306FFCB34AFA5DC908ABBBEAEF243607908518F95593151D730ECB48B90

Function 00208496 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d99357a6622b0368e7106a2842cef80fdd52a773982ef0fc7c716404f7859a
Instruction ID: cc45cc5b3d8b926b9b86863e531fda63c379c708df3318e7963ade1b3d560f02
Opcode Fuzzy Hash: 28d99357a6622b0368e7106a2842cef80fdd52a773982ef0fc7c716404f7859a
Instruction Fuzzy Hash: B021A171220306AFDB20AF64DC849AB7BE9EF003647518914F999972D3EF30ED708B90

Function 00213452 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0021345A

Part of subcall function 002121FC: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0020FC56,?,00000000,-00000008), ref: 002122A8

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00213492
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002134B2

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 2ec61a38b815fcadee20479f372d5c5d85ce2692f8306408be05a2f7d2b0fc6e
Instruction ID: 4e5ff2c10ef79b6d10d8dc990e8480d7708739c94d404400ba597b081b614f67
Opcode Fuzzy Hash: 2ec61a38b815fcadee20479f372d5c5d85ce2692f8306408be05a2f7d2b0fc6e
Instruction Fuzzy Hash: 191108F19312157FEB22A7B16C8ECEF79DDCE663943204124F905D1102EE74CEA046B0

Function 001F2C41 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001F2C4D
int.LIBCPMT ref: 001F2C60

Part of subcall function 001F400A: std::_Lockit::_Lockit.LIBCPMT ref: 001F401B
Part of subcall function 001F400A: std::_Lockit::~_Lockit.LIBCPMT ref: 001F4035

std::_Facet_Register.LIBCPMT ref: 001F2C93
std::_Lockit::~_Lockit.LIBCPMT ref: 001F2CA9

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 75df507e1fe22ee751240ecc2c369219fb6f153e34891a5760a66db4d832f96a
Instruction ID: 4073c3353a969380d2477b51b5904b77de6bd2d3f4da26adc9b9e65b77ede45e
Opcode Fuzzy Hash: 75df507e1fe22ee751240ecc2c369219fb6f153e34891a5760a66db4d832f96a
Instruction Fuzzy Hash: CA01F27290111CABCB18EB64D8158BE7B78EFA1764B240219FB05AB291EF309E028784

Function 001F2CBA Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001F2CC6
int.LIBCPMT ref: 001F2CD9

Part of subcall function 001F400A: std::_Lockit::_Lockit.LIBCPMT ref: 001F401B
Part of subcall function 001F400A: std::_Lockit::~_Lockit.LIBCPMT ref: 001F4035

std::_Facet_Register.LIBCPMT ref: 001F2D0C
std::_Lockit::~_Lockit.LIBCPMT ref: 001F2D22

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 7c2a7d76a1c4dce110a0f7a1bf5e891187f78d50cd6a3e0649a654cd73d5360b
Instruction ID: 09ed06b0a47c6b2d4b97e4f3c47edc7e8762a3610a9d3a5737e188a1f9a64c88
Opcode Fuzzy Hash: 7c2a7d76a1c4dce110a0f7a1bf5e891187f78d50cd6a3e0649a654cd73d5360b
Instruction Fuzzy Hash: 6101F27250061CEBCB14ABA4D8058BEB768EF91364F340159FB159B281EF309E4287A4

Function 0021985F Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00218615,00000000,00000001,00000000,00000000,?,00210477,00000000,00000000,00000000), ref: 00219876
GetLastError.KERNEL32(?,00218615,00000000,00000001,00000000,00000000,?,00210477,00000000,00000000,00000000,00000000,00000000,?,002109FE,00000000), ref: 00219882

Part of subcall function 00219848: CloseHandle.KERNEL32(FFFFFFFE,00219892,?,00218615,00000000,00000001,00000000,00000000,?,00210477,00000000,00000000,00000000,00000000,00000000), ref: 00219858

___initconout.LIBCMT ref: 00219892

Part of subcall function 0021980A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00219839,00218602,00000000,?,00210477,00000000,00000000,00000000,00000000), ref: 0021981D

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00218615,00000000,00000001,00000000,00000000,?,00210477,00000000,00000000,00000000,00000000), ref: 002198A7

