Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1536228
MD5:	ccb3b74d378733c21fc584875b5a8b07
SHA1:	6779b4d3cfff750eeeeba77ec7abf4e206cc3931
SHA256:	0b1fadc136b71d5961664a2a1dc8e340c28324d3d8637667f1280bee4c3d12db
Tags:	exeuser-jstrosch
Infos:

Detection

HawkEye, MailPassView, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected HawkEye Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected HawkEye Keylogger

Yara detected MailPassView

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains process injector

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Changes the view of files in windows explorer (hidden files and folders)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has nameless sections

Sample uses process hollowing technique

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious desktop.ini Action

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CCB3B74D378733C21FC584875B5A8B07)

vbc.exe (PID: 7944 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: D881DE17AA8F2E2C08CBB7B265F928F9)

vbc.exe (PID: 7968 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: D881DE17AA8F2E2C08CBB7B265F928F9)

WindowsUpdate.exe (PID: 8104 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: CCB3B74D378733C21FC584875B5A8B07)

WindowsUpdate.exe (PID: 1184 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: CCB3B74D378733C21FC584875B5A8B07)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
HawkEye Keylogger, HawkEye, HawkEye Reborn	HawKeye is a keylogger that is distributed since 2013. Discovered by IBM X-Force, it is currently spread over phishing campaigns targeting businesses on a worldwide scale. It is designed to steal credentials from numerous applications but, in the last observed versions, new "loader capabilities" have been spotted. It is sold by its development team on dark web markets and hacking forums.	No Attribution	http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/ https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md	https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.1607673008.00000000024B6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000008.00000002.1610567858.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000008.00000002.1610355342.0000000005520000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000008.00000002.1609878742.0000000004421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x27906:$key: HawkEyeKeylogger 0x29be0:$salt: 099u787978786 0x27f56:$string1: HawkEye_Keylogger 0x28dea:$string1: HawkEye_Keylogger 0x29b32:$string1: HawkEye_Keylogger 0x28370:$string2: holdermail.txt 0x28392:$string2: holdermail.txt 0x282a6:$string3: wallet.dat 0x282c0:$string3: wallet.dat 0x282d8:$string3: wallet.dat 0x2970a:$string4: Keylog Records 0x29a24:$string4: Keylog Records 0x29c3c:$string5: do not script --> 0x278ec:$string6: \pidloc.txt 0x2794c:$string7: BSPLIT 0x2795e:$string7: BSPLIT
00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp	HawkEye	unknown	Kevin Breen <kevin@techanarchy.net>	0x27906:$key: HawkEyeKeylogger 0x29be0:$salt: 099u787978786 0x27f56:$string1: HawkEye_Keylogger 0x28dea:$string1: HawkEye_Keylogger 0x29b32:$string1: HawkEye_Keylogger 0x28370:$string2: holdermail.txt 0x28392:$string2: holdermail.txt 0x282a6:$string3: wallet.dat 0x282c0:$string3: wallet.dat 0x282d8:$string3: wallet.dat 0x2970a:$string4: Keylog Records 0x29a24:$string4: Keylog Records 0x29c3c:$string5: do not script --> 0x278ec:$string6: \pidloc.txt 0x2794c:$string7: BSPLIT 0x2795e:$string7: BSPLIT
00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x27fb2:$hawkstr1: HawkEye Keylogger 0x28e32:$hawkstr1: HawkEye Keylogger 0x29176:$hawkstr1: HawkEye Keylogger 0x292d4:$hawkstr1: HawkEye Keylogger 0x2943c:$hawkstr1: HawkEye Keylogger 0x296e2:$hawkstr1: HawkEye Keylogger 0x27b24:$hawkstr2: Dear HawkEye Customers! 0x291ca:$hawkstr2: Dear HawkEye Customers! 0x29324:$hawkstr2: Dear HawkEye Customers! 0x29490:$hawkstr2: Dear HawkEye Customers! 0x27c46:$hawkstr3: HawkEye Logger Details:
00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0xbdf6:$key: HawkEyeKeylogger 0xe0d0:$salt: 099u787978786 0xc446:$string1: HawkEye_Keylogger 0xd2da:$string1: HawkEye_Keylogger 0xe022:$string1: HawkEye_Keylogger 0xc860:$string2: holdermail.txt 0xc882:$string2: holdermail.txt 0xc796:$string3: wallet.dat 0xc7b0:$string3: wallet.dat 0xc7c8:$string3: wallet.dat 0xdbfa:$string4: Keylog Records 0xdf14:$string4: Keylog Records 0xe12c:$string5: do not script --> 0xbddc:$string6: \pidloc.txt 0xbe3c:$string7: BSPLIT 0xbe4e:$string7: BSPLIT
00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	HawkEye	unknown	Kevin Breen <kevin@techanarchy.net>	0xbdf6:$key: HawkEyeKeylogger 0xe0d0:$salt: 099u787978786 0xc446:$string1: HawkEye_Keylogger 0xd2da:$string1: HawkEye_Keylogger 0xe022:$string1: HawkEye_Keylogger 0xc860:$string2: holdermail.txt 0xc882:$string2: holdermail.txt 0xc796:$string3: wallet.dat 0xc7b0:$string3: wallet.dat 0xc7c8:$string3: wallet.dat 0xdbfa:$string4: Keylog Records 0xdf14:$string4: Keylog Records 0xe12c:$string5: do not script --> 0xbddc:$string6: \pidloc.txt 0xbe3c:$string7: BSPLIT 0xbe4e:$string7: BSPLIT
00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0xc4a2:$hawkstr1: HawkEye Keylogger 0xd322:$hawkstr1: HawkEye Keylogger 0xd666:$hawkstr1: HawkEye Keylogger 0xd7c4:$hawkstr1: HawkEye Keylogger 0xd92c:$hawkstr1: HawkEye Keylogger 0xdbd2:$hawkstr1: HawkEye Keylogger 0xc014:$hawkstr2: Dear HawkEye Customers! 0xd6ba:$hawkstr2: Dear HawkEye Customers! 0xd814:$hawkstr2: Dear HawkEye Customers! 0xd980:$hawkstr2: Dear HawkEye Customers! 0xc136:$hawkstr3: HawkEye Logger Details:
00000008.00000002.1603365983.00000000005CA000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: file.exe PID: 7556	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: file.exe PID: 7556	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: file.exe PID: 7556	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: file.exe PID: 7556	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 7944	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: vbc.exe PID: 7968	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 8104	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 8104	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.file.exe.5c47da6.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
8.2.WindowsUpdate.exe.24b6f16.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.WindowsUpdate.exe.4424140.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.file.exe.33522a4.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.WindowsUpdate.exe.55b0ee8.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.file.exe.5c47da6.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
8.2.WindowsUpdate.exe.5520000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.WindowsUpdate.exe.4423258.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
8.2.WindowsUpdate.exe.44ac610.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.WindowsUpdate.exe.55b0000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.file.exe.4313248.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.file.exe.5c463a1.6.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
8.2.WindowsUpdate.exe.55b0000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.file.exe.4313248.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.file.exe.4313248.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.file.exe.432b468.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
8.2.WindowsUpdate.exe.5520000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.WindowsUpdate.exe.44ac610.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.file.exe.5bf053c.5.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
8.2.WindowsUpdate.exe.4423258.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.file.exe.5bf0000.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.file.exe.5bf0000.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
8.2.WindowsUpdate.exe.4424140.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.file.exe.432b468.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.file.exe.5bf053c.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.file.exe.5bf053c.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.file.exe.5bf0000.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.file.exe.5bf0000.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
8.2.WindowsUpdate.exe.490000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 30 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7556, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 142.251.173.109, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Users\user\Desktop\file.exe, Initiated: true, ProcessId: 7556, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49800

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7556, TargetFilename: C:\Windows\assembly\Desktop.ini

Suricata Signatures

ETPRO MALWARE MSIL/Golroted.B or HawkEye External IP Check with minimal headers

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-17T18:07:55.724088+0200	2810703	2	Device Retrieving External IP Address Detected	192.168.2.9	49750	104.19.222.79	80	TCP
2024-10-17T18:07:56.692825+0200	2810703	2	Device Retrieving External IP Address Detected	192.168.2.9	49756	104.19.222.79	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00558554 EP_CryptHashStringW,	8_2_00558554
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00558544 EP_CryptHashFileW,	8_2_00558544
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0055854C EP_CryptHashStringA,	8_2_0055854C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00558534 EP_CryptHashBuffer,	8_2_00558534
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0055853C EP_CryptHashFileA,	8_2_0055853C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00558594 EP_CryptEncryptBuffer,	8_2_00558594
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0055859C EP_CryptEncryptBufferEx,	8_2_0055859C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_005585A4 EP_CryptDecryptBuffer,	8_2_005585A4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_005585AC EP_CryptDecryptBufferEx,	8_2_005585AC

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.19.222.79:443 -> 192.168.2.9:49756 version: TLS 1.0

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: \??\C:\Windows\System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3830984984.0000000009596000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Runtime.Remoting.pdbpdbing.pdb7 source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\symbols\dll\System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbO[ source: file.exe, 00000002.00000002.3830984984.0000000009596000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\dll\System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3822570770.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: file.exe, 00000002.00000002.3828060827.0000000004398000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000008.00000002.1607673008.00000000024B6000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000008.00000002.1610567858.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, WindowsUpdate.exe, 00000008.00000002.1609878742.0000000004421000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000009.00000002.1711672680.0000000004418000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdbo source: file.exe, 00000002.00000002.3822570770.0000000000C11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbI source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: file.exe, 00000002.00000002.3832442794.000000000A060000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb0\| source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, vbc.exe, 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3825078969.0000000003300000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Runtime.Remoting.pdbc source: file.exe, 00000002.00000002.3832742558.000000000A450000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,	5_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,	6_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,	6_2_00407E0E

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 057AD29Bh	2_2_057AD120
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov esp, ebp	2_2_0773F6C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D13DBA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	2_2_09D16E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D141BA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D14108
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D13D30
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D13D20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D1B860
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D14C35
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D13FE5
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D133E7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D13F44
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D1336C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D13F3E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D13ECA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D13E46
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D13E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	2_2_09D13E00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	2_2_09D16E27

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 2.2.file.exe.33522a4.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.9:49800 -> 142.251.173.109:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com

Source: Network traffic	Suricata IDS: 2810703 - Severity 2 - ETPRO MALWARE MSIL/Golroted.B or HawkEye External IP Check with minimal headers : 192.168.2.9:49750 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2810703 - Severity 2 - ETPRO MALWARE MSIL/Golroted.B or HawkEye External IP Check with minimal headers : 192.168.2.9:49756 -> 104.19.222.79:443

Source: global traffic

TCP traffic: 192.168.2.9:49800 -> 142.251.173.109:587

Source: unknown

HTTPS traffic detected: 104.19.222.79:443 -> 192.168.2.9:49756 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_030EB0B2 recv,

2_2_030EB0B2

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: vbc.exe, 00000006.00000002.1487732769.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000002.1487732769.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: 13.169.14.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: whatismyipaddress.com
Source: global traffic	DNS traffic detected: DNS query: smtp.gmail.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 17 Oct 2024 16:07:56 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffcf-mitigated: challenge

Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WindowsUpdate.exe, 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000009.00000002.1710822613.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo.com/fooT
Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000009.00000002.1710822613.00000000033BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://whatismyipaddress.com/
Source: WindowsUpdate.exe, 00000008.00000002.1603365983.00000000005CA000.00000040.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: vbc.exe, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: vbc.exe, 00000006.00000002.1487732769.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: vbc.exe, 00000006.00000002.1488452725.0000000002666000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://whatismyipaddress.com
Source: file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://whatismyipaddress.com/
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected HawkEye Keylogger

Source: Yara match	File source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 8104, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

5_2_0040AC8A

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00406069 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	5_2_00406069
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00405FC6 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	5_2_00405FC6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004072FB EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	6_2_004072FB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00407363 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	6_2_00407363

Source: Yara match	File source: 8.2.WindowsUpdate.exe.490000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1603365983.00000000005CA000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 8104, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: HawkEye Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: HawkEye Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

PE file has nameless sections

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: WindowsUpdate.exe.2.dr	Static PE information: section name:
Source: WindowsUpdate.exe.2.dr	Static PE information: section name:
Source: WindowsUpdate.exe.2.dr	Static PE information: section name:
Source: WindowsUpdate.exe.2.dr	Static PE information: section name:
Source: WindowsUpdate.exe.2.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_059F6BBE NtQuerySystemInformation,	2_2_059F6BBE
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_059F69AA NtResumeThread,	2_2_059F69AA
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_059F6A52 NtWriteVirtualMemory,	2_2_059F6A52
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_059F6B8B NtQuerySystemInformation,	2_2_059F6B8B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_059F6A25 NtWriteVirtualMemory,	2_2_059F6A25

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\assembly\Desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_054D07E8	2_2_054D07E8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_054D07F8	2_2_054D07F8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_054D03F8	2_2_054D03F8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_054D0408	2_2_054D0408
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_057A6A40	2_2_057A6A40
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_057A0070	2_2_057A0070
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_057A0047	2_2_057A0047
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0773CA38	2_2_0773CA38
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_07736C08	2_2_07736C08
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0773F008	2_2_0773F008
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0773E748	2_2_0773E748
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_07736BF8	2_2_07736BF8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_07730070	2_2_07730070
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_07730007	2_2_07730007
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00404DDB	5_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_0040BD8A	5_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00404E4C	5_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00404EBD	5_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00404F4E	5_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404419	6_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404516	6_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00413538	6_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004145A1	6_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0040E639	6_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004337AF	6_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004399B1	6_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0043DAE7	6_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00405CF6	6_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00403F85	6_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00411F99	6_2_00411F99
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004A0262	8_2_004A0262
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_02830408	8_2_02830408
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_028307E7	8_2_028307E7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_028307F8	8_2_028307F8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_028303F8	8_2_028303F8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_05756A40	8_2_05756A40
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_05750070	8_2_05750070
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_05750007	8_2_05750007
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_031D07F8	9_2_031D07F8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_031D03F8	9_2_031D03F8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_031D07EA	9_2_031D07EA
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_031D0408	9_2_031D0408
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_05756A40	9_2_05756A40
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_05750070	9_2_05750070
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_05750007	9_2_05750007

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: String function: 004944AC appears 68 times

Source: file.exe, 00000002.00000002.3832442794.000000000A060000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs file.exe
Source: file.exe, 00000002.00000002.3828060827.0000000004398000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs file.exe
Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs file.exe
Source: file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs file.exe
Source: file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs file.exe
Source: file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs file.exe
Source: file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamePhulli.exe0 vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: HawkEye date = 2015/06, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, ref = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: HawkEye date = 2015/06, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, ref = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: file.exe	Static PE information: Section: ZLIB complexity 1.0004534040178572
Source: file.exe	Static PE information: Section: ZLIB complexity 1.0003255208333333
Source: file.exe	Static PE information: Section: .data ZLIB complexity 0.9972468899880096
Source: WindowsUpdate.exe.2.dr	Static PE information: Section: ZLIB complexity 1.0004534040178572
Source: WindowsUpdate.exe.2.dr	Static PE information: Section: ZLIB complexity 1.0003255208333333
Source: WindowsUpdate.exe.2.dr	Static PE information: Section: .data ZLIB complexity 0.9972468899880096

Source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, T7K8j40yAnyj77Wa8t.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, T7K8j40yAnyj77Wa8t.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, T7K8j40yAnyj77Wa8t.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, T7K8j40yAnyj77Wa8t.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, T7K8j40yAnyj77Wa8t.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, T7K8j40yAnyj77Wa8t.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, T7K8j40yAnyj77Wa8t.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, T7K8j40yAnyj77Wa8t.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, T7K8j40yAnyj77Wa8t.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, T7K8j40yAnyj77Wa8t.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, T7K8j40yAnyj77Wa8t.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, T7K8j40yAnyj77Wa8t.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@7/7@3/3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

6_2_00415AFD

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_030EA9DA AdjustTokenPrivileges,	2_2_030EA9DA
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_030EA9A3 AdjustTokenPrivileges,	2_2_030EA9A3
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0256A9DA AdjustTokenPrivileges,	8_2_0256A9DA
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0256A9A3 AdjustTokenPrivileges,	8_2_0256A9A3
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_02AFA9DA AdjustTokenPrivileges,	9_2_02AFA9DA
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_02AFA9A3 AdjustTokenPrivileges,	9_2_02AFA9A3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

6_2_00415F87

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,

6_2_00411196

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,

5_2_0040ED0B

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\pid.txt

Jump to behavior

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

File created: C:\Users\user\AppData\Local\Temp\holdermail.txt

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe, 00000006.00000002.1488398346.000000000260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: file.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptdll.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File written: C:\Windows\assembly\Desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Automated click: OK

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: file.exe

Static file information: File size 1744384 > 1048576

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: file.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x104a00

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Windows\System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3830984984.0000000009596000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Runtime.Remoting.pdbpdbing.pdb7 source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\symbols\dll\System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbO[ source: file.exe, 00000002.00000002.3830984984.0000000009596000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\dll\System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3822570770.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: file.exe, 00000002.00000002.3828060827.0000000004398000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000008.00000002.1607673008.00000000024B6000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000008.00000002.1610567858.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, WindowsUpdate.exe, 00000008.00000002.1609878742.0000000004421000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000009.00000002.1711672680.0000000004418000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdbo source: file.exe, 00000002.00000002.3822570770.0000000000C11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbI source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: file.exe, 00000002.00000002.3832442794.000000000A060000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb0\| source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, vbc.exe, 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: file.exe, 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3825078969.0000000003307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Runtime.Remoting.pdb source: file.exe, 00000002.00000002.3825078969.0000000003300000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Runtime.Remoting.pdbc source: file.exe, 00000002.00000002.3832742558.000000000A450000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, T7K8j40yAnyj77Wa8t.cs	.Net Code: Type.GetTypeFromHandle(i6IvJQK7Bd6MyP8l2U.I0TFQV5Dk7OJU(16777365)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(i6IvJQK7Bd6MyP8l2U.I0TFQV5Dk7OJU(16777259)),Type.GetTypeFromHandle(i6IvJQK7Bd6MyP8l2U.I0TFQV5Dk7OJU(16777257))})
Source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, T7K8j40yAnyj77Wa8t.cs	.Net Code: Type.GetTypeFromHandle(i6IvJQK7Bd6MyP8l2U.I0TFQV5Dk7OJU(16777365)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(i6IvJQK7Bd6MyP8l2U.I0TFQV5Dk7OJU(16777259)),Type.GetTypeFromHandle(i6IvJQK7Bd6MyP8l2U.I0TFQV5Dk7OJU(16777257))})
Source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, T7K8j40yAnyj77Wa8t.cs	.Net Code: Type.GetTypeFromHandle(i6IvJQK7Bd6MyP8l2U.I0TFQV5Dk7OJU(16777365)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(i6IvJQK7Bd6MyP8l2U.I0TFQV5Dk7OJU(16777259)),Type.GetTypeFromHandle(i6IvJQK7Bd6MyP8l2U.I0TFQV5Dk7OJU(16777257))})
Source: 8.2.WindowsUpdate.exe.44ac610.4.raw.unpack, T7K8j40yAnyj77Wa8t.cs	.Net Code: Type.GetTypeFromHandle(i6IvJQK7Bd6MyP8l2U.I0TFQV5Dk7OJU(16777365)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(i6IvJQK7Bd6MyP8l2U.I0TFQV5Dk7OJU(16777259)),Type.GetTypeFromHandle(i6IvJQK7Bd6MyP8l2U.I0TFQV5Dk7OJU(16777257))})

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,

5_2_00403C3D

Source: WindowsUpdate.exe.2.dr	Static PE information: real checksum: 0x2ffd9 should be: 0x1b9a3e
Source: file.exe	Static PE information: real checksum: 0x2ffd9 should be: 0x1b9a3e

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: WindowsUpdate.exe.2.dr	Static PE information: section name:
Source: WindowsUpdate.exe.2.dr	Static PE information: section name:
Source: WindowsUpdate.exe.2.dr	Static PE information: section name:
Source: WindowsUpdate.exe.2.dr	Static PE information: section name:
Source: WindowsUpdate.exe.2.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_02724CB5 push ebx; retf 0001h	2_2_02724CB9
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_027305B1 push esp; retn 0001h	2_2_027305B2
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_054D6192 push esi; iretd	2_2_054D6193
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_054D3E28 push edx; retf	2_2_054D3E29
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00411879 push ecx; ret	5_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_004118A0 push eax; ret	5_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_004118A0 push eax; ret	5_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00442871 push ecx; ret	6_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00442A90 push eax; ret	6_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00442A90 push eax; ret	6_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00446E54 push eax; ret	6_2_00446E61
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0049A098 push ecx; mov dword ptr [esp], eax	8_2_0049A099
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0049A098 push ecx; mov dword ptr [esp], eax	8_2_0049A099
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0049A098 push ecx; mov dword ptr [esp], eax	8_2_0049A099
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0049A098 push ecx; mov dword ptr [esp], eax	8_2_0049A099
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00493198 push eax; ret	8_2_004931D4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0049A2C4 push ecx; mov dword ptr [esp], eax	8_2_0049A2C5
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004B135C push ecx; mov dword ptr [esp], edx	8_2_004B135E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004A9468 push ecx; mov dword ptr [esp], eax	8_2_004A9469
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004AC538 push ecx; mov dword ptr [esp], ecx	8_2_004AC53D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004A96CC push ecx; mov dword ptr [esp], edx	8_2_004A96D1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004A67E4 push 004A685Ah; ret	8_2_004A6852
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004A685C push 004A6904h; ret	8_2_004A68FC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004A98F4 push ecx; mov dword ptr [esp], edx	8_2_004A98F9
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004A6906 push 004A6A54h; ret	8_2_004A6A4C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004A7904 push 004A7951h; ret	8_2_004A7949
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0049692C push 0049697Dh; ret	8_2_00496975
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0049F98A push 0049F9FBh; ret	8_2_0049F9F3
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004A9A54 push ecx; mov dword ptr [esp], edx	8_2_004A9A59
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0049FA04 push 0049FA38h; ret	8_2_0049FA30
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004A9A10 push ecx; mov dword ptr [esp], edx	8_2_004A9A15