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 5737eceff194ba4a1f78f94404b3cdbafc39088c6f96b36894050fce292ff57d
Instruction ID: eb47e3ecee0f029d1c5861e08bc3c9a0dd1d556f2854f0ed8a01b89df661f569
Opcode Fuzzy Hash: 5737eceff194ba4a1f78f94404b3cdbafc39088c6f96b36894050fce292ff57d
Instruction Fuzzy Hash: 7FF03736490155BBCF222F95EC0CAC93FA5FF1A3A1B154110F91885130CA3288B0DF90

Function 00200D57 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00200D7C

Strings

MOC, xrefs: 00200D8E
RCC, xrefs: 00200D96

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: fc2eba5100fe37cba23ad518938e1823c0b809f6565e9dc40f387459e04321c0
Instruction ID: 733079fe64a117c9978e83783ceaabfd8ffa755c5915d7200c6eaa603debb2d6
Opcode Fuzzy Hash: fc2eba5100fe37cba23ad518938e1823c0b809f6565e9dc40f387459e04321c0
Instruction Fuzzy Hash: 6641387191020AAFEF15DF94DC81BAE7BB5FF48304F148559FA08762A2D335A960DB50

Function 001F9615 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 001F969D
RaiseException.KERNEL32(?,?,?,001F864E,?,?,?,?,?,?,?,?,?,?,001F864E,00000001), ref: 001F96C2

Part of subcall function 001FE79C: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,001F8BA9,?,00227068,?,0000000006:1@0000000005:@), ref: 001FE7FC

Part of subcall function 00201F23: IsProcessorFeaturePresent.KERNEL32(00000017,00201A52,?,002019C1,001F8B9B,00000016,00201BD0,?,?,?,?,?,00000000,?,?), ref: 00201F3F

Strings

csm, xrefs: 001F9651

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: f009f7e49e7b68afc93d65bf36ac6b3552ad9b282c065302fd8077896067ff91
Instruction ID: 47d7da83fefc48ba32a16601d0af3988677b5a57fdea4e72c53e17990b7e941e
Opcode Fuzzy Hash: f009f7e49e7b68afc93d65bf36ac6b3552ad9b282c065302fd8077896067ff91
Instruction Fuzzy Hash: A121AF31D0121CABCF25EFD5D845ABEB7B9AF14720F14041AE606EB660DB30AD45CB81

Function 001F2AB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32(?,00000000,00000000,00000000,00000000,00000028,?,001F52C7,0025295C,?,00000028,001F63A8,00000028,00000028,?,001F6518), ref: 001F2AC8
InitOnceComplete.KERNEL32(?,00000000,00000000,?,001F52C7,0025295C,?,00000028,001F63A8,00000028,00000028,?,001F6518,001F49E3,00000000,00000001), ref: 001F2AE6

Strings

H)%, xrefs: 001F2AE1

Memory Dump Source

Source File: 00000000.00000002.2007700127.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2007667141.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007739846.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007768798.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2007820814.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_7Xex8yR90g.jbxd

Yara matches

Similarity

API ID: InitOnce$BeginCompleteInitialize
String ID: H)%
API String ID: 51270584-2391428806
Opcode ID: 8b0602dcf98087865dbdc0caf6ff5c45cd7dc155bad7de4ad09cc2941905101d
Instruction ID: 97104f2da3120f5a53e5f9030ef330d9d3d2c73f0894ca88368d3e986b8f9bc3
Opcode Fuzzy Hash: 8b0602dcf98087865dbdc0caf6ff5c45cd7dc155bad7de4ad09cc2941905101d
Instruction Fuzzy Hash: 66E06D7090222CFA8B306BA1EC0DDFB3E6CFF057907104014FA05D2454EB749A01E6E0

Analysis Process: RegAsm.exePID: 3792, Parent PID: 4428COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.3%
Total number of Nodes:	1439
Total number of Limit Nodes:	18

Executed Functions

Function 00415720 Relevance: 1.5, APIs: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041576F

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ff341ca2485ce75d8ca8b4895e1ba19bee9f4f2c9a5c364ee356505f83e2034c
Instruction ID: fb0e6887b18507a8360df8850ef64887ceecd31fd32c6e2cb66bf59abcbf9730
Opcode Fuzzy Hash: ff341ca2485ce75d8ca8b4895e1ba19bee9f4f2c9a5c364ee356505f83e2034c
Instruction Fuzzy Hash: E2F04FB1944608EBCB10DF98DD46BAEBBB8FB08721F10021AF615A2680C77415448BE1

Function 00401120 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00414947,0041E4C7), ref: 0040112A

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: a7c4ad7a45245c78411457a8aae732031052a62564fa7a9854ab3dd0ef33967d
Instruction ID: 5654751876d9203a98455e97ebb2cdec33529a1649c917b0838c613bd50292a7
Opcode Fuzzy Hash: a7c4ad7a45245c78411457a8aae732031052a62564fa7a9854ab3dd0ef33967d
Instruction Fuzzy Hash: 9AD05E7490160CDBCB24EFE09A496DDBB79AB0C711F001455DD0672240D6305441CA65

Function 004011E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: 721940bddceabd09e7a22a1874063ddbad559e8aadbfb121420a8f9c72e410a4
Instruction ID: 790ec4d6eeec2f0dc411d0ded6d90965183085be92245a2b05edb6ec41bb63a3
Opcode Fuzzy Hash: 721940bddceabd09e7a22a1874063ddbad559e8aadbfb121420a8f9c72e410a4
Instruction Fuzzy Hash: 0601FFB0D40208FBDB10EBD0CD4AB9EB778AF54705F24405AE605B61D0D77855458B59

Function 004176E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 212
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,00414930), ref: 0041791A
LoadLibraryA.KERNELBASE(?,?,00414930), ref: 0041794F

Strings

NtQueryInformationProcess, xrefs: 00417A2A

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 1029625771-2781105232
Opcode ID: edc41c486c73209fe29b0a49e24866dd51b81ab44828690f739836faedfb6f2e
Instruction ID: ea941fe70d333bd79c2ba667982baca8a39bee8649eabf8ef2794d8e25bdaf96
Opcode Fuzzy Hash: edc41c486c73209fe29b0a49e24866dd51b81ab44828690f739836faedfb6f2e
Instruction Fuzzy Hash: 8BA14FB5910E00AFC375DFA8FE88A1637BBBB4C3217106519B60BC72A0D7759482DF55

Function 00414920 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401120: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00414947,0041E4C7), ref: 0040112A

Part of subcall function 004010D0: VirtualAllocExNuma.KERNELBASE(00000000,?,?,0041494C), ref: 004010F2

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226

GetUserDefaultLangID.KERNELBASE ref: 00414956

Part of subcall function 00415720: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041576F

Part of subcall function 004157B0: GetComputerNameA.KERNEL32(?,00000104), ref: 004157FF

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoLangMemoryNumaStatusSystemVirtual
String ID:
API String ID: 736289943-0
Opcode ID: 4f7ef2c71eb91229e7ae373baf6c6d29b9fb87ff9e34d6da5537cebc80361348
Instruction ID: c38b05ecb25792c20249c5c89c2b60808eb8a299d8fab61a246423dbd112778e
Opcode Fuzzy Hash: 4f7ef2c71eb91229e7ae373baf6c6d29b9fb87ff9e34d6da5537cebc80361348
Instruction Fuzzy Hash: AD315C71940208AACB14FBF2DC56BEE733AAF58348F50411EF112661D2DF785A818B6D

Function 00414850 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041E988,?), ref: 0041490A

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: f5e36cd12a51ae680a947cead6980d9d7f72cef3edb0b117d6f6898e0a85ae73
Instruction ID: 0a1651ad7484662879aa6b78d62b143174ee3cb6ee1315efa2ac3206c72aa24e
Opcode Fuzzy Hash: f5e36cd12a51ae680a947cead6980d9d7f72cef3edb0b117d6f6898e0a85ae73
Instruction Fuzzy Hash: 5121FAB5D10209ABCF14EFE4E945AEEB7BABF4C300F04852EE516E3250EB345604CB69

Function 004157B0 Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 004157FF

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 427ee067d7557a8dd958476cf6c683832bbce3556a3e299bf2a0a6b1e8b6a2fc
Instruction ID: 6cf1fd53c786beb2c1615a04a07a3920453c59c76323e89f420815a02362f81b
Opcode Fuzzy Hash: 427ee067d7557a8dd958476cf6c683832bbce3556a3e299bf2a0a6b1e8b6a2fc
Instruction Fuzzy Hash: F60186B1E44608EBC720DF95DE45BEABBB8FB44751F10011AFA06E3290C3795941CBA5

Function 004010D0 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocExNuma.KERNELBASE(00000000,?,?,0041494C), ref: 004010F2

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: f6278b5c68f5ffb6a33ba1ea485b1aac214440932dca370ae1e3c865b0252ec4
Instruction ID: 6ed2ff167a0b6f4e171b06faf37e7030b09d9d956d5a446bdb7a3213d1831e4b
Opcode Fuzzy Hash: f6278b5c68f5ffb6a33ba1ea485b1aac214440932dca370ae1e3c865b0252ec4
Instruction Fuzzy Hash: 6AE0867098530CFBEB20ABA0DE0EB0976689B08B06F101055F7097A1D0C6B429009A59