Source: file.exe	Static PE information: section name: entropy: 7.9969468718881
Source: file.exe	Static PE information: section name: entropy: 7.925198071277456
Source: file.exe	Static PE information: section name: entropy: 7.259464038085116
Source: file.exe	Static PE information: section name: entropy: 7.999517806191356
Source: file.exe	Static PE information: section name: .data entropy: 7.983532029632699
Source: WindowsUpdate.exe.2.dr	Static PE information: section name: entropy: 7.9969468718881
Source: WindowsUpdate.exe.2.dr	Static PE information: section name: entropy: 7.925198071277456
Source: WindowsUpdate.exe.2.dr	Static PE information: section name: entropy: 7.259464038085116
Source: WindowsUpdate.exe.2.dr	Static PE information: section name: entropy: 7.999517806191356
Source: WindowsUpdate.exe.2.dr	Static PE information: section name: .data entropy: 7.983532029632699

Source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, HGGcLEDOe2xwWaNbw7.cs	High entropy of concatenated method names: 'JBgmLHkktF', 'HXummqDCF1', 'aKPmSivMjT', 'xE3mOj5Mdi', 'aM1mvQT386', 'rKemjSFh8I', 'AStmtnmqrU', 'iLamUJS1rv', 'c2WmC7891v', 'WbTmeHsE8X'
Source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, T7K8j40yAnyj77Wa8t.cs	High entropy of concatenated method names: 'w8wF3BPTgAkh73hHNVU', 'rDkDcuPzAyjYemyQM9d', 'AKnLFIMDwh', 'Ja1D2f1t5K1dWJWko21', 'DSm5qX1plhpj1sflOgl', 'n6KOXp16IqdMmfGOGan', 'bJx63M1UwG0dUqJMf95', 'bfeD6L1JLdGDCdcqjto', 'yEakYY1lr4sMIBfeZeF', 'vIB3Er1bVPDeYRBQLHU'
Source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, Ft3NU8so0CaW6b1ZiJ.cs	High entropy of concatenated method names: 'Ft3sNU8o0', 'jaWg6b1Zi', 'OnCreateMainForm', 'mlReaYJYFj3TZPIYnG', 'WQohq56rondVgoIuAf', 'bVvw4cUxMIvo3hrv2x', 'Gx0oWWlXLE4puacaWW', 'FJvbiWbCIhtxmNXmFJ', 'J2CH4aOLrAKZDsJ4If', 'mX64njqkbMk5cSnx8c'
Source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, Form1.cs	High entropy of concatenated method names: 'WZw2DLTqd', 'Dispose', 'OtTpkAY8y', 'QQWmGrndve', 'kCYm4ayuC8', 'UnhookWindowsHookEx', 'jFyh6kd0f', 'sBs9caGTO', 'iEHyonAl8', 'ItlYZXniZ'
Source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, RunPE.cs	High entropy of concatenated method names: 'YC9gVtxKaP', 'LWGgEapB7w', 'L3kgnGhu79', 'CaXgGhbFqr', 'uZDg4Rcc8K', 'U4vgusHk1W', 'I8xgrYr8fu', 'QsEgxr4rH8', 'mdQgT0lJCs', 'PE'
Source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, VY9oZVSlHjNlxU4CoP.cs	High entropy of concatenated method names: 'OqsuS4Zoo', 'm1crVkrvA', 'Equals', 'GetHashCode', 'Epmx2fgLA', 'ToString', 'rsqsvpKhBmTs0da7Y8', 'X8leKaLuoHJYQqnAtg', 'L2UrB8aF7O4lS4KUOm', 'TefVnLQJgAIT7qYBZx'
Source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, ilZXni4ZIYHALvG1SQ.cs	High entropy of concatenated method names: 'chogwkC7rm', 'zG1gs15ZVa', 'bQXgg7mo5y', 'qDZgLguZ5M', 'G9KgOwH3XX', 'xlRgvfqwsY', 'AJXgmP3KTq', 'xWEgSMwyE8', 'WndProc', 'Finalize'
Source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, HGGcLEDOe2xwWaNbw7.cs	High entropy of concatenated method names: 'JBgmLHkktF', 'HXummqDCF1', 'aKPmSivMjT', 'xE3mOj5Mdi', 'aM1mvQT386', 'rKemjSFh8I', 'AStmtnmqrU', 'iLamUJS1rv', 'c2WmC7891v', 'WbTmeHsE8X'
Source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, T7K8j40yAnyj77Wa8t.cs	High entropy of concatenated method names: 'w8wF3BPTgAkh73hHNVU', 'rDkDcuPzAyjYemyQM9d', 'AKnLFIMDwh', 'Ja1D2f1t5K1dWJWko21', 'DSm5qX1plhpj1sflOgl', 'n6KOXp16IqdMmfGOGan', 'bJx63M1UwG0dUqJMf95', 'bfeD6L1JLdGDCdcqjto', 'yEakYY1lr4sMIBfeZeF', 'vIB3Er1bVPDeYRBQLHU'
Source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, Ft3NU8so0CaW6b1ZiJ.cs	High entropy of concatenated method names: 'Ft3sNU8o0', 'jaWg6b1Zi', 'OnCreateMainForm', 'mlReaYJYFj3TZPIYnG', 'WQohq56rondVgoIuAf', 'bVvw4cUxMIvo3hrv2x', 'Gx0oWWlXLE4puacaWW', 'FJvbiWbCIhtxmNXmFJ', 'J2CH4aOLrAKZDsJ4If', 'mX64njqkbMk5cSnx8c'
Source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, Form1.cs	High entropy of concatenated method names: 'WZw2DLTqd', 'Dispose', 'OtTpkAY8y', 'QQWmGrndve', 'kCYm4ayuC8', 'UnhookWindowsHookEx', 'jFyh6kd0f', 'sBs9caGTO', 'iEHyonAl8', 'ItlYZXniZ'
Source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, RunPE.cs	High entropy of concatenated method names: 'YC9gVtxKaP', 'LWGgEapB7w', 'L3kgnGhu79', 'CaXgGhbFqr', 'uZDg4Rcc8K', 'U4vgusHk1W', 'I8xgrYr8fu', 'QsEgxr4rH8', 'mdQgT0lJCs', 'PE'
Source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, VY9oZVSlHjNlxU4CoP.cs	High entropy of concatenated method names: 'OqsuS4Zoo', 'm1crVkrvA', 'Equals', 'GetHashCode', 'Epmx2fgLA', 'ToString', 'rsqsvpKhBmTs0da7Y8', 'X8leKaLuoHJYQqnAtg', 'L2UrB8aF7O4lS4KUOm', 'TefVnLQJgAIT7qYBZx'
Source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, ilZXni4ZIYHALvG1SQ.cs	High entropy of concatenated method names: 'chogwkC7rm', 'zG1gs15ZVa', 'bQXgg7mo5y', 'qDZgLguZ5M', 'G9KgOwH3XX', 'xlRgvfqwsY', 'AJXgmP3KTq', 'xWEgSMwyE8', 'WndProc', 'Finalize'
Source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, HGGcLEDOe2xwWaNbw7.cs	High entropy of concatenated method names: 'JBgmLHkktF', 'HXummqDCF1', 'aKPmSivMjT', 'xE3mOj5Mdi', 'aM1mvQT386', 'rKemjSFh8I', 'AStmtnmqrU', 'iLamUJS1rv', 'c2WmC7891v', 'WbTmeHsE8X'
Source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, T7K8j40yAnyj77Wa8t.cs	High entropy of concatenated method names: 'w8wF3BPTgAkh73hHNVU', 'rDkDcuPzAyjYemyQM9d', 'AKnLFIMDwh', 'Ja1D2f1t5K1dWJWko21', 'DSm5qX1plhpj1sflOgl', 'n6KOXp16IqdMmfGOGan', 'bJx63M1UwG0dUqJMf95', 'bfeD6L1JLdGDCdcqjto', 'yEakYY1lr4sMIBfeZeF', 'vIB3Er1bVPDeYRBQLHU'
Source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, Ft3NU8so0CaW6b1ZiJ.cs	High entropy of concatenated method names: 'Ft3sNU8o0', 'jaWg6b1Zi', 'OnCreateMainForm', 'mlReaYJYFj3TZPIYnG', 'WQohq56rondVgoIuAf', 'bVvw4cUxMIvo3hrv2x', 'Gx0oWWlXLE4puacaWW', 'FJvbiWbCIhtxmNXmFJ', 'J2CH4aOLrAKZDsJ4If', 'mX64njqkbMk5cSnx8c'
Source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, Form1.cs	High entropy of concatenated method names: 'WZw2DLTqd', 'Dispose', 'OtTpkAY8y', 'QQWmGrndve', 'kCYm4ayuC8', 'UnhookWindowsHookEx', 'jFyh6kd0f', 'sBs9caGTO', 'iEHyonAl8', 'ItlYZXniZ'
Source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, RunPE.cs	High entropy of concatenated method names: 'YC9gVtxKaP', 'LWGgEapB7w', 'L3kgnGhu79', 'CaXgGhbFqr', 'uZDg4Rcc8K', 'U4vgusHk1W', 'I8xgrYr8fu', 'QsEgxr4rH8', 'mdQgT0lJCs', 'PE'
Source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, VY9oZVSlHjNlxU4CoP.cs	High entropy of concatenated method names: 'OqsuS4Zoo', 'm1crVkrvA', 'Equals', 'GetHashCode', 'Epmx2fgLA', 'ToString', 'rsqsvpKhBmTs0da7Y8', 'X8leKaLuoHJYQqnAtg', 'L2UrB8aF7O4lS4KUOm', 'TefVnLQJgAIT7qYBZx'
Source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, ilZXni4ZIYHALvG1SQ.cs	High entropy of concatenated method names: 'chogwkC7rm', 'zG1gs15ZVa', 'bQXgg7mo5y', 'qDZgLguZ5M', 'G9KgOwH3XX', 'xlRgvfqwsY', 'AJXgmP3KTq', 'xWEgSMwyE8', 'WndProc', 'Finalize'
Source: 8.2.WindowsUpdate.exe.44ac610.4.raw.unpack, HGGcLEDOe2xwWaNbw7.cs	High entropy of concatenated method names: 'JBgmLHkktF', 'HXummqDCF1', 'aKPmSivMjT', 'xE3mOj5Mdi', 'aM1mvQT386', 'rKemjSFh8I', 'AStmtnmqrU', 'iLamUJS1rv', 'c2WmC7891v', 'WbTmeHsE8X'
Source: 8.2.WindowsUpdate.exe.44ac610.4.raw.unpack, T7K8j40yAnyj77Wa8t.cs	High entropy of concatenated method names: 'w8wF3BPTgAkh73hHNVU', 'rDkDcuPzAyjYemyQM9d', 'AKnLFIMDwh', 'Ja1D2f1t5K1dWJWko21', 'DSm5qX1plhpj1sflOgl', 'n6KOXp16IqdMmfGOGan', 'bJx63M1UwG0dUqJMf95', 'bfeD6L1JLdGDCdcqjto', 'yEakYY1lr4sMIBfeZeF', 'vIB3Er1bVPDeYRBQLHU'
Source: 8.2.WindowsUpdate.exe.44ac610.4.raw.unpack, Ft3NU8so0CaW6b1ZiJ.cs	High entropy of concatenated method names: 'Ft3sNU8o0', 'jaWg6b1Zi', 'OnCreateMainForm', 'mlReaYJYFj3TZPIYnG', 'WQohq56rondVgoIuAf', 'bVvw4cUxMIvo3hrv2x', 'Gx0oWWlXLE4puacaWW', 'FJvbiWbCIhtxmNXmFJ', 'J2CH4aOLrAKZDsJ4If', 'mX64njqkbMk5cSnx8c'
Source: 8.2.WindowsUpdate.exe.44ac610.4.raw.unpack, Form1.cs	High entropy of concatenated method names: 'WZw2DLTqd', 'Dispose', 'OtTpkAY8y', 'QQWmGrndve', 'kCYm4ayuC8', 'UnhookWindowsHookEx', 'jFyh6kd0f', 'sBs9caGTO', 'iEHyonAl8', 'ItlYZXniZ'
Source: 8.2.WindowsUpdate.exe.44ac610.4.raw.unpack, RunPE.cs	High entropy of concatenated method names: 'YC9gVtxKaP', 'LWGgEapB7w', 'L3kgnGhu79', 'CaXgGhbFqr', 'uZDg4Rcc8K', 'U4vgusHk1W', 'I8xgrYr8fu', 'QsEgxr4rH8', 'mdQgT0lJCs', 'PE'
Source: 8.2.WindowsUpdate.exe.44ac610.4.raw.unpack, VY9oZVSlHjNlxU4CoP.cs	High entropy of concatenated method names: 'OqsuS4Zoo', 'm1crVkrvA', 'Equals', 'GetHashCode', 'Epmx2fgLA', 'ToString', 'rsqsvpKhBmTs0da7Y8', 'X8leKaLuoHJYQqnAtg', 'L2UrB8aF7O4lS4KUOm', 'TefVnLQJgAIT7qYBZx'
Source: 8.2.WindowsUpdate.exe.44ac610.4.raw.unpack, ilZXni4ZIYHALvG1SQ.cs	High entropy of concatenated method names: 'chogwkC7rm', 'zG1gs15ZVa', 'bQXgg7mo5y', 'qDZgLguZ5M', 'G9KgOwH3XX', 'xlRgvfqwsY', 'AJXgmP3KTq', 'xWEgSMwyE8', 'WndProc', 'Finalize'

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Changes the view of files in windows explorer (hidden files and folders)

Source: C:\Users\user\Desktop\file.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_0040F64B

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: file.exe PID: 7556, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 3170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5310000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 25B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 28D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 2B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 5390000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 558	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 947	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 973	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 5689	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Window / User API: threadDelayed 758	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7588	Thread sleep time: -947000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7616	Thread sleep time: -973000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7848	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7852	Thread sleep time: -140000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 8064	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 8072	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 8072	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 8072	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7588	Thread sleep time: -5689000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 8072	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 8108	Thread sleep count: 188 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 8168	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 8136	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 1172	Thread sleep count: 758 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,	5_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,	6_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,	6_2_00407E0E

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_059F7442 GetSystemInfo,

2_2_059F7442

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 140000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: WindowsUpdate.exe, 00000008.00000002.1607370163.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: WindowsUpdate.exe, 00000008.00000002.1603365983.00000000005CA000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: JwaWinBase]DLL_Loader_VirtualMachine(Win32TypesfZ
Source: WindowsUpdate.exe, 00000008.00000002.1603365983.0000000000490000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: VBoxService.exe
Source: WindowsUpdate.exe, WindowsUpdate.exe, 00000008.00000002.1603365983.00000000005B2000.00000040.00000001.01000000.0000000C.sdmp, WindowsUpdate.exe, 00000008.00000002.1603365983.00000000005CA000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: file.exe, 00000002.00000002.3822570770.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: WindowsUpdate.exe, WindowsUpdate.exe, 00000008.00000002.1603365983.00000000005B2000.00000040.00000001.01000000.0000000C.sdmp, WindowsUpdate.exe, 00000008.00000002.1603365983.00000000005CA000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: WindowsUpdate.exe, 00000008.00000002.1603365983.0000000000490000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: VMWare
Source: WindowsUpdate.exe, 00000008.00000002.1603365983.00000000005B2000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: WindowsUpdate.exe, 00000009.00000002.1705391816.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,

5_2_00403C3D

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_02733F39 mov eax, dword ptr fs:[00000030h]	2_2_02733F39
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_02733F39 mov eax, dword ptr fs:[00000030h]	2_2_02733F39
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_02723F8A mov eax, dword ptr fs:[00000030h]	8_2_02723F8A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_02723F8A mov eax, dword ptr fs:[00000030h]	8_2_02723F8A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_02723F88 mov eax, dword ptr fs:[00000030h]	8_2_02723F88
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_02723F88 mov eax, dword ptr fs:[00000030h]	8_2_02723F88
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_02933F90 mov eax, dword ptr fs:[00000030h]	9_2_02933F90
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_02933F90 mov eax, dword ptr fs:[00000030h]	9_2_02933F90

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 2.2.file.exe.33522a4.0.raw.unpack, CMemoryExecute.cs	.Net Code: Run contains injection code
Source: 2.2.file.exe.a060000.7.raw.unpack, CMemoryExecute.cs	.Net Code: Run contains injection code
Source: 2.2.file.exe.5c463a1.6.raw.unpack, CMemoryExecute.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 2.2.file.exe.33522a4.0.raw.unpack, CMemoryExecute.cs	Reference to suspicious API methods: VirtualAllocEx((IntPtr)array4[0], intPtr, (uint)(ptr2 + 80), 12288u, 64u)
Source: 2.2.file.exe.33522a4.0.raw.unpack, CMemoryExecute.cs	Reference to suspicious API methods: NtWriteVirtualMemory((IntPtr)array4[0], intPtr, (IntPtr)ptr5, (uint)(ptr2 + 84), IntPtr.Zero)
Source: 2.2.file.exe.33522a4.0.raw.unpack, CMemoryExecute.cs	Reference to suspicious API methods: NtSetContextThread((IntPtr)array4[1], (IntPtr)ptr4)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\file.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

6_2_0041604B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

5_2_0040724C

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_00406278 GetVersionExA,

5_2_00406278

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe, 00000002.00000002.3822570770.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected HawkEye Keylogger

Source: Yara match	File source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 8104, type: MEMORYSTR

Yara detected MailPassView

Source: Yara match	File source: 2.2.file.exe.5c47da6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.5c47da6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.4313248.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.5c463a1.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.4313248.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.5bf0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.5bf053c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.5bf0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7944, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 8.2.WindowsUpdate.exe.24b6f16.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.4424140.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.55b0ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.4423258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.44ac610.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.55b0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.55b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.5520000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.44ac610.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.4423258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.4424140.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1607673008.00000000024B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1610567858.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1610355342.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1609878742.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword	5_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword	5_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: ESMTPPassword	5_2_004033D7

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.4313248.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.432b468.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.5bf053c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.5bf0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.432b468.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.5bf053c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.5bf0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7968, type: MEMORYSTR

Remote Access Functionality

Detected HawkEye Rat

Source: file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \pidloc.txt HawkEyeKeylogger
Source: file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Installed Firewall: LHawkEye_Keylogger_Execution_Confirmed_
Source: file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ==============================================DHawkEye_Keylogger_Stealer_Records_LHawkEye Keylogger \| Stealer Records \|
Source: file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .jpegBHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \pidloc.txt HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Installed Firewall: LHawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ==============================================DHawkEye_Keylogger_Stealer_Records_LHawkEye Keylogger \| Stealer Records \|
Source: WindowsUpdate.exe, 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .jpegBHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000009.00000002.1710822613.00000000033BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .jpegBHawkEye_Keylogger_Keylog_Records_

Yara detected HawkEye Keylogger

Source: Yara match	File source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 8104, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 8.2.WindowsUpdate.exe.24b6f16.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.4424140.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.55b0ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.5520000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.4423258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.24b6f16.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.55b0ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.44ac610.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.55b0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.55b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.5520000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.44ac610.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.4423258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.4424140.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1607673008.00000000024B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1610567858.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1610355342.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1609878742.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_059F1B0A bind,	2_2_059F1B0A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_059F1AD7 bind,	2_2_059F1AD7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_05861C32 bind,	8_2_05861C32
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0586186A listen,	8_2_0586186A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_05861BFF bind,	8_2_05861BFF
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0586182C listen,	8_2_0586182C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_03371C32 bind,	9_2_03371C32
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_0337186A listen,	9_2_0337186A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_0337182C listen,	9_2_0337182C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_03371BFF bind,	9_2_03371BFF

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	21 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	2 Credentials in Registry	1 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	Logon Script (Windows)	511 Process Injection	4 Obfuscated Files or Information	1 Credentials In Files	1 Account Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	28 System Information Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	14 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	241 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	151 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	511 Process Injection	/etc/passwd and /etc/shadow	2 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	68%	ReversingLabs	Win32.Trojan.Malgent
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	68%	ReversingLabs	Win32.Trojan.Malgent