Function 00401060 Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,0041494C), ref: 00401073

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ea4f8485ffce1a6c69b8ae5c9f82f2fa57c2f46f4f54c1ff86e01909371c657e
Instruction ID: d6f10d961bdd3346436d2f5e9e7134fa9a4a54fa336e7859eb55749a310f2e10
Opcode Fuzzy Hash: ea4f8485ffce1a6c69b8ae5c9f82f2fa57c2f46f4f54c1ff86e01909371c657e
Instruction Fuzzy Hash: 19F027B1681208BBE7249AB4AC49FAFF39CA705B04F304559F985E3390D6719F00CAA4

Non-executed Functions

Function 0041936E Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041A666
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041A67B
UnhandledExceptionFilter.KERNEL32(0041D690), ref: 0041A686
GetCurrentProcess.KERNEL32(C0000409), ref: 0041A6A2
TerminateProcess.KERNEL32(00000000), ref: 0041A6A9

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6bf7682afb6d8dbebff2f52ede0b53c16104900d82106410403a613429f015c3
Instruction ID: 3bf40617ca31318f22f05e73492665b9c2615933019aa7c646c7410b41e430ec
Opcode Fuzzy Hash: 6bf7682afb6d8dbebff2f52ede0b53c16104900d82106410403a613429f015c3
Instruction Fuzzy Hash: B321CFB4A11A04EFC720EF65FD847947BA5FB0C319BD0803AE40887264E7B45AC28F5D

Function 0041AD4A Relevance: 129.2, APIs: 86, Instructions: 188
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0041AD5E

Part of subcall function 00418A67: HeapFree.KERNEL32(00000000,00000000,?,00418978,00000000,00422C38,004189BF,?,?,?,00418A2F,00422C38,?,8,B,0041B7F3,8,B), ref: 00418A7D
Part of subcall function 00418A67: GetLastError.KERNEL32(?,?,00418978,00000000,00422C38,004189BF,?,?,?,00418A2F,00422C38,?,8,B,0041B7F3,8,B), ref: 00418A8F

_free.LIBCMT ref: 0041AD66
_free.LIBCMT ref: 0041AD6E
_free.LIBCMT ref: 0041AD76
_free.LIBCMT ref: 0041AD7E
_free.LIBCMT ref: 0041AD86
_free.LIBCMT ref: 0041AD8D
_free.LIBCMT ref: 0041AD95
_free.LIBCMT ref: 0041AD9D
_free.LIBCMT ref: 0041ADA5
_free.LIBCMT ref: 0041ADAD
_free.LIBCMT ref: 0041ADB5
_free.LIBCMT ref: 0041ADBD
_free.LIBCMT ref: 0041ADC5
_free.LIBCMT ref: 0041ADCD
_free.LIBCMT ref: 0041ADD5
_free.LIBCMT ref: 0041ADE0
_free.LIBCMT ref: 0041ADE8
_free.LIBCMT ref: 0041ADF0
_free.LIBCMT ref: 0041ADF8
_free.LIBCMT ref: 0041AE00
_free.LIBCMT ref: 0041AE08
_free.LIBCMT ref: 0041AE10
_free.LIBCMT ref: 0041AE18
_free.LIBCMT ref: 0041AE20
_free.LIBCMT ref: 0041AE28
_free.LIBCMT ref: 0041AE30
_free.LIBCMT ref: 0041AE38
_free.LIBCMT ref: 0041AE40
_free.LIBCMT ref: 0041AE48
_free.LIBCMT ref: 0041AE50
_free.LIBCMT ref: 0041AE58
_free.LIBCMT ref: 0041AE66
_free.LIBCMT ref: 0041AE71
_free.LIBCMT ref: 0041AE7C
_free.LIBCMT ref: 0041AE87
_free.LIBCMT ref: 0041AE92
_free.LIBCMT ref: 0041AE9D
_free.LIBCMT ref: 0041AEA8
_free.LIBCMT ref: 0041AEB3
_free.LIBCMT ref: 0041AEBE
_free.LIBCMT ref: 0041AEC9
_free.LIBCMT ref: 0041AED4
_free.LIBCMT ref: 0041AEDF
_free.LIBCMT ref: 0041AEEA
_free.LIBCMT ref: 0041AEF5
_free.LIBCMT ref: 0041AF00
_free.LIBCMT ref: 0041AF0B
_free.LIBCMT ref: 0041AF19
_free.LIBCMT ref: 0041AF24
_free.LIBCMT ref: 0041AF2F
_free.LIBCMT ref: 0041AF3A
_free.LIBCMT ref: 0041AF45
_free.LIBCMT ref: 0041AF50
_free.LIBCMT ref: 0041AF5B
_free.LIBCMT ref: 0041AF66
_free.LIBCMT ref: 0041AF71
_free.LIBCMT ref: 0041AF7C
_free.LIBCMT ref: 0041AF87
_free.LIBCMT ref: 0041AF92
_free.LIBCMT ref: 0041AF9D
_free.LIBCMT ref: 0041AFA8
_free.LIBCMT ref: 0041AFB3
_free.LIBCMT ref: 0041AFBE
_free.LIBCMT ref: 0041AFCC
_free.LIBCMT ref: 0041AFD7
_free.LIBCMT ref: 0041AFE2
_free.LIBCMT ref: 0041AFED
_free.LIBCMT ref: 0041AFF8
_free.LIBCMT ref: 0041B003
_free.LIBCMT ref: 0041B00E
_free.LIBCMT ref: 0041B019
_free.LIBCMT ref: 0041B024
_free.LIBCMT ref: 0041B02F
_free.LIBCMT ref: 0041B03A
_free.LIBCMT ref: 0041B045
_free.LIBCMT ref: 0041B050
_free.LIBCMT ref: 0041B05B
_free.LIBCMT ref: 0041B066
_free.LIBCMT ref: 0041B071
_free.LIBCMT ref: 0041B07F
_free.LIBCMT ref: 0041B08A
_free.LIBCMT ref: 0041B095
_free.LIBCMT ref: 0041B0A0
_free.LIBCMT ref: 0041B0AB
_free.LIBCMT ref: 0041B0B6