Source	Detection	Scanner	Label	Link
https://login.yahoo.com/config/login	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
whatismyipaddress.com	104.19.222.79	true	false	unknown
s-part-0036.t-0009.t-msedge.net	13.107.246.64	true	false	unknown
smtp.gmail.com	142.251.173.109	true	false	unknown
13.169.14.0.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://whatismyipaddress.com/	false		unknown
http://whatismyipaddress.com/	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com/accounts/servicelogin	vbc.exe	false		unknown
https://login.yahoo.com/config/login	vbc.exe	false	URL Reputation: safe	unknown
https://whatismyipaddress.com	file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.site.com/logs.php	file.exe, 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.nirsoft.net/	vbc.exe, vbc.exe, 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://www.enigmaprotector.com/	WindowsUpdate.exe, 00000008.00000002.1603365983.00000000005CA000.00000040.00000001.01000000.0000000C.sdmp	false		unknown
http://foo.com/fooT	WindowsUpdate.exe, 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000009.00000002.1710822613.0000000003400000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.19.222.79	whatismyipaddress.com	United States		13335	CLOUDFLARENETUS	false
142.251.173.109	smtp.gmail.com	United States		15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1536228
Start date and time:	2024-10-17 18:06:52 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@7/7@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 74% Number of executed functions: 422 Number of non-executed functions: 226
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
12:07:55	API Interceptor	5611146x Sleep call for process: file.exe modified
17:07:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
17:08:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0036.t-0009.t-msedge.net	https://t.ly/k1aDE	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.64
	https://pg9t70xx.r.us-east-1.awstrack.me/L0/https:%2F%2Fjustworks.app.link%2F%3F%24deeplink_path=%2Falerts%2Ftime_off_requests%2F13a6b7f0-b2ae-4165-87b0-da6673653a54%26%24fallback_url=http%253A%252F%252Fwww.google.com.sg%252Furl%253Fsa%253Dt%2526esrc%253DYUM58NDu%2526source%253D%2526rct%253D304J%2526%2526cd%253D256Du%2526uact%2526url%253Damp%252Fs%252F%2573%2579%2573%2562%2569%257A%257A%252E%2569%256E%252F%252E%2564%2572%2565%256E%2574%256F%2570%252F%23dm1hbnRocmlwcmFnYWRhQG1vbnRyb3NlLWVudi5jb20=/1/0100019291d15735-3d3bd509-ef84-4bb4-a854-1b8c9d0b05f9-000000/-gk1ZN3uoUfApTKZkXOmptm9MGY=396	Get hash	malicious	Unknown	Browse	13.107.246.64
	Swift Payment 20241014839374.vbs	Get hash	malicious	Remcos	Browse	13.107.246.64
	https://mariomuka.com/m/?c3Y9bzM2NV8xX3NwJnJhbmQ9YWpseE1GRT0mdWlkPVVTRVIwMTEwMjAyNFU0MjEwMDEzNA=#dkrasner@summitbhc.com	Get hash	malicious	Mamba2FA	Browse	13.107.246.64
	2ruQ74RStY.jar	Get hash	malicious	Branchlock Obfuscator	Browse	13.107.246.64
	https://9x.now.sh/CEqL	Get hash	malicious	Unknown	Browse	13.107.246.64
	http://msecompanystore.com	Get hash	malicious	Unknown	Browse	13.107.246.64
	SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Get hash	malicious	Unknown	Browse	13.107.246.64
	http://dat2.store	Get hash	malicious	Unknown	Browse	13.107.246.64
	http://host.cloudsonicwave.com	Get hash	malicious	Unknown	Browse	13.107.246.64
whatismyipaddress.com	HqvlYZC7Gf.exe	Get hash	malicious	Unknown	Browse	104.19.223.79

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Smalsporede.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	phish_alert_iocp_v1.4.48.eml	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://newsletter.yuppiechef.com/m/b22fbc43-5c9b-4512-8142-73d63b4fca71/ed8a7a2a-af07-4e9a-b6ac-66041aa91f60/0?url=https://deevapayon.com/wp-admin/includes/redirect#bWFyay5sZXdpc0Bsb2dpY2FsaXMuY29t?	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	r0000000NT_PDF.exe	Get hash	malicious	FormBook	Browse	104.21.5.125
	rJustificantedepago.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	1xWa9IgItt.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	spc.elf	Get hash	malicious	Mirai	Browse	104.24.135.190
	https://myabd.co.uk/main/arull.php?7088797967704b53693230746376534d744a54552f5654556f745373777631697371316263494d676b7831516341example.test@test.com	Get hash	malicious	Unknown	Browse	104.18.95.41
	http://www.fcc-movil.com/80th/enphem1sX2F0dG9ybmV5YXpAZmQub3Jn	Get hash	malicious	Phisher	Browse	104.26.12.31

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	rJustificantedepago.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.19.222.79
	New Order_Purchase_202401017.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.19.222.79
	taskhostws.exe	Get hash	malicious	Snake Keylogger	Browse	104.19.222.79
	PO-94858.exe	Get hash	malicious	Snake Keylogger	Browse	104.19.222.79
	wethinkaboutthegreatsolutionforgreat.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	104.19.222.79
	PO-94858.exe	Get hash	malicious	Snake Keylogger	Browse	104.19.222.79
	SecuriteInfo.com.Win32.PWSX-gen.2892.1397.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.19.222.79
	SecuriteInfo.com.Win32.PWSX-gen.5562.5412.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.19.222.79
	Bestireno Transformados SL PEDIDO 268884.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.19.222.79
	Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.19.222.79

Process:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	916
Entropy (8bit):	5.257493803038381
Encrypted:	false
SSDEEP:	24:MLF2CpI329Iz52VMzffup2xAW2yAP26KTnKoO2+Z:MwQd9IzoaXuYxAJyAO6Ux+Z
MD5:	C09696D8391C9C603B234E1FFB496B72
SHA1:	16A627426F3432CEDFE3D6DAA1C7EE4ECA7B9208
SHA-256:	186CD2388E4FBCE6CE5CBDDC0A1ED90CB6CF18F56AC848455499CE2CCA5D8BD4
SHA-512:	99C795D50BE5FFD888BA0B3F24BA4DEF2C11011F6895A367273754130CDD987AE7321AE6D4B0977DB2B4A7BFF00E55A1450E8601C47D7D762AB2E776876C4554
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\850f3779d965bb8ff060698f13ee7ea0\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\53992d421e2c7ecf6609c62b3510a6f0\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\holderwb.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1744384
Entropy (8bit):	7.990148903640185
Encrypted:	true
SSDEEP:	49152:cpc6JirvEsh7B4/6LXhzmgvznCZzzg0zsYv:cp0rvdh7Sm1Pwzzg0zsY
MD5:	CCB3B74D378733C21FC584875B5A8B07
SHA1:	6779B4D3CFFF750EEEEBA77EC7ABF4E206CC3931
SHA-256:	0B1FADC136B71D5961664A2A1DC8E340C28324D3D8637667F1280BEE4C3D12DB
SHA-512:	AB0739B93D6DB261CFB6A1EA0EFC759EAC6F883BA06DD2CA516BB9415A022215A1B35CCB5BAC0C5B90D37878E509E0BB4DA4645C312305B03A957B5BF61D2D58
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8...8...8.m.8...8...8..8...8...8...8#..8...8...8Rich...8........PE..L...!.._..........#...............................@...........................C..............................................P3.L.......L2.............................................................................................................................................@............p.......:..................@............@... ......................@............`...`...`...&..............@....rsrc....@.......4..................@............P*.........................@....data....P...P3..J...T..............@...........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\pid.txt

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:jGn:y
MD5:	116CE3668C6D5C744252B9A1CB67B8D4
SHA1:	EEED2727F534B11536A2AD31F921D9093CB8EC5C
SHA-256:	361736A1EEA9BFFB2B5B83743DC051491462F8FEDCA2D58CF251D6FF0F917EF1
SHA-512:	2BA017F8D36415E700ACEB378B92569216464F7649F82C20B6D5CC689DD743592A7B7F2794CEF31F18B203AFA7CC1036F1AF867BB168D7A93C70A9FC6D80D607
Malicious:	false
Reputation:	low
Preview:	7556

C:\Users\user\AppData\Roaming\pidloc.txt

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.9614063297218425
Encrypted:	false
SSDEEP:	3:oNqLED9J:oNqLExJ
MD5:	46AAE1E7B5C37C7351D935ADEF830CEA
SHA1:	BA892770E3559A6486A0C119E079B259DA8330E7
SHA-256:	1EEB76268B42F87AB1B4FF0E23A7F7D942DB59CE5A14FA179F8CF706A82B3107
SHA-512:	B3CB03D4F1576269D1572D36D06F5EA2FA081BAEE10E7019D2D33BEDC135FDBD5A57C7BCF3DC0D39A0297106E0832A5A8F0C1566F3B65BBD6486C70EB433E65F
Malicious:	false
Preview:	C:\Users\user\Desktop\file.exe

C:\Windows\assembly\Desktop.ini

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Windows desktop.ini
Category:	dropped
Size (bytes):	227
Entropy (8bit):	5.2735028737400205
Encrypted:	false
SSDEEP:	6:a1eZBXVNYTF0NwoScUbtSgyAXIWv7v5PMKq:UeZBFNYTswUq1r5zq
MD5:	F7F759A5CD40BC52172E83486B6DE404
SHA1:	D74930F354A56CFD03DC91AA96D8AE9657B1EE54
SHA-256:	A709C2551B8818D7849D31A65446DC2F8C4CCA2DCBBC5385604286F49CFDAF1C
SHA-512:	A50B7826BFE72506019E4B1148A214C71C6F4743C09E809EF15CD0E0223F3078B683D203200910B07B5E1E34B94F0FE516AC53527311E2943654BFCEADE53298
Malicious:	false
Preview:	; ==++==..; ..; Copyright (c) Microsoft Corporation. All rights reserved...; ..; ==--==..[.ShellClassInfo]..CLSID={1D2680C9-0E2A-469d-B787-065558BC7D43}..ConfirmFileOp=1..InfoTip=Contains application stability information...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.990148903640185
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'744'384 bytes
MD5:	ccb3b74d378733c21fc584875b5a8b07
SHA1:	6779b4d3cfff750eeeeba77ec7abf4e206cc3931
SHA256:	0b1fadc136b71d5961664a2a1dc8e340c28324d3d8637667f1280bee4c3d12db
SHA512:	ab0739b93d6db261cfb6a1ea0efc759eac6f883ba06dd2ca516bb9415a022215a1b35ccb5bac0c5b90d37878e509e0bb4da4645c312305b03a957b5bf61d2d58
SSDEEP:	49152:cpc6JirvEsh7B4/6LXhzmgvznCZzzg0zsYv:cp0rvdh7Sm1Pwzzg0zsY
TLSH:	6185337BA5AEFFD4E53211B4777703C0E5276C090896AADCB8C8B10490FC91BB5266DE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8...8...8.m.8...8...8...8...8...8...8#..8...8...8Rich...8........PE..L...!.._..........#........................

File Icon


Icon Hash:	4545545454545501

Static PE Info

General

Entrypoint:	0x40d810
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5FD40A21 [Sat Dec 12 00:09:05 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	2edb88f7689ca448e9a88dda8c785c3c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00401000h
call 00007F35712D73E6h
call far 5DE5h : 8B10C483h
jmp 00007F3571701A85h
les esp, fword ptr [edi]
jnc 00007F35712D7370h
jle 00007F35712D740Ch
fcom st(0), st(7)
add ah, byte ptr [ebx]
outsd
or ebp, dword ptr [76EE37CBh]
imul ebx, dword ptr fs:[edi-74h], 0209941Bh
mov dh, F5h
xchg byte ptr [ecx+esi*2+53F103C3h], ah
wait
adc dl, byte ptr [edi-67h]
xchg eax, edx
dec eax
or eax, dword ptr [ebp+1E47550Eh]
push ecx
jl 00007F35712D73D4h
jnle 00007F35712D7457h
fucomip st(0), st(2)
test dword ptr [ebp+72898C98h], eax
xor dword ptr [edx], F9A2559Ch
jp 00007F35712D73D7h
add al, 35h
xchg eax, edx
mov al, byte ptr [73D70BEEh]

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ C ] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x335000	0x24c	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x324c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1b1d0	0x1c
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x1a000	0xe000	7d0c482b31737e8bb97281e6b0452ffa	False	1.0004534040178572	data	7.9969468718881	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x1b000	0x7000	0x3a00	19fc88db3cc01dcb0836d8dddb06cb2e	False	0.9739358836206896	data	7.925198071277456	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x22000	0x4000	0x800	f5f7bd7c26b45ba1f1a2ab0cce8d0e00	False	0.876953125	data	7.259464038085116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x26000	0x66000	0x66000	a77d70086e722512dbd1ddac07e13b68	False	1.0003255208333333	data	7.999517806191356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8c000	0x4000	0x3400	6d43bc4601434fd0cba88e38faa0d160	False	0.10561899038461539	data	3.5463151796567316	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x90000	0x2a5000	0x29a00	e76ce3431682f34c2c0205ada90c9ea6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x335000	0x105000	0x104a00	219561a42605e5b5d48bb21703f5e925	False	0.9972468899880096	data	7.983532029632699	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8c2d4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	0.11559139784946236
RT_ICON	0x8c5bc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	0.28040540540540543
RT_ICON	0x8c6e4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.04016245487364621
RT_ICON	0x8cf8c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.05708092485549133
RT_ICON	0x8d4f4	0x353	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.2608695652173913
RT_ICON	0x8d848	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.020872420262664164
RT_ICON	0x8e8f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.05851063829787234
RT_RCDATA	0x28d58	0x62bea	data	1.0003238902432392
RT_RCDATA	0x8b944	0x20	data	1.34375
RT_GROUP_ICON	0x8ed58	0x68	data	0.7019230769230769
RT_VERSION	0x8edc0	0x2a0	data	0.44494047619047616
RT_MANIFEST	0x8f060	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
ole32.dll	OleInitialize
mscoree.dll	CorBindToRuntimeEx

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-17T18:07:55.724088+0200	2810703	ETPRO MALWARE MSIL/Golroted.B or HawkEye External IP Check with minimal headers	2	192.168.2.9	49750	104.19.222.79	80	TCP
2024-10-17T18:07:56.692825+0200	2810703	ETPRO MALWARE MSIL/Golroted.B or HawkEye External IP Check with minimal headers	2	192.168.2.9	49756	104.19.222.79	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 17, 2024 18:07:54.756500959 CEST	49750	80	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:54.761374950 CEST	80	49750	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:54.761879921 CEST	49750	80	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:54.762948036 CEST	49750	80	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:54.767765045 CEST	80	49750	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:55.722630978 CEST	80	49750	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:55.724026918 CEST	80	49750	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:55.724087954 CEST	49750	80	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:55.735879898 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:55.735908031 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:55.736002922 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:55.750036955 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:55.750056028 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.447290897 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.447381020 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:56.456578016 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:56.456614017 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.457031012 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.500895977 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:56.546197891 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:56.591403961 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.692836046 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.692960024 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.693001986 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.693025112 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:56.693028927 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.693042994 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.693092108 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:56.693100929 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.693269014 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:56.693387985 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.693588018 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.694058895 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:56.694072008 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.697993994 CEST	443	49756	104.19.222.79	192.168.2.9
Oct 17, 2024 18:07:56.698128939 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:07:56.702236891 CEST	49756	443	192.168.2.9	104.19.222.79
Oct 17, 2024 18:08:05.233905077 CEST	49750	80	192.168.2.9	104.19.222.79
Oct 17, 2024 18:08:05.246896982 CEST	80	49750	104.19.222.79	192.168.2.9
Oct 17, 2024 18:08:05.247008085 CEST	49750	80	192.168.2.9	104.19.222.79
Oct 17, 2024 18:08:05.248801947 CEST	49800	587	192.168.2.9	142.251.173.109
Oct 17, 2024 18:08:05.253662109 CEST	587	49800	142.251.173.109	192.168.2.9
Oct 17, 2024 18:08:05.253751040 CEST	49800	587	192.168.2.9	142.251.173.109
Oct 17, 2024 18:08:05.384062052 CEST	49800	587	192.168.2.9	142.251.173.109
Oct 17, 2024 18:08:05.394619942 CEST	587	49800	142.251.173.109	192.168.2.9
Oct 17, 2024 18:08:05.394674063 CEST	49800	587	192.168.2.9	142.251.173.109

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 17, 2024 18:07:54.662547112 CEST	64259	53	192.168.2.9	1.1.1.1
Oct 17, 2024 18:07:54.669775963 CEST	53	64259	1.1.1.1	192.168.2.9
Oct 17, 2024 18:07:54.733587980 CEST	52541	53	192.168.2.9	1.1.1.1
Oct 17, 2024 18:07:54.740287066 CEST	53	52541	1.1.1.1	192.168.2.9
Oct 17, 2024 18:08:05.233910084 CEST	57160	53	192.168.2.9	1.1.1.1
Oct 17, 2024 18:08:05.248008966 CEST	53	57160	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 17, 2024 18:07:54.662547112 CEST	192.168.2.9	1.1.1.1	0x3f83	Standard query (0)	13.169.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 17, 2024 18:07:54.733587980 CEST	192.168.2.9	1.1.1.1	0x9b96	Standard query (0)	whatismyipaddress.com	A (IP address)	IN (0x0001)	false
Oct 17, 2024 18:08:05.233910084 CEST	192.168.2.9	1.1.1.1	0x6648	Standard query (0)	smtp.gmail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 17, 2024 18:07:42.327053070 CEST	1.1.1.1	192.168.2.9	0x95c9	No error (0)	shed.dual-low.s-part-0036.t-0009.t-msedge.net	s-part-0036.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 17, 2024 18:07:42.327053070 CEST	1.1.1.1	192.168.2.9	0x95c9	No error (0)	s-part-0036.t-0009.t-msedge.net		13.107.246.64	A (IP address)	IN (0x0001)	false
Oct 17, 2024 18:07:54.669775963 CEST	1.1.1.1	192.168.2.9	0x3f83	Name error (3)	13.169.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 17, 2024 18:07:54.740287066 CEST	1.1.1.1	192.168.2.9	0x9b96	No error (0)	whatismyipaddress.com		104.19.222.79	A (IP address)	IN (0x0001)	false
Oct 17, 2024 18:07:54.740287066 CEST	1.1.1.1	192.168.2.9	0x9b96	No error (0)	whatismyipaddress.com		104.19.223.79	A (IP address)	IN (0x0001)	false
Oct 17, 2024 18:08:05.248008966 CEST	1.1.1.1	192.168.2.9	0x6648	No error (0)	smtp.gmail.com		142.251.173.109	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

whatismyipaddress.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49750	104.19.222.79	80	7556	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 17, 2024 18:07:54.762948036 CEST	71	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Oct 17, 2024 18:07:55.722630978 CEST	779	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 17 Oct 2024 16:07:55 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Thu, 17 Oct 2024 17:07:55 GMT Location: https://whatismyipaddress.com/ Set-Cookie: __cf_bm=8I3pZ_4VrsoeIC1kjFU8GNAVHDsO3m5toe3.TLcTCCY-1729181275-1.0.1.1-IsdmMc1jXU6ukZFB9jqOqqCIyPsgYw69O9SfBYvoCfrXqLkQGKIuP6DQPg6LqWsf5JsYC3_qj3TDYSq3StQ0nw; path=/; expires=Thu, 17-Oct-24 16:37:55 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d418b5abd4b0bff-DFW alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Oct 17, 2024 18:07:55.724026918 CEST	779	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 17 Oct 2024 16:07:55 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Thu, 17 Oct 2024 17:07:55 GMT Location: https://whatismyipaddress.com/ Set-Cookie: __cf_bm=8I3pZ_4VrsoeIC1kjFU8GNAVHDsO3m5toe3.TLcTCCY-1729181275-1.0.1.1-IsdmMc1jXU6ukZFB9jqOqqCIyPsgYw69O9SfBYvoCfrXqLkQGKIuP6DQPg6LqWsf5JsYC3_qj3TDYSq3StQ0nw; path=/; expires=Thu, 17-Oct-24 16:37:55 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d418b5abd4b0bff-DFW alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49756	104.19.222.79	443	7556	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-17 16:07:56 UTC	71	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
2024-10-17 16:07:56 UTC	1256	IN	HTTP/1.1 403 Forbidden Date: Thu, 17 Oct 2024 16:07:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff cf-mitigated: challenge
2024-10-17 16:07:56 UTC	700	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 53 4b 77 54 41 52 47 31 66 54 4b 73 5a 71 57 4e 68 37 58 4d 57 30 35 79 46 6b 36 66 69 70 36 76 4a 66 67 6e 38 2f 37 6e 6a 4e 79 31 76 37 48 30 41 36 33 55 6b 74 78 6c 4b 53 74 64 42 33 71 36 72 78 43 67 69 32 76 36 7a 62 65 37 63 6e 44 55 65 52 72 44 44 32 63 59 4a 59 59 70 43 36 45 62 4d 67 4f 75 38 38 31 4c 49 48 54 45 7a 4d 51 4d 72 64 47 4d 45 54 2b 79 6e 42 34 30 35 42 66 59 77 37 35 71 73 52 4e 57 54 7a 38 34 75 77 5a 62 77 44 59 55 55 51 3d 3d 24 59 61 62 66 32 4e 33 63 76 34 35 65 72 70 54 4a 48 77 74 6b 6e 51 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: SKwTARG1fTKsZqWNh7XMW05yFk6fip6vJfgn8/7njNy1v7H0A63UktxlKStdB3q6rxCgi2v6zbe7cnDUeRrDD2cYJYYpC6EbMgOu881LIHTEzMQMrdGMET+ynB405BfYw75qsRNWTz84uwZbwDYUUQ==$Yabf2N3cv45erpTJHwtknQ==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-10-17 16:07:56 UTC	1369	IN	Data Raw: 32 33 63 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d Data Ascii: 23cc<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name=
2024-10-17 16:07:56 UTC	1369	IN	Data Raw: 75 4d 7a 67 34 4c 6a 51 77 4e 79 34 7a 4f 44 6b 75 4e 44 41 33 4c 6a 6b 35 4e 43 41 77 49 43 34 31 4f 54 59 74 4c 6a 51 77 4e 79 34 35 4f 44 51 74 4c 6a 4d 35 4e 79 34 7a 4f 53 30 78 4c 6a 41 31 4e 79 34 7a 4f 44 6b 74 4c 6a 59 31 49 44 41 74 4d 53 34 77 4e 54 59 74 4c 6a 4d 34 4f 53 30 75 4d 7a 6b 34 4c 53 34 7a 4f 44 6b 74 4c 6a 4d 35 4f 43 30 75 4f 54 67 30 49 44 41 74 4c 6a 55 35 4e 79 34 7a 4f 54 67 74 4c 6a 6b 34 4e 53 34 30 4d 44 59 74 4c 6a 4d 35 4e 79 41 78 4c 6a 41 31 4e 69 30 75 4d 7a 6b 33 49 69 38 2b 50 43 39 7a 64 6d 63 2b 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 6e 6f 2d 72 65 70 65 61 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 63 6f 6e 74 61 69 6e 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 33 34 70 78 7d 40 6d Data Ascii: uMzg4LjQwNy4zODkuNDA3Ljk5NCAwIC41OTYtLjQwNy45ODQtLjM5Ny4zOS0xLjA1Ny4zODktLjY1IDAtMS4wNTYtLjM4OS0uMzk4LS4zODktLjM5OC0uOTg0IDAtLjU5Ny4zOTgtLjk4NS40MDYtLjM5NyAxLjA1Ni0uMzk3Ii8+PC9zdmc+);background-repeat:no-repeat;background-size:contain;padding-left:34px}@m
2024-10-17 16:07:56 UTC	1369	IN	Data Raw: 63 37 45 6d 7a 74 36 79 71 73 61 6c 73 75 37 39 4d 53 74 41 30 7a 65 6e 30 67 33 41 6a 76 6f 64 55 77 70 79 2e 6a 58 64 39 64 69 50 6f 2e 57 70 46 5f 71 62 4c 75 6b 54 46 2e 33 52 67 72 42 45 64 6d 58 4b 6d 74 58 55 6f 63 58 63 69 74 72 78 75 58 6c 59 6b 5a 6b 4e 4d 74 71 78 70 4b 7a 54 76 50 34 6f 45 70 69 64 70 5a 4c 46 57 64 64 6c 4a 30 57 42 32 38 42 47 63 50 6a 37 34 34 6d 49 65 5f 57 5f 39 6c 68 57 51 51 6a 6c 44 53 4d 31 35 77 55 6a 51 64 4a 69 6e 6d 58 4b 6c 35 59 59 55 32 58 7a 51 52 6f 51 30 7a 76 51 63 6d 4b 4e 65 36 75 47 4b 6e 77 6b 6b 39 66 59 33 63 53 4d 58 77 70 48 6d 51 5f 4c 53 6e 72 62 65 68 42 36 71 34 65 5f 6e 34 72 31 4d 2e 5f 39 46 43 72 79 2e 4d 69 66 6c 54 77 38 74 77 74 41 56 74 72 32 59 46 6b 45 72 62 78 6a 71 36 61 39 5f 4d 33 Data Ascii: c7Emzt6yqsalsu79MStA0zen0g3AjvodUwpy.jXd9diPo.WpF_qbLukTF.3RgrBEdmXKmtXUocXcitrxuXlYkZkNMtqxpKzTvP4oEpidpZLFWddlJ0WB28BGcPj744mIe_W_9lhWQQjlDSM15wUjQdJinmXKl5YYU2XzQRoQ0zvQcmKNe6uGKnwkk9fY3cSMXwpHmQ_LSnrbehB6q4e_n4r1M._9FCry.MiflTw8twtAVtr2YFkErbxjq6a9_M3
2024-10-17 16:07:56 UTC	1369	IN	Data Raw: 72 42 37 76 6a 64 50 48 4d 67 76 6b 4d 71 74 43 56 4f 67 39 4a 42 56 2e 31 75 38 5a 4e 47 4c 71 6e 37 46 73 39 4f 72 34 7a 67 62 4e 71 55 31 31 6d 55 46 7a 43 57 57 38 6e 41 44 39 53 68 4b 7a 64 39 59 4d 33 56 37 76 43 46 61 52 6d 63 72 41 42 4c 66 63 79 50 4f 6e 72 52 4a 39 34 65 70 63 6d 31 56 71 68 6a 7a 44 6b 79 61 68 33 50 6f 6c 5a 52 64 55 6e 37 48 6d 44 36 59 57 58 58 52 38 79 45 78 74 6e 68 61 5f 79 31 75 35 5a 36 36 48 73 6e 6e 4e 4b 44 34 64 6e 62 50 75 34 66 5a 38 46 53 37 36 59 6d 6a 31 47 57 7a 2e 7a 4c 52 46 4f 4c 63 62 72 4e 62 4d 51 70 45 6d 63 5a 6e 67 71 76 48 64 54 35 79 33 78 48 30 67 2e 4e 5f 31 4c 70 5f 5f 44 64 6e 33 4e 31 65 6e 75 77 5a 74 67 35 68 4b 66 66 76 38 57 51 71 6b 46 6c 43 38 48 76 33 41 37 53 4f 35 4d 32 48 69 48 4b 71 Data Ascii: rB7vjdPHMgvkMqtCVOg9JBV.1u8ZNGLqn7Fs9Or4zgbNqU11mUFzCWW8nAD9ShKzd9YM3V7vCFaRmcrABLfcyPOnrRJ94epcm1VqhjzDkyah3PolZRdUn7HmD6YWXXR8yExtnha_y1u5Z66HsnnNKD4dnbPu4fZ8FS76Ymj1GWz.zLRFOLcbrNbMQpEmcZngqvHdT5y3xH0g.N_1Lp__Ddn3N1enuwZtg5hKffv8WQqkFlC8Hv3A7SO5M2HiHKq
2024-10-17 16:07:56 UTC	1369	IN	Data Raw: 67 62 4e 68 4e 72 45 59 4e 4e 35 70 74 46 49 38 50 4f 6a 72 54 47 34 73 33 48 75 35 5a 79 41 35 59 51 76 4b 54 78 51 4d 4e 66 77 67 71 34 4a 6e 5f 35 74 71 42 68 43 48 52 56 6e 75 76 4c 6a 51 57 47 6d 65 52 52 7a 43 77 4e 35 56 63 4d 51 62 74 6e 79 43 4d 6b 49 30 47 77 58 31 71 61 33 56 49 45 69 4f 33 32 46 42 79 34 6f 70 5a 74 38 2e 58 6b 68 54 5a 46 35 55 54 39 42 34 6c 78 42 5a 39 59 35 73 4b 55 6c 68 4b 38 4f 67 30 59 34 49 41 6c 54 38 75 75 59 46 31 45 78 68 53 63 37 31 68 6e 4a 5a 46 50 4c 65 6a 64 53 4c 6f 32 6b 53 30 46 75 77 70 30 55 37 55 6b 38 4f 48 32 44 44 35 74 43 6f 48 51 45 54 36 75 62 55 6c 72 67 61 41 37 6c 66 74 44 35 59 4f 4d 36 46 33 78 6c 49 37 4f 76 6b 4d 37 4c 43 43 5f 6c 51 56 4c 6c 70 52 50 53 71 64 61 62 4c 39 48 49 71 4d 2e 39 Data Ascii: gbNhNrEYNN5ptFI8POjrTG4s3Hu5ZyA5YQvKTxQMNfwgq4Jn_5tqBhCHRVnuvLjQWGmeRRzCwN5VcMQbtnyCMkI0GwX1qa3VIEiO32FBy4opZt8.XkhTZF5UT9B4lxBZ9Y5sKUlhK8Og0Y4IAlT8uuYF1ExhSc71hnJZFPLejdSLo2kS0Fuwp0U7Uk8OH2DD5tCoHQET6ubUlrgaA7lftD5YOM6F3xlI7OvkM7LCC_lQVLlpRPSqdabL9HIqM.9
2024-10-17 16:07:56 UTC	1369	IN	Data Raw: 67 48 54 4e 2e 70 72 77 73 46 55 58 44 30 48 5f 54 77 57 61 4a 56 44 70 4b 5a 65 64 34 54 64 53 4d 63 53 73 7a 58 2e 31 6d 4b 68 51 45 6e 2e 4e 79 38 53 71 72 38 42 49 4b 6e 77 74 49 55 4b 69 6b 48 75 37 68 61 63 59 70 37 57 61 66 72 6d 53 6c 52 38 4a 32 5a 47 69 73 61 72 6f 73 6c 2e 34 46 47 6f 47 77 61 55 52 53 63 52 39 39 45 77 54 63 44 36 41 6c 54 55 74 6a 78 44 6a 46 6b 44 2e 5a 6b 50 4f 57 77 4e 57 69 6c 77 6f 71 47 68 68 5a 62 64 69 44 30 7a 5f 75 64 67 48 55 39 50 49 51 42 71 51 6a 59 4e 67 48 69 68 70 58 32 6f 42 6a 39 6c 53 50 53 65 54 35 6a 52 6d 44 68 35 7a 38 4f 66 78 37 4c 39 70 5f 5a 35 69 55 44 78 59 6c 5a 69 6e 38 77 6a 4e 76 6f 38 77 4c 4a 68 54 4b 49 70 5f 6c 31 68 36 43 2e 77 41 70 78 37 51 44 6b 36 30 70 71 30 44 79 70 79 53 72 43 33 Data Ascii: gHTN.prwsFUXD0H_TwWaJVDpKZed4TdSMcSszX.1mKhQEn.Ny8Sqr8BIKnwtIUKikHu7hacYp7WafrmSlR8J2ZGisarosl.4FGoGwaURScR99EwTcD6AlTUtjxDjFkD.ZkPOWwNWilwoqGhhZbdiD0z_udgHU9PIQBqQjYNgHihpX2oBj9lSPSeT5jRmDh5z8Ofx7L9p_Z5iUDxYlZin8wjNvo8wLJhTKIp_l1h6C.wApx7QDk60pq0DypySrC3
2024-10-17 16:07:56 UTC	958	IN	Data Raw: 61 31 59 45 2b 39 78 33 4a 31 78 43 51 68 79 72 69 35 7a 56 43 36 77 71 41 6a 70 37 62 36 43 72 63 55 43 36 65 63 6c 36 49 41 3d 27 2c 7d 7d 3b 76 61 72 20 63 70 6f 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 63 70 6f 2e 73 72 63 20 3d 20 27 2f 63 64 6e 2d 63 67 69 2f 63 68 61 6c 6c 65 6e 67 65 2d 70 6c 61 74 66 6f 72 6d 2f 68 2f 62 2f 6f 72 63 68 65 73 74 72 61 74 65 2f 63 68 6c 5f 70 61 67 65 2f 76 31 3f 72 61 79 3d 38 64 34 31 38 62 36 32 64 61 34 32 34 36 34 61 27 3b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 68 61 73 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 69 6e 64 65 78 4f 66 Data Ascii: a1YE+9x3J1xCQhyri5zVC6wqAjp7b6CrcUC6ecl6IA=',}};var cpo = document.createElement('script');cpo.src = '/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8d418b62da42464a';window._cf_chl_opt.cOgUHash = location.hash === '' && location.href.indexOf
2024-10-17 16:07:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	2
Start time:	12:07:47
Start date:	17/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	1'744'384 bytes
MD5 hash:	CCB3B74D378733C21FC584875B5A8B07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.3828060827.0000000004311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.3829547092.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: HawkEye, Description: unknown, Source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.3825159403.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:07:58
Start date:	17/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Imagebase:	0x400000
File size:	1'173'928 bytes
MD5 hash:	D881DE17AA8F2E2C08CBB7B265F928F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:07:58
Start date:	17/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Imagebase:	0x400000
File size:	1'173'928 bytes
MD5 hash:	D881DE17AA8F2E2C08CBB7B265F928F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:08:08
Start date:	17/10/2024
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Imagebase:	0x400000
File size:	1'744'384 bytes
MD5 hash:	CCB3B74D378733C21FC584875B5A8B07
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.1607673008.00000000024B6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.1610567858.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.1610355342.0000000005520000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.1609878742.0000000004421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: HawkEye, Description: unknown, Source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000008.00000002.1609372667.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.1603365983.00000000005CA000.00000040.00000001.01000000.0000000C.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:08:16
Start date:	17/10/2024
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Imagebase:	0x400000
File size:	1'744'384 bytes
MD5 hash:	CCB3B74D378733C21FC584875B5A8B07
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	92%
Signature Coverage:	8%
Total number of Nodes:	263
Total number of Limit Nodes:	22

Executed Functions

Function 059F1AD7 Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F1B6B

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 7cb2d469fa840317b6bd075b57051f3477d80800bb0f01ae134db76e60371c90
Instruction ID: c648f96a6ff5c7b77d05fd65a5abc660f99d7c532a82edef65a30c6888565195
Opcode Fuzzy Hash: 7cb2d469fa840317b6bd075b57051f3477d80800bb0f01ae134db76e60371c90
Instruction Fuzzy Hash: FC219175409380AFE7128F61CC44FA6BFBCEF46624F0984DBE944CB192D665A509C7B1

Function 030EA9A3 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 030EAA23

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: e19ba69fde8728e1c8d0cbd20775d76214566c39fc7553723214f4d58821fff6
Instruction ID: 7eb45f36508a74ee338d82cf377aa58556eefd501de6729e0fb1c104f4699dbd
Opcode Fuzzy Hash: e19ba69fde8728e1c8d0cbd20775d76214566c39fc7553723214f4d58821fff6
Instruction Fuzzy Hash: 9A2191755097C09FDB22CF25DC44B52BFF4AF06210F0D84DAE9858B163D2719908DB62

Function 059F1B0A Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F1B6B

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: b70f10ed1725a16e9766d3f93a6da400a9a570d3495c91d90e04e54d5f91781d
Instruction ID: 674a211702b9d80bab9e85a6c18e1af3c5ea6ffe071100c3c3c092e4bbba9f64
Opcode Fuzzy Hash: b70f10ed1725a16e9766d3f93a6da400a9a570d3495c91d90e04e54d5f91781d
Instruction Fuzzy Hash: 9611BF71504240EFEB20CF11DC84FA6FBACEF45625F0884AAEE499B245E774E504CBB6

Function 059F6A25 Relevance: 1.6, APIs: 1, Instructions: 60nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 059F6A90

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: c3dbdad6265a95d7f299d31f3199c93c5920b97ca8a39389ae23c66641d0097f
Instruction ID: 1a40a093d10015fc896c619ec8634f27fafd44ba59ad734d78cf1db6eea3157a
Opcode Fuzzy Hash: c3dbdad6265a95d7f299d31f3199c93c5920b97ca8a39389ae23c66641d0097f
Instruction Fuzzy Hash: 56117F71408380AFDB218F55DC44B62FFB8FF46320F08889AED888B252C275A458DB61

Function 059F6B8B Relevance: 1.6, APIs: 1, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 059F6BF9

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 556bb0f8613d073c5e0e1027f0c34490effc29879a802991d978b6561ceb9bf6
Instruction ID: 070dda9ddbf5bf9c9ae487bb90f8a2427ffeb87b9a8b8e9266c00d0b547e00e8
Opcode Fuzzy Hash: 556bb0f8613d073c5e0e1027f0c34490effc29879a802991d978b6561ceb9bf6
Instruction Fuzzy Hash: 721193754097C09FDB228F11DC45F62FFB4EF46324F0984CAEA844B163D275A918DB62

Function 030EA9DA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 030EAA23

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 918f57946048d64b55315b7ec010ede67b8185de68a1be4182e569897757f1ef
Instruction ID: f4dcf6683d7308039ef4c3cb037b361ad230f82738876f550d39631bb6c5d8a1
Opcode Fuzzy Hash: 918f57946048d64b55315b7ec010ede67b8185de68a1be4182e569897757f1ef
Instruction Fuzzy Hash: 4411A0316013409FEB20CF15D984B66FBE4EF08220F0C88AADD498B651D731E418CFA2

Function 059F6A52 Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 059F6A90

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: c7334b1a4e9b4c9227a115239edf5e156d730573dadd7f9ece4a922ac650ce26
Instruction ID: 41a219c370f389ca520262e3d28cf15e752c65fa519e46f92bfd8cb16c528242
Opcode Fuzzy Hash: c7334b1a4e9b4c9227a115239edf5e156d730573dadd7f9ece4a922ac650ce26
Instruction Fuzzy Hash: A3018C31404340DFEB20CF55D844B66FBA4EF04220F18C89ADE494B212D376E018CBB2

Function 030EB0B2 Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 030EB0ED

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: f4b33be07c3f8ade9ae7ea571c800a2da15bb54f231c0e34b920a2b9448e8fc1
Instruction ID: 544eddbd1a137d64848d0e302e6a8b1ec3b3850f39b9290ae1e3e546b70a2efb
Opcode Fuzzy Hash: f4b33be07c3f8ade9ae7ea571c800a2da15bb54f231c0e34b920a2b9448e8fc1
Instruction Fuzzy Hash: A801B1355092409FEB20CF59D884B65FBE4EF04320F08C8DADE894B251D375A014CBA2

Function 059F69AA Relevance: 1.5, APIs: 1, Instructions: 40nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 059F69DF

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b74073ce0cf64632d1b144610a0a0863b4e230443e0fe72594bb46b85e058337
Instruction ID: 3bf9f5328aed392872acf447e61c3179a3ddeea723ab54d27e63b4a20b3e901b
Opcode Fuzzy Hash: b74073ce0cf64632d1b144610a0a0863b4e230443e0fe72594bb46b85e058337
Instruction Fuzzy Hash: DC018B318043409FEB10CF15D884B65FBA4EF05320F08C8AADE499F252D679A444CBA2

Function 059F7442 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 059F7474

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 14365a332e1abea4a3cbcd9921071a9e98039c4e4215a99a53e1555fd64785f4
Instruction ID: 649572444f8d99a4fe65f5e16a57000af0535c2ff65928e14635fca3881826c7
Opcode Fuzzy Hash: 14365a332e1abea4a3cbcd9921071a9e98039c4e4215a99a53e1555fd64785f4
Instruction Fuzzy Hash: 3E01AD308042409FEF10CF55D884B65FFA5EF45334F08C8AADE488F252D679A404CBA2

Function 059F6BBE Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 059F6BF9

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 0b3d20ba915050b0c0ef4cb98b60a9aebe90e9c1d527bc1379f368bb5ae4a38a
Instruction ID: f7651d8dad9834efc2b64d3f965273d39de548d1af71f972ba80c389b6cca222
Opcode Fuzzy Hash: 0b3d20ba915050b0c0ef4cb98b60a9aebe90e9c1d527bc1379f368bb5ae4a38a
Instruction Fuzzy Hash: E9018B314047409FEB20CF05D884B66FFA4FF08724F08C49ADE894B222C376A458CBA2

Function 07736C08 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

k, xrefs: 07736E5E

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: d1e3b14f2dfe6a03b0e36240f1e6e507e40b53ed8db0d1cfc60c4049339af407
Instruction ID: 6dbdcd385c13ea053e64f80e3ef9310e7634b1bf206f38b6329281b532ab6328
Opcode Fuzzy Hash: d1e3b14f2dfe6a03b0e36240f1e6e507e40b53ed8db0d1cfc60c4049339af407
Instruction Fuzzy Hash: F471C2B5E15628CFEB64DF2ACC447DABBB2EB89300F0081EA950DA7255DB355E85CF40

Function 07736BF8 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

k, xrefs: 07736E5E

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: b0722c4733ce432b8b7209ae69e0abd9f7754d45965b73c051fec172e327e3e0
Instruction ID: f027feae99d9ed1c85d5eebded74eadd0115526d37950c3c6f1a43c7ce2f2aa3
Opcode Fuzzy Hash: b0722c4733ce432b8b7209ae69e0abd9f7754d45965b73c051fec172e327e3e0
Instruction Fuzzy Hash: 0061F6B5E01628CFEB68DF26D8447DABBF2EB89300F1081EA950DA7255DB355E85CF40

Function 057A6A40 Relevance: 1.0, Instructions: 999COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5da9a4239b2e3804505d0e97ea3cf220d1456edbaf2beff1cc66d879de01d9
Instruction ID: 460044f162b7530f7164e95618a25d78e3ed7e32a310af7cc734585fb0d6c51c
Opcode Fuzzy Hash: 7e5da9a4239b2e3804505d0e97ea3cf220d1456edbaf2beff1cc66d879de01d9
Instruction Fuzzy Hash: 07B2BF75E002288FDB64DF69C984BD9BBB2FF89300F1581E9D549AB221DB319E81DF41

Function 0773CA38 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515b36fe6443e8a610774c3c3df94fa74fe8f2ecb0f3b19a4aa0d0a8b550107d
Instruction ID: 4e7337a8250bbb9eb433521871b8b00c6a59527021e69ef9e586c5424fcd28c4
Opcode Fuzzy Hash: 515b36fe6443e8a610774c3c3df94fa74fe8f2ecb0f3b19a4aa0d0a8b550107d
Instruction Fuzzy Hash: 1AF105B4E05219CFEB24DF69C84479DBBF2BB8A340F1085AAD50DB7281DB344A85CF21

Function 09D16E27 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d7efa1cd2472d41000f1f78dc357fd8c62e65e23ad16c2ced10565e8f86d53
Instruction ID: a2e43f3f4cc2d706c03f8f4b9361e88be12d26b3e400bb5db543501d2abb906f
Opcode Fuzzy Hash: 40d7efa1cd2472d41000f1f78dc357fd8c62e65e23ad16c2ced10565e8f86d53
Instruction Fuzzy Hash: F97166B1E05208DFEB05DFA4D9586EEBBF2EF89300F50812AE505AB790DB394845CF91

Function 09D16E60 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924404a593a06e96d44fdf99f3bc6b80299d6242bbb929c8dceaa5b4c31dca09
Instruction ID: 788e2ce394bc18ed7d6d5b9818624c327fc21a6f876374f2cc8d974eac880940
Opcode Fuzzy Hash: 924404a593a06e96d44fdf99f3bc6b80299d6242bbb929c8dceaa5b4c31dca09
Instruction Fuzzy Hash: B96133B1E01208DFDB04EFA5D9586EEBBF2EB89300F50812AE505B7394DB398941CF91

Function 0773F008 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b392d8e5fa66e512b58d4b530a9113db12c5b8d2e65b670f300f46351e5149
Instruction ID: deb5a96f384fd14860705995dec9255114186dc6ab81c5db171c99ac2540f170
Opcode Fuzzy Hash: 65b392d8e5fa66e512b58d4b530a9113db12c5b8d2e65b670f300f46351e5149
Instruction Fuzzy Hash: 2C41E8B1E0561CCFEB14CFAAC94479EFBF6AF89381F14C0AAC509AB255D77449858F01

Function 09D13DBA Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00e24b1fd5f070266a847f78de59386c51faaff9725f0d3af5b6e21a361b3f8
Instruction ID: b8511c49fd24d69fc3f12ca53ae9351d2900c8b94bbcbc42be1abe318052ee3e
Opcode Fuzzy Hash: f00e24b1fd5f070266a847f78de59386c51faaff9725f0d3af5b6e21a361b3f8
Instruction Fuzzy Hash: B001E575D89228DFCB60DFA5E9487ECFBB4BB4A340F1051AAD01DA3240C7708A84CF01