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: bd53e233f0d03b40c249cc71735c843a5be27039ca8159180e4194d4a002c6fe
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: 7F71D631431B00DFD7627B32ED03ADA7EA27F04384F304A1FB1D620536AE266AE59759

Function 0040F920 Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 363
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strtok_s.MSVCRT ref: 0040F9EB
memset.MSVCRT ref: 0040FDA7

Part of subcall function 004167B0: malloc.MSVCRT ref: 004167B8
Part of subcall function 004167B0: strncpy.MSVCRT ref: 004167D3

strtok_s.MSVCRT ref: 0040FD49

Strings

<Port>, xrefs: 0040FA96
password: , xrefs: 0040FCCB
url: , xrefs: 0040FC47
browser: FileZilla, xrefs: 0040FC29
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040F974
<Host>, xrefs: 0040FA4C
<Pass encoding="base64">, xrefs: 0040FB2A
login: , xrefs: 0040FC9A
profile: null, xrefs: 0040FC38
<User>, xrefs: 0040FAE0

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$mallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 2676359353-555421843
Opcode ID: 6aabf572ed382ee09d367e8f8101b8ec4fe61848a25cf5ef6d5f756fff2462cb
Instruction ID: 7976c24c085ce95d0d3806a1bd210927e9112773adbae4baebf1d20f2d0aea97
Opcode Fuzzy Hash: 6aabf572ed382ee09d367e8f8101b8ec4fe61848a25cf5ef6d5f756fff2462cb
Instruction Fuzzy Hash: C1D15075900208ABCB14FBE1DD56EEE7739AF14305F50442EF502B6191EF38AA89CB69

Function 00413970 Relevance: 21.1, APIs: 4, Strings: 10, Instructions: 119COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413987
memset.MSVCRT ref: 00413A0D
memset.MSVCRT ref: 00413A93
memset.MSVCRT ref: 00413B19

Strings

msal.cache, xrefs: 00413AE4
Azure\.azure, xrefs: 004139D3
\.IdentityService\, xrefs: 00413ACD
*.*, xrefs: 00413A5E
\.azure\, xrefs: 004139C1
vBA, xrefs: 004139EE, 00413A74, 00413AFA, 00413B22, 004139F1, 00413A77, 00413AFD
Azure\.IdentityService, xrefs: 00413ADF
Azure\.aws, xrefs: 00413A59
*.*, xrefs: 004139D8
\.aws\, xrefs: 00413A47