Function 07737727 Relevance: 3.9, Strings: 3, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K, xrefs: 07738EA6
k, xrefs: 07736E5E
|, xrefs: 07738E77

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: K$k$|
API String ID: 0-713580124
Opcode ID: 4d537a3eedbcae2c02510fa111d7e0d384259624a206bf127f273654ffa6064c
Instruction ID: 832c031503b9f4534fa0a505863e17fc55fd72b18d61d3ea1f3cbaa67eff6228
Opcode Fuzzy Hash: 4d537a3eedbcae2c02510fa111d7e0d384259624a206bf127f273654ffa6064c
Instruction Fuzzy Hash: C651F2B5A06228CFEB60DF24D8487EAB7B1EB89341F0081EA960DA7251CB355E84DF04

Function 07736E90 Relevance: 3.9, Strings: 3, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

k, xrefs: 07736E5E
i, xrefs: 077392EC
Q, xrefs: 0773931B

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: Q$i$k
API String ID: 0-2156888278
Opcode ID: 08b5c4ce4b3d0dad9009bf583598ab612834b3789efcf33b496910aeedff59ce
Instruction ID: 40b2775cf3589ca04da098913135708a0e720cd70e2ee672ad7b97e4c6817c67
Opcode Fuzzy Hash: 08b5c4ce4b3d0dad9009bf583598ab612834b3789efcf33b496910aeedff59ce
Instruction Fuzzy Hash: A05103B5A06628CFEB60DF24D8487EAB7B1FB89345F0081E9D50DA7252DB365E84CF40

Function 077379E1 Relevance: 3.9, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 07737A10
k, xrefs: 07736E5E
<, xrefs: 077379E1

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: -$<$k
API String ID: 0-3604635971
Opcode ID: f8a69cf2f77fa89b32834a056e62fec05fbf4ad16994155caa9ad9c7423f9ec3
Instruction ID: 488d010a4a5641f1f580c38df72e31f1a48624f2822ddda446cd82e630740c45
Opcode Fuzzy Hash: f8a69cf2f77fa89b32834a056e62fec05fbf4ad16994155caa9ad9c7423f9ec3
Instruction Fuzzy Hash: 574106B5A06228CFEB60DF24D9487EAB7B1EB89341F1081E9D50DA7351CB365E84DF00

Function 09D18333 Relevance: 3.1, Strings: 2, Instructions: 642
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@Rl, xrefs: 09D18A51
), xrefs: 09D19196

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: )$:@Rl
API String ID: 0-2259024697
Opcode ID: 9f78f6906d003b47cb90ebca7b0c3d4c9a6c1084f753fef28349bc14bb6f6e62
Instruction ID: 645b48f089a4ae62317c95c53f449a1b950909eb0fa532967729006f255c1630
Opcode Fuzzy Hash: 9f78f6906d003b47cb90ebca7b0c3d4c9a6c1084f753fef28349bc14bb6f6e62
Instruction Fuzzy Hash: 4A72BFB4A412289FEB64DF24D888BEDB7B2EB89304F0081E9D50DA7250DB755EC0DF41

Function 09D128FB Relevance: 2.9, Strings: 2, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2yl, xrefs: 09D12E22
2yl, xrefs: 09D12736

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: 2yl$2yl
API String ID: 0-2680383736
Opcode ID: 939b99f2913c1d0b9a3b7386d1cf34f631ee71a979915f4e497fffb52e8a1ed4
Instruction ID: d63c3e186439f0bbf93ea079d4d9a1fe800e0a8ee4120c38c1d2d9607418e5db
Opcode Fuzzy Hash: 939b99f2913c1d0b9a3b7386d1cf34f631ee71a979915f4e497fffb52e8a1ed4
Instruction Fuzzy Hash: 3402F2B1E42228DFDB20DFA4D9887EDBBF1AB89300F5081A9D61DA7654DB355E84CF40

Function 09D18899 Relevance: 2.9, Strings: 2, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@Rl, xrefs: 09D18A51
), xrefs: 09D19196

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: )$:@Rl
API String ID: 0-2259024697
Opcode ID: ad2f0899b6f2d35c8f99e44386c88d3234b4960f335cf50cc1e0b5843e82481e
Instruction ID: dd253690f97286a1fb8a39ff312c7f327911ae723abbd9d3c43aa64f238ac7f0
Opcode Fuzzy Hash: ad2f0899b6f2d35c8f99e44386c88d3234b4960f335cf50cc1e0b5843e82481e
Instruction Fuzzy Hash: B5228FB4A412288FEBA4DF24D944BEDB7B2EB89304F0081EA990DA7350DB755EC1DF41

Function 09D12D51 Relevance: 2.7, Strings: 2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2yl, xrefs: 09D12E22
2yl, xrefs: 09D12736

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: 2yl$2yl
API String ID: 0-2680383736
Opcode ID: a7ea6001e11c48a132b833192add401267576f4a15e05b92e643789b0f397280
Instruction ID: c3495a59668f9854089db5c9c122372a8744037e0477f610c843f7409bc3c4bc
Opcode Fuzzy Hash: a7ea6001e11c48a132b833192add401267576f4a15e05b92e643789b0f397280
Instruction Fuzzy Hash: A9814571E42228DFEB20DFA4D9847DDBBB1AB89300F5094AAD20DB7744DB354E888F55

Function 09D12595 Relevance: 2.7, Strings: 2, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2yl, xrefs: 09D125BC
2yl, xrefs: 09D12736

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: 2yl$2yl
API String ID: 0-2680383736
Opcode ID: b883f721159afee70c989b86694fd16e202662e06bc06a2a241ebead19e7d6aa
Instruction ID: 6cc08221379324f7c855026c5044c98f8df8ef02eb5080bf35fadd60de29ba5a
Opcode Fuzzy Hash: b883f721159afee70c989b86694fd16e202662e06bc06a2a241ebead19e7d6aa
Instruction Fuzzy Hash: B6612270D42228CFEB20DFA4D984BDDBBB1AB89340F5094AAC51AB7744DB354E88CF54

Function 077377BE Relevance: 2.6, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

k, xrefs: 07736E5E
", xrefs: 077384BF

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: "$k
API String ID: 0-4009759466
Opcode ID: 84246d76a3a7a8e72739ba65a5e20aa16a011a4b144220dcf8312bade5e417e9
Instruction ID: cde9246dc21cee81f01b243b4bf748e7f89db7ea170b9beb63b490b2daa5b98a
Opcode Fuzzy Hash: 84246d76a3a7a8e72739ba65a5e20aa16a011a4b144220dcf8312bade5e417e9
Instruction Fuzzy Hash: F551F4B5A06628CFEB60DF24D9487EAB7B1EB89341F1041EAD50DA7351DB365E84DF00

Function 077377F3 Relevance: 2.6, Strings: 2, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q, xrefs: 07737857
k, xrefs: 07736E5E

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: Q$k
API String ID: 0-3115828451
Opcode ID: 578d41f9762f567813d4ed094a294165d354107698dd71c22901e96235cdc4ae
Instruction ID: 1ee9fbce16841c43dce22db252a02e3c964b729a69293202b38d319e248e12d9
Opcode Fuzzy Hash: 578d41f9762f567813d4ed094a294165d354107698dd71c22901e96235cdc4ae
Instruction Fuzzy Hash: 3651F4B5A06228CFEB60DF24D9487EAB7B2EB89345F0081E9D50DA7351DB365E84DF00

Function 07736ECB Relevance: 2.6, Strings: 2, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

k, xrefs: 07736E5E
\, xrefs: 07736EDA

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: \$k
API String ID: 0-2976864176
Opcode ID: 242eec9b135785bff3eea072249ecd91862a96344d2252b54a5cfe288c18a330
Instruction ID: c4dd46ea366f7c91119a9f5a5b64813c2608b4c42b298a2dbba856433c285030
Opcode Fuzzy Hash: 242eec9b135785bff3eea072249ecd91862a96344d2252b54a5cfe288c18a330
Instruction Fuzzy Hash: 364115B5A16228CFEB20DF24D9487EAB7B1EB89341F1081E9D50DA7352CB365E84DF00

Function 057ADA50 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Byl, xrefs: 057ADAEA
\Byl, xrefs: 057ADADA

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID: \Byl$\Byl
API String ID: 0-1668068921
Opcode ID: 14c98e1a614710efeb3dabb0bd881eee317af1e91d7262dbd26532297efcca16
Instruction ID: 5262bb0368dda526b4b2726963709d1093c1f9e132175b4b309089d56f8a3cc7
Opcode Fuzzy Hash: 14c98e1a614710efeb3dabb0bd881eee317af1e91d7262dbd26532297efcca16
Instruction Fuzzy Hash: 9B214C71D08209CFDB24DF99D184AAEB7B2FB88304F18C2AAC915A7748D7749D81DF91

Function 09D165F9 Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?, xrefs: 09D16603
O, xrefs: 09D1662F

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: ?$O
API String ID: 0-3355297304
Opcode ID: a008525927f9a195152ab016d4c65ab9aeea1231bb39802e2f1ea59391ad0778
Instruction ID: 1bcca498fdb7bd2f103abd6b048e4177695adba1c0754382fc39864342f11d38
Opcode Fuzzy Hash: a008525927f9a195152ab016d4c65ab9aeea1231bb39802e2f1ea59391ad0778
Instruction Fuzzy Hash: 57019275D9522DDFEB259F64E4887EDBAB1BB89304F2041A9E009A7642C7784AC1CF05

Function 059F4520 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E98), ref: 059F464F

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 97bd510f808aff94b850fe0616d2e4a1964ca9ef36e737fa56ca24460e87f9bf
Instruction ID: bca7fbb757d241191cbd51ac4f87c3f199b1fe61815d1b28ce6a19e657cb4500
Opcode Fuzzy Hash: 97bd510f808aff94b850fe0616d2e4a1964ca9ef36e737fa56ca24460e87f9bf
Instruction Fuzzy Hash: 6B516F7140D3C06FEB238B608C55BA6BFB8AF07214F0A44DBE588CF1A3D6695909C772

Function 059F3A3C Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getnameinfo.WS2_32(?,00000E98), ref: 059F3B2D

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: getnameinfo
String ID:
API String ID: 1866240144-0
Opcode ID: 3cd65da8c62c77940adc584f070005244561bddb000920ac9b6c3ee7c98e4279
Instruction ID: aeaebdecde87c82ff2d4de2c42a8a131c595dbc16150d03a87eb32ffca5a2add
Opcode Fuzzy Hash: 3cd65da8c62c77940adc584f070005244561bddb000920ac9b6c3ee7c98e4279
Instruction Fuzzy Hash: 6F4160724093846FE7228B618C51FA6BFBCEF07314F0988DBEA848B0A3D6659509C771

Function 059F3D1A Relevance: 1.6, APIs: 1, Instructions: 115networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F3E01

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 681bad1edcf5ef6d4942812b93d0c28b63619bfd0fb624cde629cae689e3bacf
Instruction ID: c13e2248f2e42c90709cd7c24bb52e5302299a483a71a173084f38533bc75b70
Opcode Fuzzy Hash: 681bad1edcf5ef6d4942812b93d0c28b63619bfd0fb624cde629cae689e3bacf
Instruction Fuzzy Hash: 68414F7550D7C05FE7238B608C54BA2BFB8EF07614F0A44DBD985CB1A3D269A849C771

Function 059F6818 Relevance: 1.6, APIs: 1, Instructions: 111processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,00000E98), ref: 059F6910

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3ad39fce84595cf539f43a4579f1934d5cad85f1e856720b00b187d315d4f116
Instruction ID: 7bcfcdff66aec84334513201d894d9c14854efd87aa8ec8388f3105743030610
Opcode Fuzzy Hash: 3ad39fce84595cf539f43a4579f1934d5cad85f1e856720b00b187d315d4f116
Instruction Fuzzy Hash: BD419C72104741AFEB218B61CC41FA6BBACEF05710F04899DFA899A1A1D765E948CB60

Function 059F05C9 Relevance: 1.6, APIs: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E98,?,?), ref: 059F06A2

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a025317c08dd54bace3b62a009a8a9e946800a6be3d4123351ac6ab11aa26fcc
Instruction ID: 6f7bba1bc87f4d0e65ac8ec1406ec5b1ce5fa97bfbfc43df78508e16b9f1c163
Opcode Fuzzy Hash: a025317c08dd54bace3b62a009a8a9e946800a6be3d4123351ac6ab11aa26fcc
Instruction Fuzzy Hash: 3F418B3510E3C05FD3138B218C15B61BF78EF87620F0E81DBD8848B5A3D669A909D7B2

Function 059F2C3C Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E98,?,?), ref: 059F2D1A

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: b1d17e13e4f9472587fae0d15b5b2c9ff6cba4e886b5b9ac110ead47ee3370a8
Instruction ID: 8fdf44a256c7028a4fbe5ccf216ba183e65b9b4f954343654ee195a2f3fab351
Opcode Fuzzy Hash: b1d17e13e4f9472587fae0d15b5b2c9ff6cba4e886b5b9ac110ead47ee3370a8
Instruction Fuzzy Hash: C3315D7540E3C05FD7538B358C65AA1BFB4EF87624F0A40DBD8848F1A3D6686909CBB2

Function 059F5F1A Relevance: 1.6, APIs: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F5FE4

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 64e41eb8ecd685375aae4eeea9f973e0786a6d67a85aec2d03c5af4b00fc83d4
Instruction ID: 86184d292c3b8e7f1db9118ed0f60b0e7e2d2bb5b618a77fcd13fca58f70b1b3
Opcode Fuzzy Hash: 64e41eb8ecd685375aae4eeea9f973e0786a6d67a85aec2d03c5af4b00fc83d4
Instruction Fuzzy Hash: 5F313C7100D3C06FD7238B618C54B62BFB8AF07614F0D85DBE9858B1A3C2699849C772

Function 059F4012 Relevance: 1.6, APIs: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E98), ref: 059F40C9

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4f3e4ea97419f4777ffd56e5ffa70f0f8d68159b5cbe537eaca3980c0cb3a2a9
Instruction ID: 6beb2fbd8fad0f8b29494c1062eef56fcef39228e305d1bbf525cd1fa8d874d9
Opcode Fuzzy Hash: 4f3e4ea97419f4777ffd56e5ffa70f0f8d68159b5cbe537eaca3980c0cb3a2a9
Instruction Fuzzy Hash: 3031EAB2404344AFEB228F51CC40FB7BFACEF45310F04889AE9849B152D764A509C771

Function 059F0AB7 Relevance: 1.6, APIs: 1, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 059F0B6D

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f1ff7ca5e23aef3c424157dac110b0a2693dd14ca280cd5135a49dce17cf1180
Instruction ID: 3a80ddf322c06f1432ff3d5b4cdd58086abb163a254ec4fcd82c2f3f1dadc679
Opcode Fuzzy Hash: f1ff7ca5e23aef3c424157dac110b0a2693dd14ca280cd5135a49dce17cf1180
Instruction Fuzzy Hash: E3318FB1405380AFEB22CB25DC44F62BFFCEF06714F09849AE9898B252D365A509CB71

Function 059F3B8D Relevance: 1.6, APIs: 1, Instructions: 97encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000E98,?,?), ref: 059F3C56

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: 4b26521ee248c2e48eed53b52a2b433ccee01f4a9d74bb0ff0b7f6cb3b1b0047
Instruction ID: 8f99e03a7eab9234b9f97b9c9feec9c24f52424c035b0eae1d77d6d64ae861fe
Opcode Fuzzy Hash: 4b26521ee248c2e48eed53b52a2b433ccee01f4a9d74bb0ff0b7f6cb3b1b0047
Instruction Fuzzy Hash: 04317A7150E3C45FD7038B758C61B66BFB4AF47610F1E80CBD8848F2A3D665691AC7A2

Function 059F6D69 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

AcceptEx.MSWSOCK(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F6E20

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Accept
String ID:
API String ID: 3029133314-0
Opcode ID: 3afcad34a27f15be7cdf439f41490c6f0c0501360c0e1d86be3d94eec7ef208c
Instruction ID: e8d8fab2f753a14a459793ba357113d7dac0865819c05e6a41494d025fd351c4
Opcode Fuzzy Hash: 3afcad34a27f15be7cdf439f41490c6f0c0501360c0e1d86be3d94eec7ef208c
Instruction Fuzzy Hash: 5D31A3B24097806FEB22CB61CC44FA7BFBCEF06714F09849AE685CB162D765A518C761

Function 059F6846 Relevance: 1.6, APIs: 1, Instructions: 97processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,00000E98), ref: 059F6910

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 761392823f37f7b32203681c18ca7b84807c7cd1aedd0f120e96b129ddfaa41c
Instruction ID: 753a05590ad3d0eb8644290cde8fb04ce6cb0d9e1aadc7b541a806ddb4729aea
Opcode Fuzzy Hash: 761392823f37f7b32203681c18ca7b84807c7cd1aedd0f120e96b129ddfaa41c
Instruction Fuzzy Hash: C4316C72100305AFEB21CF61CC81FA6F7ECEF08714F048959EA499A191D7B5F554CB61

Function 059F457F Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E98), ref: 059F464F

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: ebe4c0efff670681e592895fbf67bf8fd0ef4e0fb2c2e7072816ccaa2f7009dd
Instruction ID: 4704476c21039e177dce00b7985b99103e05411e5707c401ca4da27e3d69a26d
Opcode Fuzzy Hash: ebe4c0efff670681e592895fbf67bf8fd0ef4e0fb2c2e7072816ccaa2f7009dd
Instruction Fuzzy Hash: 1E319271408344AFEB21CB61CC84FA6BBACEF05714F05489AFA489B192D7B5A909CB71

Function 059F7200 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E98), ref: 059F72AC

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a3405112fee56c6db1b5879df8ee5949d4b1197506307b2bbca4e8ec15c76b18
Instruction ID: 54269cf461b64c1c3a27af26d715aa045857f32d0ffbdae1663a563560b13f90
Opcode Fuzzy Hash: a3405112fee56c6db1b5879df8ee5949d4b1197506307b2bbca4e8ec15c76b18
Instruction Fuzzy Hash: 3431E772404384AFEB228F50DC44FA6BFB8EF06314F09849EEA858B163D774A518CB71

Function 030EBAB2 Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E98), ref: 030EBB61

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 766be938b36dda0fdd42971ca65aa3848e6c6bd8298010c7f2ac11efca2ad27c
Instruction ID: dcf718348008e91c5eedbc02d20b8e946a5772e0fd834a886b62caadad34aaf7
Opcode Fuzzy Hash: 766be938b36dda0fdd42971ca65aa3848e6c6bd8298010c7f2ac11efca2ad27c
Instruction Fuzzy Hash: F8318472508384AFE722CF51CC45FA7BFBCEF06610F09849AE9859B156D264E509CB71

Function 059F4212 Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E98), ref: 059F42BE

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 39ea847871b495ef4682f79ae82cf982d57a52d2fda46b4082b9a12d45e78cf6
Instruction ID: 37e01b90309068664a992d5e3403927cf2bdccc8085474c95dbbd1244e2a3e55
Opcode Fuzzy Hash: 39ea847871b495ef4682f79ae82cf982d57a52d2fda46b4082b9a12d45e78cf6
Instruction Fuzzy Hash: ED31B6B1409780AFEB22CF65DC44FA7BFB8EF06324F0984DAE9848B153D665A509C771

Function 059F730A Relevance: 1.6, APIs: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F73BE

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 63173af8fec0442af5796ec0cd3c958ba5d1206887174bf1b33ebc655151292a
Instruction ID: 4d23040de8868639703da489af493add48475b7950aa64c07d785efe551a3592
Opcode Fuzzy Hash: 63173af8fec0442af5796ec0cd3c958ba5d1206887174bf1b33ebc655151292a
Instruction Fuzzy Hash: 3731A4724083846FEB228F61DC54FA7BFB8EF06324F0984DAE9858B153D664A509C7B1

Function 059F394A Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

GetPerAdapterInfo.IPHLPAPI(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F39FF

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: AdapterInfo
String ID:
API String ID: 3405139893-0
Opcode ID: 8d478f065f3ad26e32f67e141bd63c71347086f61356ded4c2ea96f9846a8aa9
Instruction ID: 5630b2b3d7a82de4c72253203fc3beff9f0196a9eef8105bac69cf3e679a5bc6
Opcode Fuzzy Hash: 8d478f065f3ad26e32f67e141bd63c71347086f61356ded4c2ea96f9846a8aa9
Instruction Fuzzy Hash: D0316D7540D7C06FE7138B219C55BA6BFB8EF07614F0A84CBE9848F1A3D265A909C772

Function 059F1D75 Relevance: 1.6, APIs: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

accept.WS2_32(?,?), ref: 059F1E19

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: accept
String ID:
API String ID: 3005279540-0
Opcode ID: 8605afaec3167ea34bcf01bded300fab8901a0d6953e45979d987e9c95afaac7
Instruction ID: 088b17e4fb3bfc2b93e3a26132be35fd48dcf50d6d3fdaab39a7f358e223afac
Opcode Fuzzy Hash: 8605afaec3167ea34bcf01bded300fab8901a0d6953e45979d987e9c95afaac7
Instruction Fuzzy Hash: C3318471509380AFE712CB25DC45B66FFB8EF06314F0984DAE9848B293D375A509CBB1

Function 059F3A96 Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

getnameinfo.WS2_32(?,00000E98), ref: 059F3B2D

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: getnameinfo
String ID:
API String ID: 1866240144-0
Opcode ID: e624eb71e692d785799cfbf8ca3eec57f64a9dc5fa408fe52f803d972746eeb3
Instruction ID: 996c7ed282c5e8b48e41a015341b2bbc3fc5bdb0a7608fe2a6ac6a13806be162
Opcode Fuzzy Hash: e624eb71e692d785799cfbf8ca3eec57f64a9dc5fa408fe52f803d972746eeb3
Instruction Fuzzy Hash: 39216B72504204AFEB21CF65DC81FBAF7ACEF04714F08896AEA85CA191D775E548CBB1