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$vBA
API String ID: 2221118986-3203047241
Opcode ID: f99a1c978ec400aed53fc4aeec21fe9dbeeaa349f41ca42d3a61e1ed00d303d6
Instruction ID: c1ddf549a3185eee1cf366a17899702eaf285fd5c84bb07dd93c5e47f306484d
Opcode Fuzzy Hash: f99a1c978ec400aed53fc4aeec21fe9dbeeaa349f41ca42d3a61e1ed00d303d6
Instruction Fuzzy Hash: 1F41E8B9A4020867CB10FBB1DD4BFDD77399B54708F0004A9BA4A660C1FEB897D4CB99

Function 00415000 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 0041500E
OpenProcess.KERNEL32(001FFFFF,00000000,0041523D,0041E289), ref: 0041504C
memset.MSVCRT ref: 0041509A
??_V@YAXPAX@Z.MSVCRT ref: 004151EE

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 004150BC
=RA, xrefs: 004151DE, 004150A9, 004150AC
=RA, xrefs: 00415041

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenProcessmemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$=RA$=RA
API String ID: 1606381396-2611623248
Opcode ID: 5408a6fdec579d4e8794376ce2b54233cef3db923b30dd2742b599a838c73704
Instruction ID: 3d2114f900441ae6779428b499920d18cd927d595516dea7e75ef008834ef850
Opcode Fuzzy Hash: 5408a6fdec579d4e8794376ce2b54233cef3db923b30dd2742b599a838c73704
Instruction Fuzzy Hash: 9B516DB0D00218DFDB24EB90DC95BEEB775AF48304F1041AEE11566281EB786AC8CF5D

Function 00405630 Relevance: 12.5, APIs: 2, Strings: 6, Instructions: 493COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00405B93
memcpy.MSVCRT ref: 00405BCB

Strings

", xrefs: 00405AE6
", xrefs: 004059A5
------, xrefs: 004058DB
BHhf, xrefs: 00405898
------, xrefs: 00405A1C
------, xrefs: 00405766

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: "$"$------$------$------$BHhf
API String ID: 3510742995-139268881
Opcode ID: d8e6dd6a8b5d6a296bb9701e9e48709a091b0a019164f255e5a3a51bdccc2c48
Instruction ID: 7bc56bd7008279cffeafecc701a892dd96ebdc034ac279f9d55c1fdb42abf425
Opcode Fuzzy Hash: d8e6dd6a8b5d6a296bb9701e9e48709a091b0a019164f255e5a3a51bdccc2c48
Instruction Fuzzy Hash: 6A12F071820118ABCB15EFA1DC95FEEB379BF14704F1041AEB10662091EF786A89CF69

Function 0041A063 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041A06F

Part of subcall function 0041934C: __getptd_noexit.LIBCMT ref: 0041934F
Part of subcall function 0041934C: __amsg_exit.LIBCMT ref: 0041935C

__amsg_exit.LIBCMT ref: 0041A08F
__lock.LIBCMT ref: 0041A09F
InterlockedDecrement.KERNEL32(?), ref: 0041A0BC
_free.LIBCMT ref: 0041A0CF
InterlockedIncrement.KERNEL32(00424530), ref: 0041A0E7

Strings

0EB, xrefs: 0041A0D5, 0041A0DD

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: 0EB
API String ID: 3470314060-3472271230
Opcode ID: ab0ea71207d29a33da4758858cc2f3310f2abfdd7e021ef5217a10f467ab084c
Instruction ID: 76282fdaf3b8c19a36a251396487ec24a99463cd9570642b7e7b2ba8c7c514a5
Opcode Fuzzy Hash: ab0ea71207d29a33da4758858cc2f3310f2abfdd7e021ef5217a10f467ab084c
Instruction Fuzzy Hash: 5A018632A427119BC721EF7594497CE7F60AF08714F51401BE814A7280DB2C69D18BDE

Function 00412630 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 237COMMON

Download Yara Rule

Strings

%s%s, xrefs: 00412818
%s\%s\%s, xrefs: 004127BB
%s\*, xrefs: 0041263D
%s\%s, xrefs: 004126F4
%s\%s, xrefs: 004127DD

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 0-2524465048
Opcode ID: 5e0f23735c823d7341d52953dcacf576fe4b34b3c017a92124451107c7e3d789
Instruction ID: cb8c73ae0fa23ec5bc4c6471165f6cae956c3bc494efd63fff728c58d7a03a5e
Opcode Fuzzy Hash: 5e0f23735c823d7341d52953dcacf576fe4b34b3c017a92124451107c7e3d789
Instruction Fuzzy Hash: 709192B1A00618ABDB24EBA4CD85FEE7379BF58300F04459DF50A92181EB749BC5CF65