Function 059F18FC Relevance: 1.6, APIs: 1, Instructions: 90timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F1999

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: b1b4c8cb3dba46bd0e779280fa9e926a2a117602b43f725c90bc40f0773ba10c
Instruction ID: 1810870bd22d8f6de79b25b1d5f4ecb387df90e168afdf276b7993c9fe5ad411
Opcode Fuzzy Hash: b1b4c8cb3dba46bd0e779280fa9e926a2a117602b43f725c90bc40f0773ba10c
Instruction Fuzzy Hash: 7B310B72509380AFEB128F51DC45F66BFB8EF07310F0984DBE9848B153D2259545D7B1

Function 030EBBA9 Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 030EBC64

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 840313cbe786e55c65a4b012f0b7bbbae131491f2a64ccfd4993a9b4e4caa7e2
Instruction ID: 0986a6db91e485d3495fa0ea6b764e032b063a4a4c32d0b26cbd26e2bf08368b
Opcode Fuzzy Hash: 840313cbe786e55c65a4b012f0b7bbbae131491f2a64ccfd4993a9b4e4caa7e2
Instruction Fuzzy Hash: 4F31B3715097805FE722CB21CC44FA2BFFCEF46714F09849AE989CB152D760E548CBA1

Function 030EAC10 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 030EACAA

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 89834c56d15382701bb880f63c52e243e64dccbd37687c72fa37089198c3ba79
Instruction ID: 5f6d5b16f03cb74ff23ceb115580059a5d0bc26d5cc3340d8122d9f9e85ad71f
Opcode Fuzzy Hash: 89834c56d15382701bb880f63c52e243e64dccbd37687c72fa37089198c3ba79
Instruction Fuzzy Hash: 0321E6B25097806FEB12CF64DC45BA6BFB8EF06324F0984DAE9848F193D364A509C771

Function 059F1E70 Relevance: 1.6, APIs: 1, Instructions: 88networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F1F16

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: e2d51b2c8260f43d373b37886bf565a98db03b45e458f183f2c52eea0e31cc53
Instruction ID: 88210d8a271c18b77a9947e012a1119704b36007800f2ada964a31dc9118e4e4
Opcode Fuzzy Hash: e2d51b2c8260f43d373b37886bf565a98db03b45e458f183f2c52eea0e31cc53
Instruction Fuzzy Hash: E13184B24093806FE712CB61DC85BA6BFB8EF06224F0984DBE5848B193D364A549C7B1

Function 030EBEBF Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 030EBF5C

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 4b2a8ad01a55be2d47d2025e3f3a567c3419ffee786f7f7317f463f33394d172
Instruction ID: fc46e0bf11c47f209e8218cd66ffe51bccb6dd5f61fead508af874bc20062bd7
Opcode Fuzzy Hash: 4b2a8ad01a55be2d47d2025e3f3a567c3419ffee786f7f7317f463f33394d172
Instruction Fuzzy Hash: 5E3193715093806FEB22CB61DC45FA6BFBCEF46614F0984DBE989CB152D264A508C772

Function 059F7116 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F71AD

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 399f8fd03278743556d374903f53708cf0ea4fe9739e8116758adf43950d5089
Instruction ID: 3faf8753ee3e47801494516cc3e5ae4ad27d401871e2bda48dad27d474bd6ce0
Opcode Fuzzy Hash: 399f8fd03278743556d374903f53708cf0ea4fe9739e8116758adf43950d5089
Instruction Fuzzy Hash: 9D31E9715043806FEB228F51DC45FA6BFBCEF46314F05849AE9458B152D764A908C7B1

Function 059F1635 Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 059F16D5

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b9754e8ae5cc46417b6cba948a73646517b01e10f9e21868fe156761d651a076
Instruction ID: c3a3ae7f952e56cb1b58df0271b4b420e619fc17837180c672d7b10d77661618
Opcode Fuzzy Hash: b9754e8ae5cc46417b6cba948a73646517b01e10f9e21868fe156761d651a076
Instruction Fuzzy Hash: 5A316471509380AFE721CF25CC45F66FFF8EF06614F09849AE9888B292D765E948CB61

Function 059F45AA Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E98), ref: 059F464F

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 087418b0f299383aa26fa39c1791d87787c4bc26f11e2b7dd95fbd25d7369213
Instruction ID: 150b34480c7054c9e3002136c56e6650d2eedf20a5b273f86cccf1010e079fa7
Opcode Fuzzy Hash: 087418b0f299383aa26fa39c1791d87787c4bc26f11e2b7dd95fbd25d7369213
Instruction Fuzzy Hash: 1E21D171004204AEFB20DF61CC85FBAF7ACEF04724F04885AFB489A191D7B5A5088BB2

Function 059F202D Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE(?,00000E98,?,?), ref: 059F20DA

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 703c3600d61b70e0d40f16c27c47b29bcd18cc04d08b6540769286424cdd727e
Instruction ID: f25953acfd7b4c5a9f40810bdf9b7a801a7354284523f08498ce6f27f1f6cfc6
Opcode Fuzzy Hash: 703c3600d61b70e0d40f16c27c47b29bcd18cc04d08b6540769286424cdd727e
Instruction Fuzzy Hash: 1431C3725093C05FD3138B21CC55B62BFB4EF87610F1A80DBE9848F593D6656909C7B1

Function 059F411E Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F41C8

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: 3de6e8a6cfe21804305a71aa36ca208282d6b73bc91b46f8e2d5a31f2a001b85
Instruction ID: 51c614260eacd160e8a347d8fc4d7c847c92182d464c291e35201b88eac63419
Opcode Fuzzy Hash: 3de6e8a6cfe21804305a71aa36ca208282d6b73bc91b46f8e2d5a31f2a001b85
Instruction Fuzzy Hash: 0E31D7B14083846FEB22CF50CC44FA7FFB8EF46714F09889AE5889B152D364A509C7B1

Function 059F3F24 Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNEL32(?,00000E98), ref: 059F3FBD

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: 06f647e59870887cce7bf3158b856f5acc8e2fcbae4ad96f9e2ccc9c0225d5ef
Instruction ID: 02041206827e100c5e43a2b26e16fd72477487e453acca13bfb94bba2e3a39cc
Opcode Fuzzy Hash: 06f647e59870887cce7bf3158b856f5acc8e2fcbae4ad96f9e2ccc9c0225d5ef
Instruction Fuzzy Hash: 9D21D6754093806FEB228B25DC45FA6BFB8EF06314F0984DBE9488F153D365A509C771

Function 030EAD09 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 030EAD9A

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 25f47b1d806278f694fb06083539b4fc25c121beddf42b16766de9e716d022e7
Instruction ID: f92becedc86c94ef8da16bea82333bb307b5e012bd9a0957d943cbcaf2cb85af
Opcode Fuzzy Hash: 25f47b1d806278f694fb06083539b4fc25c121beddf42b16766de9e716d022e7
Instruction Fuzzy Hash: 56219171609380AFE722CB51CC44FA6BFBCEF46224F09849AE945CB152D664E948CB71

Function 059F52E7 Relevance: 1.6, APIs: 1, Instructions: 82encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F537E

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 525126d46f9f5771185fa5d8ff9d51e169812f933118c056aa54cd3092d3f9ce
Instruction ID: 05732a5d913a55dd3381f70fe61f4a3fd9f1910c5bef3507d3b56fa50a1328e3
Opcode Fuzzy Hash: 525126d46f9f5771185fa5d8ff9d51e169812f933118c056aa54cd3092d3f9ce
Instruction Fuzzy Hash: E121D6B1508380AFE7128B64DC45F66BFB8EF06324F0984DBE9848B193D365A909CB71

Function 030EAE00 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E98,?,?), ref: 030EAEA6

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: f834f179169b2762226a2f2b0d91537d565ac70446245a936ab1117f2aba261b
Instruction ID: 34dc92dac669d8b26c5124eb63c69c709a5bfae6933d6a07b90a95532f4f6909
Opcode Fuzzy Hash: f834f179169b2762226a2f2b0d91537d565ac70446245a936ab1117f2aba261b
Instruction Fuzzy Hash: BE21B1715093C06FD312CB65CC55B66BFB4EF87214F1A84DBD8889B1A3D624A909C7B2

Function 059F0BC4 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F0C59

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 44abe25a266a25258c10e476013898046e8e14e192d29d84d86ee1ca1690017f
Instruction ID: c8add5da057c7b1db9b767ef6cd14fe70d3647ac0a1a8272fb86af65a79033f3
Opcode Fuzzy Hash: 44abe25a266a25258c10e476013898046e8e14e192d29d84d86ee1ca1690017f
Instruction Fuzzy Hash: 542129B54097806FE7128F21DC45BB2BFBCEF47724F0980D6E9848B193D264A909C7B1

Function 059F172C Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F17C0

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 309162458dbbe73be110ebc031a9b18b52208f4fcefcc8248ea32b3e0f7bdf91
Instruction ID: 285f499bb8d2c5fc3d4ed6f19632a156877c4941976fa5550658084454406ebe
Opcode Fuzzy Hash: 309162458dbbe73be110ebc031a9b18b52208f4fcefcc8248ea32b3e0f7bdf91
Instruction Fuzzy Hash: F92128B5404384AFFB12CF11DC45FA6BFA8FF42724F19849AE9488B192D375A905C7A1

Function 030EA1A8 Relevance: 1.6, APIs: 1, Instructions: 78networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(?,00000E98,?,?), ref: 030EA239

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: e31adbc0d6bebc265f4f4aee0353b28f966ade6dbdb02d2a1e7edd5a680c5d17
Instruction ID: 4bd6316673d55416ad80f0eea786c0356f90433511fba052afe72c4cd6c73f45
Opcode Fuzzy Hash: e31adbc0d6bebc265f4f4aee0353b28f966ade6dbdb02d2a1e7edd5a680c5d17
Instruction Fuzzy Hash: 6821D67150D3C06FD3128B25CC55B66BFB4EF47620F1A85CBD8848F293D629A819C7A2

Function 059F404A Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E98), ref: 059F40C9

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: cc2ff573e4402e4c576dec9f173e4ec0dfe627b5e587c3d0c953763b51ab5efd
Instruction ID: 90deea3c08704e29eee3433d7b5dd7ffe97c4ccee6196886e3a41fc47411b22d
Opcode Fuzzy Hash: cc2ff573e4402e4c576dec9f173e4ec0dfe627b5e587c3d0c953763b51ab5efd
Instruction Fuzzy Hash: 6D21B372504204AFFB20DF51DC45FABFBACEF04624F08885AEA49CB255D774E4088BB2

Function 059F6DA2 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

AcceptEx.MSWSOCK(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F6E20

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Accept
String ID:
API String ID: 3029133314-0
Opcode ID: f33e39443932b4fc32bb27989d2dd237bd343cb8be17238ea255eeaca0928e7b
Instruction ID: 55c3a90544ba5dd39ccad095498aba1d1b6eac50e5de916f57dff8e971294962
Opcode Fuzzy Hash: f33e39443932b4fc32bb27989d2dd237bd343cb8be17238ea255eeaca0928e7b
Instruction Fuzzy Hash: B321AFB2504304AFEB21CF91CC44FABBBECEF08724F04886AEA45CA151D775E5188BB1

Function 059F06CE Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 059F075A

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 038a99ca9db696b8cc9b9e0d748849337fda9826f8dc19bcb9258395ec9230d6
Instruction ID: 0935e9a7baf5db621c0b8c839e18ad68d68d353a8a7dc56e5a31d2c5a18711ed
Opcode Fuzzy Hash: 038a99ca9db696b8cc9b9e0d748849337fda9826f8dc19bcb9258395ec9230d6
Instruction Fuzzy Hash: B6218671409780AFE721CF55DC45F66FFB8EF06724F08889EE9858B252D375A418CB61

Function 059F12C6 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 059F135A

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: fb7de9e3aba7e348ba3ed512e53e191dee0edccf58f050161b2baa2f19da581a
Instruction ID: f245fe005069d39977ccd5b603ed509b2cb5c9433d4a3ccf0ad69596167162b6
Opcode Fuzzy Hash: fb7de9e3aba7e348ba3ed512e53e191dee0edccf58f050161b2baa2f19da581a
Instruction Fuzzy Hash: A721A371409380AFE722CF55CC45F66FFF8EF09624F04849EEA898B252D365A518CBA1

Function 059F3E4B Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F3EE7

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: 99e72e81b08b0e9c21efc4f1a4e9cd625e12d7e4cdade0ed8f0e9e528c531da2
Instruction ID: 11e70b617a189350090858da71073094625d59d5c31ec09a32642a777701d1c2
Opcode Fuzzy Hash: 99e72e81b08b0e9c21efc4f1a4e9cd625e12d7e4cdade0ed8f0e9e528c531da2
Instruction Fuzzy Hash: B521A37540D7C46FE7128B21DC55FA2BFB8EF03614F0984DBE9888B193D264A908C771

Function 059F3875 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F390D

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: cd4e4e3b9071eb2e712ca9250e6667db435caa738892de2efabd6cea232b1747
Instruction ID: 9cb3ab2ffa3d1dbcfd85f0bfb138332a8baa0a948a72af82facbdf6077feb3e8
Opcode Fuzzy Hash: cd4e4e3b9071eb2e712ca9250e6667db435caa738892de2efabd6cea232b1747
Instruction Fuzzy Hash: 1921A371409780AFE7228B51DC44F66FFB8EF06620F0984CBE9848B1A3C365A548CB72

Function 059F0AEE Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 059F0B6D

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6e3b86f45aad1d5b970257c081dc1190e9c7b97074157d0fb51c301fde419717
Instruction ID: 26f186e16b7c204039374a71df20bf2371b988cc63ca6a7de4608619d360843f
Opcode Fuzzy Hash: 6e3b86f45aad1d5b970257c081dc1190e9c7b97074157d0fb51c301fde419717
Instruction Fuzzy Hash: 1221A171504300AFEB20CF25DC45F66FBECEF04724F0488A9EA4A8B252D775E404CB61

Function 059F673E Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F67D0

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: aa1eff2756e84a70fa305659a690b500d1be0900face2fb0672406ee2bd9b9c5
Instruction ID: 7154b3e41c80a973f738ab7b96fdc289e691dc509761a8a5d66a43307f3e1cd4
Opcode Fuzzy Hash: aa1eff2756e84a70fa305659a690b500d1be0900face2fb0672406ee2bd9b9c5
Instruction Fuzzy Hash: C821B0B65083806FEB21CF11DC44F67BFBCEF45624F08849AEA859B252D364E448C7B1

Function 059F723A Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E98), ref: 059F72AC

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 552e3490683f2529a64b810e9f7934dc82dd301ec6ca2d2d108e04224958e499
Instruction ID: 8f05c6d7dcb85687fa07a3abc14cd887dd62171f31a7b6443de524800f92be3e
Opcode Fuzzy Hash: 552e3490683f2529a64b810e9f7934dc82dd301ec6ca2d2d108e04224958e499
Instruction Fuzzy Hash: 64210472100204AFEB21CF94DC40FAAFBACEF04720F08885EFA458A651D771E514DBB2

Function 059F102A Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F10BC

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bd8c496dc31cf93a995fcc5d046678fa431db085c2067a0f20dff6ada3681e8a
Instruction ID: 44363b188fad6a1c02295b00b9289f6962fd0e14c8c3def0ff6226c30c622187
Opcode Fuzzy Hash: bd8c496dc31cf93a995fcc5d046678fa431db085c2067a0f20dff6ada3681e8a
Instruction Fuzzy Hash: 78219D72508780AFE721CF11CC44F67BBFCEF05620F08849AEA898B252D365E508CBB1

Function 030EB413 Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000E98,?,?), ref: 030EB4B2

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 4010e38f6698af4d48a8eba0f09a11c2e72dd7b8bce5397009492939c64367ab
Instruction ID: 6eea1077f32de6201a673972c33668cbe9814b7b44dd722098c40947aa12658c
Opcode Fuzzy Hash: 4010e38f6698af4d48a8eba0f09a11c2e72dd7b8bce5397009492939c64367ab
Instruction Fuzzy Hash: 2121747150E3C06FD3138B258C55A65BFB4EF47620F0A80DFD8849F5A3D664A919C7B2

Function 030EBAE2 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E98), ref: 030EBB61

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 102de50168ec2ab3a1bc02059c2d90e47e50a8905d10cf647c87551fdb7095b4
Instruction ID: eb93bcb665e30803ddf7b560475af2b089d7d2744730f33cd38d5c74e1bd461d
Opcode Fuzzy Hash: 102de50168ec2ab3a1bc02059c2d90e47e50a8905d10cf647c87551fdb7095b4
Instruction Fuzzy Hash: F821C372504304AFEB21DF51CC84FABFBECEF04624F08845AEA459B255D7B4E5088AB2

Function 059F1BC9 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F1C4F

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 70c4f984ea6a971ee29a19d920c7edc80ccb32b97dadfb99371576537ae19958
Instruction ID: f192f1ef2f6bb47da6e217631b617eb656ed6319fe21a47a2e2f1a9a66eb6104
Opcode Fuzzy Hash: 70c4f984ea6a971ee29a19d920c7edc80ccb32b97dadfb99371576537ae19958
Instruction Fuzzy Hash: 4521B371408380AFE721CB11CC44FA6BFBCEF46624F09849AEA898B152D364A508C7B1

Function 059F6284 Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 059F62FE

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 1ec179e638fe0c1385e8e7aa833f2adce548bc20ca8489874128450d232f6155
Instruction ID: 3846b5386bcc145384108e3c19de7fbb36d8c8c51ed9acaf95a73bc0fa6ed121
Opcode Fuzzy Hash: 1ec179e638fe0c1385e8e7aa833f2adce548bc20ca8489874128450d232f6155
Instruction Fuzzy Hash: BD2165715093809FD711CF65DC85B96BFF8EF06220F0984EAD985CB253D264D849CB61

Function 059F424A Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E98), ref: 059F42BE

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e0ecba883e743c85b5a833b1134ddad7524ef7af93caa1cd4a3bb51672260265
Instruction ID: 2372de33b303d07a865846b2cdd407828c3adc69723b18ab982ece27a407ce9e
Opcode Fuzzy Hash: e0ecba883e743c85b5a833b1134ddad7524ef7af93caa1cd4a3bb51672260265
Instruction Fuzzy Hash: A821A171504200AFFB20DF55DD44FABFBACEF04624F08886AEE488B255D775E4088BB2

Function 027338CF Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(?,?), ref: 02733918

Memory Dump Source

Source File: 00000002.00000002.3823758871.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2730000_file.jbxd

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: e8c7f5113f2ff45d62a06b302b2cec66e8cefca4ac2b21331067e3bc9bccac1c
Instruction ID: a912480a91229265075117bf8b4cdeb42ae3d37dcd5019c22b148113dc6c0e18
Opcode Fuzzy Hash: e8c7f5113f2ff45d62a06b302b2cec66e8cefca4ac2b21331067e3bc9bccac1c
Instruction Fuzzy Hash: 4D2131B6614705AFD314DF29C845EA6B7F8FB88320F114B1EB569C3680E770E914CBA1

Function 059F3D86 Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F3E01

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: a245f020a8f84ef652febb1ba0e7354b739063826cfafc2a56465642966d585b
Instruction ID: 7f1bdd6e41355ead3460559d47565433f4f862d3d36cf47e9e89240fc4ff7171
Opcode Fuzzy Hash: a245f020a8f84ef652febb1ba0e7354b739063826cfafc2a56465642966d585b
Instruction Fuzzy Hash: A2218B75504600AFEB21CF51CC84FA6FBE8EF08724F08886AEE498B251D775E454CBB1

Function 059F53DE Relevance: 1.6, APIs: 1, Instructions: 72encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F5466

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 70d89d27e6421cdaf9484a0ef65252ac26bb4ec9eface9c44b5931ab493fd8fd
Instruction ID: 3feb5647d3848d86717cb2ca3b54308df09d3bd6eee87526c49c3d3bc56a20a6
Opcode Fuzzy Hash: 70d89d27e6421cdaf9484a0ef65252ac26bb4ec9eface9c44b5931ab493fd8fd
Instruction Fuzzy Hash: 93219271408380AFEB21CF51DC44FA6FFBCEF46724F09849AE9889B152C365A508C7B1

Function 059F1662 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 059F16D5

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 3e87e29625c4160e3cfd33c501a40f76a9ea744fbce966f46fb865976e43d8e1
Instruction ID: 6cba97e54799045fefa61c7936d496fe4305418abb0518853c4cf901aab010b0
Opcode Fuzzy Hash: 3e87e29625c4160e3cfd33c501a40f76a9ea744fbce966f46fb865976e43d8e1
Instruction Fuzzy Hash: B221A471504240AFFB20CF25CD45FA6FBE8EF05624F0884A9EE498B251D775E404CBB2

Function 059F0D76 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F0DF5

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2a9e7277faec49f67b47ba8f95c5f95ab1fee7e73bfb44305244e21464cc9a5a
Instruction ID: 6e802776b803ca88f1bd69adad5629140f096d0a8518823cf807abdcec593827
Opcode Fuzzy Hash: 2a9e7277faec49f67b47ba8f95c5f95ab1fee7e73bfb44305244e21464cc9a5a
Instruction Fuzzy Hash: 0E219571405340AFEB21CF51DC44F67BFB8EF45710F08849AE9859B152C265A508CBB1

Function 059F1CAD Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F1D2B

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: cab6817427f9eb2f762280b970e64f7f9a6413f55107e32ac7cb3890e7c54993
Instruction ID: 84d50d8637d9a0c476e609e6ddcf7c40fd568f074722a251c64bfb2e79eb3540
Opcode Fuzzy Hash: cab6817427f9eb2f762280b970e64f7f9a6413f55107e32ac7cb3890e7c54993
Instruction Fuzzy Hash: F121C671409384AFEB22CF51CC44FA6BFB8EF46714F08849BE9889B152C374A508C7B1

Function 030EBBEA Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 030EBC64

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3d076a5a969a1096cd0e5c5f196abb7800387166cc6eb284f0838227c502a6e2
Instruction ID: 7e0dc1db0daea040e2bf5218f22164ed6810821bf8087d8951d4fa5f244641fd
Opcode Fuzzy Hash: 3d076a5a969a1096cd0e5c5f196abb7800387166cc6eb284f0838227c502a6e2
Instruction Fuzzy Hash: 97219075609714AFEB60CF15DC84FA6F7ECEF44714F08845AE9498B251DB60E504CAB2

Function 030EB1F5 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030EB276

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fc680400d370f9da58e3e5abc6a3bc6cee917fedcd5d5caf2fecf5728b2df323
Instruction ID: 150311a04fdae091b91ce2ad3cc11293c9342eaf70c6fc721026f561962cd79b
Opcode Fuzzy Hash: fc680400d370f9da58e3e5abc6a3bc6cee917fedcd5d5caf2fecf5728b2df323
Instruction Fuzzy Hash: 4E21B3724093C0AFDB138F60DC54B52BFB4EF47214F0C84DAE9848B163D275A418DB61

Function 030EBEF2 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 030EBF5C

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: e84e3330b18c6553bc38ad0e8213777e8b0fff67a909484b0c47e3a653d4001b
Instruction ID: 47fea1639db172de43f6dd04189786dc3b0c3dd395d1ada5763045bbf2a626ec
Opcode Fuzzy Hash: e84e3330b18c6553bc38ad0e8213777e8b0fff67a909484b0c47e3a653d4001b
Instruction Fuzzy Hash: 7B11A271504204AFEB21CF51DC44FAAB7ECEF44624F0488AAEA49CB251D774E504CBB1

Function 059F6AD0 Relevance: 1.6, APIs: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 059F6B44

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0ce41af2485cfd786af0213939902bd0a7384202dc26d159461deebf19cf8305
Instruction ID: 51fe07fd2647004366277d58cad4914a32a822b70593149f3d863378d0d4dc34
Opcode Fuzzy Hash: 0ce41af2485cfd786af0213939902bd0a7384202dc26d159461deebf19cf8305
Instruction Fuzzy Hash: 0D216F725093C05FEB128B25DC55B92BFB8AF47324F0D84DAD989CF263D624A848CB61

Function 059F07B3 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 059F0830

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: a858e3e390fa40219b82af561d65ddbb7dfe0484aadee3ae7f061867f05f255e
Instruction ID: a15ceef043ea04f12012789e0b98c16e5c62a3017a7e962c3672a13f473395e6
Opcode Fuzzy Hash: a858e3e390fa40219b82af561d65ddbb7dfe0484aadee3ae7f061867f05f255e
Instruction Fuzzy Hash: E82190324093C09FDB128F61DC44BA2BFB4EF07220F0D84DAD9C48F163C225A859CB61

Function 059F1DAE Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

accept.WS2_32(?,?), ref: 059F1E19

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: accept
String ID:
API String ID: 3005279540-0
Opcode ID: 616ba7db4ecede1d2873e6951395e33af57e3b915ee86ff139c3a97d6e137a56
Instruction ID: 3df99f92f1dcf4388a039007677553ecf66cbce98604728ffed4347fd6d4288b
Opcode Fuzzy Hash: 616ba7db4ecede1d2873e6951395e33af57e3b915ee86ff139c3a97d6e137a56
Instruction Fuzzy Hash: 1D216D71504240AFFB20CF15DC85BA6FBE8EF05724F0488AAEE498B251D775A404CBB2

Function 059F6499 Relevance: 1.6, APIs: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 059F6510

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: cbc38e95b80f083156684d4b5d3e6a220ea785dbfdd72198e2fa11754b292513
Instruction ID: 5c6d6a9d0396482f6c34ab90341d03f87142e0463ec8f761978121dce643e2c3
Opcode Fuzzy Hash: cbc38e95b80f083156684d4b5d3e6a220ea785dbfdd72198e2fa11754b292513
Instruction Fuzzy Hash: 9C21C3764097809FDB228F25DC40A62FFB4EF47324F0884CEED858F263D265A818DB61

Function 030EAD36 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 030EAD9A

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: eba00dde0aa1f93d203a4141e31f465003bbb4cb4728ce7d6fcbb1f8da086a5b
Instruction ID: 76b7c4a26356c26a68aa6d31e52fdd0326644245a07c0b9b62a5c1d93e208166
Opcode Fuzzy Hash: eba00dde0aa1f93d203a4141e31f465003bbb4cb4728ce7d6fcbb1f8da086a5b
Instruction Fuzzy Hash: 9011B171608200AFEB20CF55DC44FAABBECEF05624F08C4AAE949CB251D774E404CAB1

Function 059F475A Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 059F47D6

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 1e28bff6a3b13381711e63d7cc830fdf939fb1644d4d3d4e31f2def22d61ac54
Instruction ID: 3d53fd257be9a0de003788b3ab86f52f49ba8ee1130e5e9c235ee844c18597a3
Opcode Fuzzy Hash: 1e28bff6a3b13381711e63d7cc830fdf939fb1644d4d3d4e31f2def22d61ac54
Instruction Fuzzy Hash: 7A216271408780AFDB228F55DC44B62BFF8FF06210F0885DAEA898B263D375A419DB61

Function 059F734E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F73BE

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 3b0496c2562bb3ff017af3e520da1a405a1a0070edbfd9be70f88087d485dbbe
Instruction ID: 4229e7ed60484c703f8f4a22a58287b70fa2e2ab9e49208d925f932e5c0d3d75
Opcode Fuzzy Hash: 3b0496c2562bb3ff017af3e520da1a405a1a0070edbfd9be70f88087d485dbbe
Instruction Fuzzy Hash: EC11AF72404304AFEB21CF55DC44FAAFBACEF04724F04885AEA458B251D7B5E514CBB2

Function 059F36D2 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F3750

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 5dbbe78805fa60b0d3f31320b9667562832e32d3e124bc2e33a51868d835ef76
Instruction ID: 266c9c0f1cf4a4080d5e74bfcbf43a804fe25cb00a64314af8e5bfaf25ee0e62
Opcode Fuzzy Hash: 5dbbe78805fa60b0d3f31320b9667562832e32d3e124bc2e33a51868d835ef76
Instruction Fuzzy Hash: 0721DA714093846FEB22CB11CC44FA6FFB8EF46624F0985DBE9889B153C364A508C7B2

Function 059F06EE Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 059F075A

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 1a0b14d6128ca11ef994c6112227ab6c9285ecc50cb3284d3da50346fa80225e
Instruction ID: 48a55c0427023d0486b33ed8f1020a3d495324073a718ce47ac2f0ea7705d5b4
Opcode Fuzzy Hash: 1a0b14d6128ca11ef994c6112227ab6c9285ecc50cb3284d3da50346fa80225e
Instruction Fuzzy Hash: AC21A471404200AFEB21CF55DC49FA6FBE8FF05724F08889DEA854B252D776A414CB72

Function 059F12E6 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 059F135A

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 70c42efe8143078bf677025e8f3cd140a7550c0629f3727888546a56c4e2465a
Instruction ID: db21f9e4f96fa46a385145a873b1ecfa3b029812d4989c30767351a37e514c44
Opcode Fuzzy Hash: 70c42efe8143078bf677025e8f3cd140a7550c0629f3727888546a56c4e2465a
Instruction Fuzzy Hash: 4221C371404200AFFB21CF15CC45FA6FBE8EF08624F04845DEA498B651D7B5E418CBB2

Function 030EA797 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 030EA806

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7e8d04edee4dd66a3b1daa498091beb9304909d954a0bd57cbe16f4874fd5ff5
Instruction ID: 1e4bc56706e94d7cbf70587b17a510bd1923ae4b55a216d2be927e3ee1afd636
Opcode Fuzzy Hash: 7e8d04edee4dd66a3b1daa498091beb9304909d954a0bd57cbe16f4874fd5ff5
Instruction Fuzzy Hash: BE2172716053805FDB61CF25DC54B62BFF8EF4A220F0C84DAED89CB252D225E804D761

Function 059F3F5A Relevance: 1.6, APIs: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNEL32(?,00000E98), ref: 059F3FBD

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: 81b5a9a7c29090a5b5383e0a96a349f4668352d9a50f9a52fdb598b55e9c8f1f
Instruction ID: ffca9755c5038e8d58365f155496b3af25608b6a76227ed67b1f691be0d7273c
Opcode Fuzzy Hash: 81b5a9a7c29090a5b5383e0a96a349f4668352d9a50f9a52fdb598b55e9c8f1f
Instruction Fuzzy Hash: 4311E671404204AFFB20CF55DC45FBAFBACEF04724F08885AEE488B255D779A4088BB2

Function 030EB2B6 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 030EB328

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: ac2542302075a136eaf232f4f2bab9f07d2b449f05600edebfb3c8767f2f59fc
Instruction ID: e2b615811d39fb2832c9cf1c7681037b2133cfb1fcc0c717cdcabd57beba2ed4
Opcode Fuzzy Hash: ac2542302075a136eaf232f4f2bab9f07d2b449f05600edebfb3c8767f2f59fc
Instruction Fuzzy Hash: 6621497140E3C05FDB138B25DC95652BFB49F07220F0D84DBD8888F1A3D2A99908C772

Function 059F415E Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F41C8

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: d80f38ef19ce8f231431bb61821388ecf7d97cb51a22d4609e9ee26d08af63a9
Instruction ID: 5e54163de1abedf27a238a5f150afb3f52c405f8524cc197ba8753bb1b26d94b
Opcode Fuzzy Hash: d80f38ef19ce8f231431bb61821388ecf7d97cb51a22d4609e9ee26d08af63a9
Instruction Fuzzy Hash: 1611BEB1504304AFEB21CF51CC84FABFBECEF04624F04886AEA498B251D774A544CBB2

Function 059F675E Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F67D0

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4551606f2775e43a9709c8fd5cf1b5f6248ba909951eb437e6faac7d7d7cf757
Instruction ID: 2bb0621a2ccf889a7c1d0e87b4fd3e53a574ec1d1b6e01d0590a3fbdf33ac83e
Opcode Fuzzy Hash: 4551606f2775e43a9709c8fd5cf1b5f6248ba909951eb437e6faac7d7d7cf757
Instruction Fuzzy Hash: AB118E76504700AFEB21CE15DC44F66BBACEF04624F08845AEA459B251D764E4048BB2

Function 059F262D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 059F26A9

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 7124add039a9de8bb920c921f5c5c5dbdd7fafc52dafb70bde4d0b79916a1816
Instruction ID: 947f51ea255c512f00a1c9e788edff99c105888bd1065537ceefa72dd715f388
Opcode Fuzzy Hash: 7124add039a9de8bb920c921f5c5c5dbdd7fafc52dafb70bde4d0b79916a1816
Instruction Fuzzy Hash: 342190B55093805FDB228F15DC84B62BFF8EF46214F08808AED858B263D265E808C772

Function 059F104A Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F10BC

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 82d4d226ab05db5f2b13a1b6f8d3688a61de7150a7ebb9d7e1fffea844124a30
Instruction ID: 27d9d9c02c80a1381f6674e66776911e4630f66e55af78c42445b214b6bc6690
Opcode Fuzzy Hash: 82d4d226ab05db5f2b13a1b6f8d3688a61de7150a7ebb9d7e1fffea844124a30
Instruction Fuzzy Hash: C6117972504640AFEB21CF15CC84FA7BBECEF04624F08C45AEA4A8B251D761E548DBB2

Function 059F193A Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F1999

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 70a0c0b838bc4471983e0e1ff34851422300d5bc6f95f15d59b3aa18eb5431bd
Instruction ID: 2cf91dfa9e5cfb604afa39c0e6b80b6d71ab977ea9fd095f77dd58a3c83addf6
Opcode Fuzzy Hash: 70a0c0b838bc4471983e0e1ff34851422300d5bc6f95f15d59b3aa18eb5431bd
Instruction Fuzzy Hash: E711EF72504300AFFB21CF51DC45FAAFBA8EF05724F08886AEA498B251D775A544DBF2

Function 059F714E Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F71AD

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 0fa7c440107f0bc8cafe22a4d4b1599db7ebc8b3d25c81ff586f4de94f4c8ea7
Instruction ID: 32d8d2251e61e788ece0c26559d1e123dfca0feeaf724856dd183893d2004be5
Opcode Fuzzy Hash: 0fa7c440107f0bc8cafe22a4d4b1599db7ebc8b3d25c81ff586f4de94f4c8ea7
Instruction Fuzzy Hash: 2811D371504200AFFB208F55DC44FBAFBA8EF04724F04885AEE458B251D775A418CBB2

Function 030EAC4E Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 030EACAA

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: b3f99d6080227fa4e155baeceff74a69873ea7f345831e345d4ae560cf4719c6
Instruction ID: 4af651a50633616a1a03e05e18e9c8472a6fd7880c22e14e148d865136113b6a
Opcode Fuzzy Hash: b3f99d6080227fa4e155baeceff74a69873ea7f345831e345d4ae560cf4719c6
Instruction Fuzzy Hash: DB11B271604204AFEB21CF15DC45BAAFBE8EF44724F08C4AAEE498B251D775A404CBB2

Function 059F5322 Relevance: 1.6, APIs: 1, Instructions: 63encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F537E

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 9d07e363370e67b3145888bd400f81440c9e8a8e63d8b5247425999b84486f3c
Instruction ID: 474095d2ec6d3c8f2ae8c622e3a28adee39f4345a5e3ea8ab957d1fb7cc34788
Opcode Fuzzy Hash: 9d07e363370e67b3145888bd400f81440c9e8a8e63d8b5247425999b84486f3c
Instruction Fuzzy Hash: 7411B671504300AFEB20CF15DC45F7AFBA8EF44624F05845AEE458B251D7B5A404CBB2

Function 059F1EB2 Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F1F16

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: d6ef418728a42231d02006f207a804cd045c9932794c0859e5359af9a3140e10
Instruction ID: 6dbabbd97c403d3383039fbf682a76011469b34d525a4cbbedd09332dee4a652
Opcode Fuzzy Hash: d6ef418728a42231d02006f207a804cd045c9932794c0859e5359af9a3140e10
Instruction Fuzzy Hash: E01160B1404204AFEB21CB51DC84FAAB7ACEF44724F05886AEA499B245D775A504CBB6

Function 059F1BEE Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F1C4F

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: b70f10ed1725a16e9766d3f93a6da400a9a570d3495c91d90e04e54d5f91781d
Instruction ID: f4669d760cb4930e196bb4132f76f535a2f81f6f19b5db772b5c8caa75469c50
Opcode Fuzzy Hash: b70f10ed1725a16e9766d3f93a6da400a9a570d3495c91d90e04e54d5f91781d
Instruction Fuzzy Hash: 6311B271504300AFEB20CF11CC85FA6BBACEF44724F08C46AEA498B241D775E504CBB6

Function 059F5F7A Relevance: 1.6, APIs: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F5FE4

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b3d475dff035c5bca26e4b70a0d017a18d1423e90aa44819c268631342be03d0
Instruction ID: da481962d4d1bb4494744fe2462f04cb75b944410e4094874568cef6bb0f9d7c
Opcode Fuzzy Hash: b3d475dff035c5bca26e4b70a0d017a18d1423e90aa44819c268631342be03d0
Instruction Fuzzy Hash: 4511BF72504700AFEB218F11CC44FA6FBA8EF04724F08849AEA469B251D771E504CBB2

Function 059F0D96 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F0DF5

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d7b20c2c080b40c408d02568b4a5253ce63ceae6dda7e0edbfdc6f3dfab78c53
Instruction ID: 3f9c58ab0bd4317130f71fce0dd4988163842704696d48b629651f753100c3f6
Opcode Fuzzy Hash: d7b20c2c080b40c408d02568b4a5253ce63ceae6dda7e0edbfdc6f3dfab78c53
Instruction Fuzzy Hash: 2311A372504304AFEB21CF51DC44FAAFBACEF44724F04889AEE499B252D775A514CBB2

Function 059F63EC Relevance: 1.6, APIs: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 059F6459

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0443eb5929938901da9f1dab6025779e3471fdd1962b5af4070e1c392175123b
Instruction ID: 40b908fdf4ace431078d84698b2140bcf259a88c5dbc4769622da9fd7fe76102
Opcode Fuzzy Hash: 0443eb5929938901da9f1dab6025779e3471fdd1962b5af4070e1c392175123b
Instruction Fuzzy Hash: E811B1754097C09FDB128B25DC84E66BFB4EF07224F0D80DEED898F563C265A918CB62

Function 059F6036 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 059F6097

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0037e64fbf3a066bbce957e09a4116e370aa534a3f76f156b85fa903e2b6bac0
Instruction ID: 16d20c04927eb7921a7b14f58a2c7a23c4586e966e98f4142201664b656f19f1
Opcode Fuzzy Hash: 0037e64fbf3a066bbce957e09a4116e370aa534a3f76f156b85fa903e2b6bac0
Instruction Fuzzy Hash: 381193715083C09FDB11CF25DC85B66BFA8EF46220F0984EAED89CB262D665A844CB61

Function 030EB4DC Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,?,?,?), ref: 030EB549

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: a11e1b7205cdf56617e610a8d1ce3b3777c1ff76b9a412141bfb87b9f6478333
Instruction ID: 9105b2560dcab908cce7f6fe558b872d1b731a14a1631d1caadad328fe10c9ce
Opcode Fuzzy Hash: a11e1b7205cdf56617e610a8d1ce3b3777c1ff76b9a412141bfb87b9f6478333
Instruction Fuzzy Hash: FB116372609380AFDB21CF15DC45B66FFF8EF45724F08849AED858B252D261E808CB71

Function 059F0F86 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetIfEntry.IPHLPAPI(?,00000E98,?,?), ref: 059F1002

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Entry
String ID:
API String ID: 3940594292-0
Opcode ID: bb1236cfb0bdd18170382a4eefbed412b058d56878af3eea9d270f87415d98c6
Instruction ID: 32273461c3218cfe85720725e79e3c892686fed711fef3986be01b36a043c0f4
Opcode Fuzzy Hash: bb1236cfb0bdd18170382a4eefbed412b058d56878af3eea9d270f87415d98c6
Instruction Fuzzy Hash: 7A11C8715093806FD311CB15CC45F26FFB4EF86620F19818EE9485B693D725B915C7A2

Function 059F540A Relevance: 1.6, APIs: 1, Instructions: 59encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F5466

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 735aa5529d31314d4d459e7a8ba29d09e98c4a73d813c47a53b01b21ffdc8bcc
Instruction ID: 1325e79678d72dc239f0427cb6bfe2549e878c6dec43ef1ab376d954764ab579
Opcode Fuzzy Hash: 735aa5529d31314d4d459e7a8ba29d09e98c4a73d813c47a53b01b21ffdc8bcc
Instruction Fuzzy Hash: 4711CE71404200AFEB21CF11DC84FBAFBA8EF44725F09889AEE488B241D775A504CBB2

Function 059F1CD2 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F1D2B

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 2a0436a7cfd4e64d08718e8d3946918358f730e81f68fa535962007d78681b10
Instruction ID: a92e1f5bebab67707dad95f3f1c9ab330a80660e08d6799f6c80182d553f0cb0
Opcode Fuzzy Hash: 2a0436a7cfd4e64d08718e8d3946918358f730e81f68fa535962007d78681b10
Instruction Fuzzy Hash: B411E071404644AFEB20CF11CC44FAAFBA8EF05724F0888AAEA488B241C774A404CBB2

Function 059F6CC6 Relevance: 1.6, APIs: 1, Instructions: 58networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F6D1F

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 2a0436a7cfd4e64d08718e8d3946918358f730e81f68fa535962007d78681b10
Instruction ID: 1ca0d92e4d07fb7ee0ded23f41b87ac25da8b81fb5f5a8264c715a5d3e826657
Opcode Fuzzy Hash: 2a0436a7cfd4e64d08718e8d3946918358f730e81f68fa535962007d78681b10
Instruction Fuzzy Hash: 7E11A371404300AFFB21CF11DC45FA6FBA8EF45724F18886AEA499B255D775A504CBB2

Function 059F6605 Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 059F6670

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: ca7486ddaceed190613850b818ff0f7a0d018d0940feb47a05a0657915916285
Instruction ID: 36c8da9a8a59cdb30e716525fb25f72fc549dd7895a9bd2cc194823594c99aa1
Opcode Fuzzy Hash: ca7486ddaceed190613850b818ff0f7a0d018d0940feb47a05a0657915916285
Instruction Fuzzy Hash: D1115E754093C0AFDB128B25DC84B61BFB4EF47624F0980DAED898F263D2656808CB72

Function 059F176A Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F17C0

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 075eb5b1fe7a507f4d71c40545c9a0fd46c1e2f10da74876f40ddfb27b2db07c
Instruction ID: 0c370f5e98aaa7399755cbb042a38c25cabddb4c4bb595c8d30030c409893046
Opcode Fuzzy Hash: 075eb5b1fe7a507f4d71c40545c9a0fd46c1e2f10da74876f40ddfb27b2db07c
Instruction Fuzzy Hash: BD11C275404204AFEB10CF15DC84BAABBA8EF44624F1884AAEE489B245D775A504CBF2

Function 030EB085 Relevance: 1.6, APIs: 1, Instructions: 56networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 030EB0ED