Function 004012D0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004012E7
memset.MSVCRT ref: 004014D0

Strings

SOFTWARE\monero-project\monero-core, xrefs: 004012F5
wallet_path, xrefs: 004012F0
\Monero\wallet.keys, xrefs: 0040134D
.keys, xrefs: 0040132B

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2221118986-218353709
Opcode ID: 5cabfe073c2fae5f2355a97b7a6f3856c3ba4f59f8fb87468531855ea9d1ec65
Instruction ID: 1b332567489456fb62c760348c8647518560d1585b7d5e50cdfb220c40b478b1
Opcode Fuzzy Hash: 5cabfe073c2fae5f2355a97b7a6f3856c3ba4f59f8fb87468531855ea9d1ec65
Instruction Fuzzy Hash: F15151B19401189BCB25FB61DD92AED733D9F54304F4041EEB60A62091EE785BC9CF6D

Function 004193C0 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004193CE

Part of subcall function 00418E61: __mtinitlocknum.LIBCMT ref: 00418E77
Part of subcall function 00418E61: __amsg_exit.LIBCMT ref: 00418E83
Part of subcall function 00418E61: EnterCriticalSection.KERNEL32(00000000,00000000,?,00419269,0000000D,?,?,00418BEF,00418A8D,?,?,00418978,00000000,00422C38,004189BF), ref: 00418E8B

DecodePointer.KERNEL32(00422B40,00000020,00419511,00000000,00000001,00000000,?,00419533,000000FF,?,00418E88,00000011,00000000,?,00419269,0000000D), ref: 0041940A
DecodePointer.KERNEL32(?,00419533,000000FF,?,00418E88,00000011,00000000,?,00419269,0000000D,?,?,00418BEF,00418A8D), ref: 0041941B

Part of subcall function 004191E2: EncodePointer.KERNEL32(00000000,0041A9D2,00424DC8,00000314,00000000,?,?,?,?,?,00419728,00424DC8,Microsoft Visual C++ Runtime Library,00012010), ref: 004191E4

DecodePointer.KERNEL32(-00000004,?,00419533,000000FF,?,00418E88,00000011,00000000,?,00419269,0000000D,?,?,00418BEF,00418A8D), ref: 00419441
DecodePointer.KERNEL32(?,00419533,000000FF,?,00418E88,00000011,00000000,?,00419269,0000000D,?,?,00418BEF,00418A8D), ref: 00419454
DecodePointer.KERNEL32(?,00419533,000000FF,?,00418E88,00000011,00000000,?,00419269,0000000D,?,?,00418BEF,00418A8D), ref: 0041945E

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 6787e4a62188f966182c1abd02db5d80c923dbbedc8b6710139852f0a565a2ad
Instruction ID: ec45cbb63e575e7dfa4a739f1c8945c5b3cdfef98aadd4b1d2212cafd0e9415b
Opcode Fuzzy Hash: 6787e4a62188f966182c1abd02db5d80c923dbbedc8b6710139852f0a565a2ad
Instruction Fuzzy Hash: 7E31F770A0430ADADF109FA9D9956DDBAF1BB49314F14802BE445A6290CBBD4C82CF69

Function 00414E30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00414E4F
??_U@YAPAXI@Z.MSVCRT ref: 00414E7D

Part of subcall function 00414B00: strlen.MSVCRT ref: 00414B11
Part of subcall function 00414B00: strlen.MSVCRT ref: 00414B35

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00414EC2
??_V@YAXPAX@Z.MSVCRT ref: 00414FE3

Part of subcall function 00414D10: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00414D28

Strings

@, xrefs: 00414ED6

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: 91b2ae15c4c849b549ef5c59baf7caa3ea964161e284581303b129ce0e8bce8f
Instruction ID: b0bbf0b6c3750b47cc488a957d558671af21addf7bbdc9c64f8f4371bbb237c3
Opcode Fuzzy Hash: 91b2ae15c4c849b549ef5c59baf7caa3ea964161e284581303b129ce0e8bce8f
Instruction Fuzzy Hash: 765108B5E04109EBDB04CF98D881AEFB7B6FF88304F108519F919A7344D738AA51CBA5

Function 00419DC7 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00419DD3

Part of subcall function 0041934C: __getptd_noexit.LIBCMT ref: 0041934F
Part of subcall function 0041934C: __amsg_exit.LIBCMT ref: 0041935C