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 09baee344168bf5484e161ccea2abc5b1492d4a332a8e6684bdea7a1b5d83c2a
Instruction ID: ea516008a2ed5473d4171a7067b98cc982f23cf418996757701a8474dfbfabfb
Opcode Fuzzy Hash: 09baee344168bf5484e161ccea2abc5b1492d4a332a8e6684bdea7a1b5d83c2a
Instruction Fuzzy Hash: 67119031409380AFDB21CF55DC85B62FFB4EF06320F0888DAED898B162C375A458DB62

Function 059F38AE Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F390D

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 37162565ff4dfa543de1f0267518c8c7ef29f9727c61bedc1c84c97298b51664
Instruction ID: 1d5fe70b6ad055ff157335d3e8be7dba78c3b67fe9b77fa4b02ca6247b29167b
Opcode Fuzzy Hash: 37162565ff4dfa543de1f0267518c8c7ef29f9727c61bedc1c84c97298b51664
Instruction Fuzzy Hash: B311AC71404704AFEB218F11DC84FBAFBA8EF04B24F08885AEE495B251D775E558CBB2

Function 059F39A6 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetPerAdapterInfo.IPHLPAPI(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F39FF

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: AdapterInfo
String ID:
API String ID: 3405139893-0
Opcode ID: 0391bc2d3a9c42798a3c4da45628cf75cfe34b0f48397f5b1cbf61b24ee6d73d
Instruction ID: 3a23f6368ff9f5e099aa7f61cc1434327eff661dfd261a4db62a13d5b8fbd2ae
Opcode Fuzzy Hash: 0391bc2d3a9c42798a3c4da45628cf75cfe34b0f48397f5b1cbf61b24ee6d73d
Instruction Fuzzy Hash: F711CE75404600AFEB208F12DC44FB6FBA8EF04724F08885AEE484B255D775E544CBB2

Function 059F2110 Relevance: 1.6, APIs: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,?,?,?,?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 059F2170

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: ebed305bf2d470f4b2dc26569165f36d39896d821ebaa6797edcdbd60441870b
Instruction ID: cd5601b5430397ecb5a46d67c964ce8a182730305235367ef70f769bfb095d32
Opcode Fuzzy Hash: ebed305bf2d470f4b2dc26569165f36d39896d821ebaa6797edcdbd60441870b
Instruction Fuzzy Hash: 5911B271404380AFDB21CF51DD44B66FFB4EF46320F0888DAEA898B162C375A418DB61

Function 059F3E8E Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F3EE7

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: 0391bc2d3a9c42798a3c4da45628cf75cfe34b0f48397f5b1cbf61b24ee6d73d
Instruction ID: bf2032ef4cebed8c993036b11f66800da56daefb30d7183031e6cf744efc63e6
Opcode Fuzzy Hash: 0391bc2d3a9c42798a3c4da45628cf75cfe34b0f48397f5b1cbf61b24ee6d73d
Instruction Fuzzy Hash: 9411CE71404200AFFB208B11DC44FB6FBA8EF04724F08845AEE484B251D7B5A5448BB2

Function 030EB58E Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 030EB5F1

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 758be57f1d06bc30ba564c1cf8cd62c3ff4c3405514f0da28b85cb6a6ca60bb2
Instruction ID: 1515bff120961f410203a5654001f93bf2584dd749bf1ec58660b7befd00719a
Opcode Fuzzy Hash: 758be57f1d06bc30ba564c1cf8cd62c3ff4c3405514f0da28b85cb6a6ca60bb2
Instruction Fuzzy Hash: FE119171509780AFDB22CF15DC84A62FFB4EF46324F0C84DEE9884B263D265A818DB61

Function 030EA7BE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 030EA806

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: de7433742bff6e9ee7df1ae2bd10dd5830fd3458ec472246701dc65d1bb2f3f7
Instruction ID: 39e618e266025c4c2496cba1b9980ef36a30936d5cb3dee19cb393684c026ce7
Opcode Fuzzy Hash: de7433742bff6e9ee7df1ae2bd10dd5830fd3458ec472246701dc65d1bb2f3f7
Instruction Fuzzy Hash: 38118E717052409FEB60CF25DD85B66FBE8EF08220F0884AADD49CB251D635E404CA62

Function 059F62B6 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 059F62FE

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 514111c1909d6ba91503a885908ac7e30840a70153285bae883b3469cc5c94a3
Instruction ID: 963732478385717f1d5ee9bb4c1092aafc89c880e9f250c30db974e3257a219a
Opcode Fuzzy Hash: 514111c1909d6ba91503a885908ac7e30840a70153285bae883b3469cc5c94a3
Instruction Fuzzy Hash: 921161716043409FEB10CF29D885B6AFBE8EF15620F0884AADE49CB256D775E444CB62

Function 059F36FA Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F3750

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: a6d8729b310e9ffe8e2fc76ac2e1a1baf10379b90503295d86c04e6706d36281
Instruction ID: 527d4bcca434fb3cf3d2f3c56aec4d65ebcbf1c30a5867482d1474ddc7978735
Opcode Fuzzy Hash: a6d8729b310e9ffe8e2fc76ac2e1a1baf10379b90503295d86c04e6706d36281
Instruction Fuzzy Hash: CA01C8B5504204AFFB11CF11DC45F76FBA8EF44724F188456EE445B251D778A5048BB2

Function 059F0C06 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E98,D7C79997,00000000,00000000,00000000,00000000), ref: 059F0C59

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 6d05503851f4c5ce7680a78a3f5d2e3007140226e55b4d3640f3efa297395591
Instruction ID: 316dc258533a1a66506497b2d6c9549be2ac28fab943cdb0b09fa4ffe77fe500
Opcode Fuzzy Hash: 6d05503851f4c5ce7680a78a3f5d2e3007140226e55b4d3640f3efa297395591
Instruction Fuzzy Hash: 3301C471504200AFFB20CB01DC85FB6BBECDF44628F04C096EE498B242D774A5088BB6

Function 059F7420 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 059F7474

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: c592d127d6e20306233e213c1b749e7122003526975007448506dc91cbadaf44
Instruction ID: 6a8f760f8c00809a4bc5e26bf6f33245dc624a62d3c70aa404165e2de6ce93bf
Opcode Fuzzy Hash: c592d127d6e20306233e213c1b749e7122003526975007448506dc91cbadaf44
Instruction Fuzzy Hash: 7D1130714093C09FDB12CF15DC95B56BFB8EF46224F0884DAED898F253D275A548CB62

Function 059F6359 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 059F63B0

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7f5919094a9c6f82c03a46bfeda16f5d404dc8e56758dd130d310e9f3c3ef9b5
Instruction ID: 5c65165f71ecb406c06a80d1f5adf51f13d99541e6d97fe5c5550c559a21ba99
Opcode Fuzzy Hash: 7f5919094a9c6f82c03a46bfeda16f5d404dc8e56758dd130d310e9f3c3ef9b5
Instruction Fuzzy Hash: 9811C6755097809FD7118F15DC85B52BFF4EF06220F0980DADD898B263C275E858CB61

Function 059F478A Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 059F47D6

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: ba4209f1c335a529cb1f17c26e8f4a5ab9347779aae22a43a3d6abbca871f941
Instruction ID: a0345682827863e42119f2bb4a165dc8891759616041c216234b619f9ead2903
Opcode Fuzzy Hash: ba4209f1c335a529cb1f17c26e8f4a5ab9347779aae22a43a3d6abbca871f941
Instruction Fuzzy Hash: 18117C315046409FEF20CF55D844B66FBE4FF05620F08C8AADE498B622D376E454DBA2

Function 059F605A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 059F6097

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8a138736af7eaf3c4367a79223d12a639a676e7f59b74dbda9240970f1e5b678
Instruction ID: 0eecce52b54eef718a62d5a085f9a69fe837b4f44888fa7b4ab6a74d371303b5
Opcode Fuzzy Hash: 8a138736af7eaf3c4367a79223d12a639a676e7f59b74dbda9240970f1e5b678
Instruction Fuzzy Hash: 75018C716043409FEB10CF26D885B66FBE8EF05220F1C84AADE49CB252DB75E444CBA2

Function 030EAE56 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E98,?,?), ref: 030EAEA6

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 48b47b49c417f26c0d7629fbd97bdc7dcd5fb7eae7d34bcace9535c16d16cb73
Instruction ID: 7580992e1e836d102578af467c1dfbc188e007812e0c1ac6b22d4ccf6adee5dc
Opcode Fuzzy Hash: 48b47b49c417f26c0d7629fbd97bdc7dcd5fb7eae7d34bcace9535c16d16cb73
Instruction Fuzzy Hash: 9F018471500200AFD310DF16DC46B26FBA8FB85B20F15855AED089B741D775F515CBE5

Function 030EA1EE Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(?,00000E98,?,?), ref: 030EA239

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: 95a861206ea0a75ee34ce2feea80a4abe98f6e472e4e9c3838f499ad785a33b6
Instruction ID: 6efb17dafb2d8440a868652cb2d76c540e0470a99423ef9c3819bdabe6b92dda
Opcode Fuzzy Hash: 95a861206ea0a75ee34ce2feea80a4abe98f6e472e4e9c3838f499ad785a33b6
Instruction Fuzzy Hash: 9B01DF71900200AFD310DF16CC86B26FBA8FB89A20F25856AED089B741DB75F911CBE1

Function 059F6B0A Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 059F6B44

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0d4926070b4b1a72832c8120e7ee170877c08a4f2d9fda19be2b4de1c4707cd3
Instruction ID: f6180c3d1bdb57a8a958341c0e2984c03b61f5153298c326a5e985b131cfe18e
Opcode Fuzzy Hash: 0d4926070b4b1a72832c8120e7ee170877c08a4f2d9fda19be2b4de1c4707cd3
Instruction Fuzzy Hash: 06015E716083449FEB10CF26D885B66BBA8EF01725F0884AADE49CB652D675E444CBA2

Function 059F208A Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE(?,00000E98,?,?), ref: 059F20DA

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 4af38facb13c07d228463c83d4de169513f69c078a5c2bbee2589de4491f6ace
Instruction ID: 1dc996037854648b491580c9e04e5d3b741fd74332190f77206c2f5c9e79075f
Opcode Fuzzy Hash: 4af38facb13c07d228463c83d4de169513f69c078a5c2bbee2589de4491f6ace
Instruction Fuzzy Hash: 7E01D471500200AFD310DF16CC46B26FBA8FB85B20F15855AED089B741D771F511CBE1

Function 059F3C06 Relevance: 1.5, APIs: 1, Instructions: 47encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000E98,?,?), ref: 059F3C56

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: 0f9d9ae2e445a8ef110a05cc1fdfad139f327c83705c3807d8a8a499b4875593
Instruction ID: 1b2ab84388f5211a402ef39c94d490976d0b79185d066b7bfd5401e0eba56cb7
Opcode Fuzzy Hash: 0f9d9ae2e445a8ef110a05cc1fdfad139f327c83705c3807d8a8a499b4875593
Instruction Fuzzy Hash: 2401D471500200AFD310DF16CC46B26FBA8FB85B20F15855AED089B741D771F515CBE1

Function 030EB4FE Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,?,?,?), ref: 030EB549

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 9d554e7eb41040e1185d00e3f203afdd4e4d466968ee33287fb87d68c3ce9058
Instruction ID: 9141a738873e2f2d9744b51454b2d53a45002db636c5eb2b9581e85ab44a9e58
Opcode Fuzzy Hash: 9d554e7eb41040e1185d00e3f203afdd4e4d466968ee33287fb87d68c3ce9058
Instruction Fuzzy Hash: D90192726053409FEB60CF15D845B26FBE8EF04720F0C8499DD598B356D771E444CAB2

Function 059F265E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 059F26A9

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 3b417324fc0e6984a28cd2d6fea6fde8824fcb33b9c53513398f98f37b86914a
Instruction ID: 4bbe47db89be24032c1a63442141f4f34d2c72f166003258c8c24d66e5488981
Opcode Fuzzy Hash: 3b417324fc0e6984a28cd2d6fea6fde8824fcb33b9c53513398f98f37b86914a
Instruction Fuzzy Hash: 93018C755046009FEF20CF15DC84B62FBE8FF04624F08849AEE498B252D775E418CB72

Function 030EB232 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030EB276

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d07eaa823c7a7b72ac34e24933359e97b3b0dd2e1a0ae18c8f911bd775e63b63
Instruction ID: 0692e5db5d41edd004898315b8b5d9907537a9fe7dc875435f732d669d135569
Opcode Fuzzy Hash: d07eaa823c7a7b72ac34e24933359e97b3b0dd2e1a0ae18c8f911bd775e63b63
Instruction Fuzzy Hash: 4A018B315046009FDB21CF51D844B5AFBE4EF49320F08899ADE894A611C336A014DBA2

Function 030EB462 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000E98,?,?), ref: 030EB4B2

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 6dcf9baad048f001cd70e04e81fa1063b369b53ea7d77903951a00140f2a66b1
Instruction ID: b1fb9482079a10f3e08c62a023f6bf3bd7f95ed0271e9cd832d31a5939c63540
Opcode Fuzzy Hash: 6dcf9baad048f001cd70e04e81fa1063b369b53ea7d77903951a00140f2a66b1
Instruction Fuzzy Hash: 6501AD72600200AFD250DF16CC86B26FBA8FB89A20F15811AED085B741D771F915CBE6

Function 059F0FB2 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetIfEntry.IPHLPAPI(?,00000E98,?,?), ref: 059F1002

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: Entry
String ID:
API String ID: 3940594292-0
Opcode ID: 1ca7157d318ee0162bb179af8f14d612f41f1655766464d0e0d57f4d828d993e
Instruction ID: 7d9e1473a5517b844841f068bde6f4d0f178da90f10b6a5c60b1ba871f8f53c5
Opcode Fuzzy Hash: 1ca7157d318ee0162bb179af8f14d612f41f1655766464d0e0d57f4d828d993e
Instruction Fuzzy Hash: B001D171600200AFD310DF16CC86B26FBA8FBC9A20F15815AED085B741D771F915CBE6

Function 059F07F2 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 059F0830

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: c7334b1a4e9b4c9227a115239edf5e156d730573dadd7f9ece4a922ac650ce26
Instruction ID: c03a72dcb9938bedfd09f448a2ed242e34a6bb1f5289705018b72db2c6d13a0b
Opcode Fuzzy Hash: c7334b1a4e9b4c9227a115239edf5e156d730573dadd7f9ece4a922ac650ce26
Instruction Fuzzy Hash: D5019231404640DFEB20CF55D848B65FBA8FF04724F08C89ADE894B252D376A414CBA2

Function 059F2132 Relevance: 1.5, APIs: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,?,?,?,?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 059F2170

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 31445995aec18c1e6ff4d28a610e689c3eb403137edee772c7f72cfd93e0e1a9
Instruction ID: 9433badbb94221af088acfc71c2261299ef30b6ba4db8fd4d822b020bbc30767
Opcode Fuzzy Hash: 31445995aec18c1e6ff4d28a610e689c3eb403137edee772c7f72cfd93e0e1a9
Instruction Fuzzy Hash: BF0180355042409FEF20CF55DD44B6AFBA5FF05320F0888AADE494B251C375A014DF62

Function 059F64D2 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 059F6510

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 76e258f55ecde760010a596e8942118b78412efbda45c171a2c19d54b19f17fa
Instruction ID: e105037ccb052e1a69d851de341d1e93d0e3d02cf0dd8860af89bb4ae3c4802c
Opcode Fuzzy Hash: 76e258f55ecde760010a596e8942118b78412efbda45c171a2c19d54b19f17fa
Instruction Fuzzy Hash: 0C01B1325047009FEB208F15D844B66FBE5EF05720F08C4AEDE4A4B666C375E418DF62

Function 059F2CCA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E98,?,?), ref: 059F2D1A

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: aa077495a6fe2f22a2de019e94e47b6bc1b3ea1107c60d71f112877b207b07f3
Instruction ID: 5590157e70b0c279f4cb719d4f1f2ccb097ea1fcb5460d3a68837475a69dd369
Opcode Fuzzy Hash: aa077495a6fe2f22a2de019e94e47b6bc1b3ea1107c60d71f112877b207b07f3
Instruction Fuzzy Hash: 5901AD72600200AFD210DF16CC86B26FBA8FB89A20F15811AED085B741D771F915CBE6

Function 059F0652 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E98,?,?), ref: 059F06A2

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8b2e1838ca1b125e58c0d6f1cf9b25f6edcd8f359b8ea7218ea76cfe1ac02f8c
Instruction ID: 3cff6da13bce1cacb0284cc2ee43319271b72f28564d255557a2a59e09dfdfb3
Opcode Fuzzy Hash: 8b2e1838ca1b125e58c0d6f1cf9b25f6edcd8f359b8ea7218ea76cfe1ac02f8c
Instruction Fuzzy Hash: 5001AD72600204AFD210DF16CC86B26FBA8FB89A20F15811AED085B741D771F915CBE6

Function 059F641E Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 059F6459

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a798b64ccdc3a810973c197230990255b72bf0c7520b6d7056956afe4a9ddf01
Instruction ID: 3bf24515f2c58ced3a71859ef7527d06a05dd2e878ddf9633d2552fbb942544b
Opcode Fuzzy Hash: a798b64ccdc3a810973c197230990255b72bf0c7520b6d7056956afe4a9ddf01
Instruction Fuzzy Hash: 9701DF315007409FEB208F15D884B66FFA4EF04324F08C49EDE4A8B662D372E468DFA2

Function 030EB2F6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 030EB328

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: c0db9435bce20875047a55bd8ce9b6fd052f6ef58fd3fb8765229825bc07c0c8
Instruction ID: 85925f04cb6a62142b479d156869b4908d047dcf5ffb0981e0b6a985099c3afa
Opcode Fuzzy Hash: c0db9435bce20875047a55bd8ce9b6fd052f6ef58fd3fb8765229825bc07c0c8
Instruction Fuzzy Hash: 1E01A2309092409FEB20CF15D885769FBE4EF01220F0CC4EADD488F252D6B5A404CAA2

Function 059F637E Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 059F63B0

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 434317aa32a3ffed112be4abd75d974012264827757728571054b30360d840fd
Instruction ID: 14402e9dba1cabf6d2532365208afa5bc4891f8980b4213d79d0e6f11651f7c6
Opcode Fuzzy Hash: 434317aa32a3ffed112be4abd75d974012264827757728571054b30360d840fd
Instruction Fuzzy Hash: 2E01D1355047448FEB10CF15D884B66FBA4EF41634F08C0AADE498B752C6B6E458CBB2

Function 030EB5B6 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 030EB5F1

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 70a0ecea852232343e206c66e7e4d32a21e0c872e6480a2d533774636a7640d3
Instruction ID: d3de8c1a41e03861cbd8d7aaf4f408f7304847f99a973bc488f86fd1d9f6633e
Opcode Fuzzy Hash: 70a0ecea852232343e206c66e7e4d32a21e0c872e6480a2d533774636a7640d3
Instruction Fuzzy Hash: 21018B355097449FEF20CF06D884B65FBE4EF04320F08C49ADE490B222D37AA458CFA2

Function 030EA5EE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 030EA620

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f4bac03ec972ab903e1a581a806f20cd08716e052829baa5d5f2e1a19b6a908d
Instruction ID: bb2527540f07da0ae0aa46faa6f81f677277ffca1f21258c86a8d1e6463b6501
Opcode Fuzzy Hash: f4bac03ec972ab903e1a581a806f20cd08716e052829baa5d5f2e1a19b6a908d
Instruction Fuzzy Hash: EDF0AF35A052409FEB10CF05D884765FFE4EF0A624F08C0DADD494B362D375A444CEA2

Function 059F663E Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 059F6670

Memory Dump Source

Source File: 00000002.00000002.3829367062.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59f0000_file.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: a238285c2caccd52f2a1f4fa108d3c355e712bf1d61cce4a26dbc609e4d348c9
Instruction ID: 5adedc6af72401f614a9dc44ba12a8ce6b1023eb0c2b92db891b55a9aa4b8bfc
Opcode Fuzzy Hash: a238285c2caccd52f2a1f4fa108d3c355e712bf1d61cce4a26dbc609e4d348c9
Instruction Fuzzy Hash: 0EF0AF358047409FEB10CF05D884B65FFA4EF05624F08C49ADE494B352D775A444CFA2

Function 054D00B0 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

:@Rl, xrefs: 054D031C

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID: :@Rl
API String ID: 0-46225596
Opcode ID: a38561d33f614d270719f027633a01ea4e71e1c793bffb66e7165882b0d50ac3
Instruction ID: 55a8f1a03b6f0befb9c59030fdbc5d30862b7496f937f678a40993520f9100cb
Opcode Fuzzy Hash: a38561d33f614d270719f027633a01ea4e71e1c793bffb66e7165882b0d50ac3
Instruction Fuzzy Hash: C6914C347012108FD708EB79C458BAEB7E6FF89314F1581B9E90ACB7A1EB71AC458B51

Function 054D0006 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

:@Rl, xrefs: 054D031C

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID: :@Rl
API String ID: 0-46225596
Opcode ID: 4733e21473a0a7e47b9861e13af6a28f19cc91e289e7758067f56307c279e05e
Instruction ID: cf5b06e8d94e4fcda850ac71a0b2b20eb5a3f7459e1b20336bee8bbedfabee95
Opcode Fuzzy Hash: 4733e21473a0a7e47b9861e13af6a28f19cc91e289e7758067f56307c279e05e
Instruction Fuzzy Hash: 859180347052008FD705DB78C468BA9B7E6EF8A204F1680EAD909CF7A2DB75DC45C762

Function 054D00A0 Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

:@Rl, xrefs: 054D031C

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID: :@Rl
API String ID: 0-46225596
Opcode ID: eb491a991d556a84f2f571e914d8526a7def9651b967b09e9ef49053c131ae24
Instruction ID: b57ad5256faca1e5c2058fbe908355cb63dadc2f35fc169feb9e51173eb127d9
Opcode Fuzzy Hash: eb491a991d556a84f2f571e914d8526a7def9651b967b09e9ef49053c131ae24
Instruction Fuzzy Hash: A0812