__getptd.LIBCMT ref: 00419DEA
__amsg_exit.LIBCMT ref: 00419DF8
__lock.LIBCMT ref: 00419E08
__updatetlocinfoEx_nolock.LIBCMT ref: 00419E1C

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 37b2352c4fb0e4768deab2e0261b02f8975124246e1bc660967e8be418fd72b0
Instruction ID: 3b7c04d60f0ed2116800135477a66f5436a0bf7a158807113c67b1e310743546
Opcode Fuzzy Hash: 37b2352c4fb0e4768deab2e0261b02f8975124246e1bc660967e8be418fd72b0
Instruction Fuzzy Hash: 25F06232A01710EBD721BBA698137CD3690AB00B28F65420FF404A72D2CF6C5DC18A5E

Function 00415FD0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00416042
__aulldiv.LIBCMT ref: 00416050

Strings

%d MB, xrefs: 00416073
@, xrefs: 0041601D

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: %d MB$@
API String ID: 3732870572-3474575989
Opcode ID: 854f6f18041aef9052c10d726e8fe1c6cf7f394222e00842828e43ac8fd55494
Instruction ID: 86a0d1c95250957502f9069e218e2e702108611cd08c93e7abb5f400dcac6395
Opcode Fuzzy Hash: 854f6f18041aef9052c10d726e8fe1c6cf7f394222e00842828e43ac8fd55494
Instruction Fuzzy Hash: E2214DB1E40608ABDB10DFD5CD45FEEBBB9FB48B14F10410AF605BB280C77999018BA9

Function 00409810 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040982B
memset.MSVCRT ref: 0040985E

Strings

v10, xrefs: 00409822
@, xrefs: 00409867

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memcmpmemset
String ID: @$v10
API String ID: 1065087418-24753345
Opcode ID: be7a7bf30e8dfa2c74541271a7926a37dcea6f90517c6e88833ccdca67e744b3
Instruction ID: fc4e448515f09bb5da9a5ac1c9e7ff8d15c4cfdf5233ea8e25c6de54a2f7759e
Opcode Fuzzy Hash: be7a7bf30e8dfa2c74541271a7926a37dcea6f90517c6e88833ccdca67e744b3
Instruction Fuzzy Hash: B2410871900208ABDB04DF95C895BEEB7B5BF44704F10812DF909AB295DB78A985CB98

Function 00406CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406D14
task.LIBCPMTD ref: 00406F55

Part of subcall function 00408C40: vsprintf_s.MSVCRT ref: 00408C5B

Strings

Password, xrefs: 00406E01

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memsettaskvsprintf_s
String ID: Password
API String ID: 2675463923-3434357891
Opcode ID: a0cf22f0caf7218a01e8e3ba9f5175e45e8d8716ca8a0ec26cca2d0c8a9108e8
Instruction ID: a8ebb56f113b74727cc5d985c2ec7289bfcadc6b8ecbef954b02f85ed49113f4
Opcode Fuzzy Hash: a0cf22f0caf7218a01e8e3ba9f5175e45e8d8716ca8a0ec26cca2d0c8a9108e8
Instruction Fuzzy Hash: AA613EB5D0425C9BDB24DB50CC45BDAB7B8BF48304F0081EAE64AA6281DB746FC9CF95

Function 00410AC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00410B08
strtok_s.MSVCRT ref: 00410C92

Strings

block, xrefs: 00410AD7

Memory Dump Source

Source File: 00000002.00000002.2008201264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: block
API String ID: 3330995566-2199623458
Opcode ID: 8316f14ca9ff6f9b828477e3767543a3f6e36db89bb659a220fdaa77001074a8
Instruction ID: 4317100fa9659050eb711cd2864b3395f4f015c4d44f906a7fe8c0eb3a643ef8
Opcode Fuzzy Hash: 8316f14ca9ff6f9b828477e3767543a3f6e36db89bb659a220fdaa77001074a8
Instruction Fuzzy Hash: FB516374A44209EFEB14DF91DA44BEE7775BF54304F10815AE802A7240E7B8D9C6CF9A

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7Xex8yR90g.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
7Xex8yR90g.exe

Function 00E8018D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 001F46F6 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 208
COMMON

Function 0020D27F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 001F2DAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMON

Function 001F344C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMONLIBRARYCODE

Function 0020580B Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 001F96F8 Relevance: 4.5, APIs: 3, Instructions: 33
threadCOMMON

Function 00205764 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 00208A18 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 001FA63A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Function 00210930 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Function 001F14FB Relevance: 3.1, APIs: 2, Instructions: 134
COMMON

Function 001FC375 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Function 00210532 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE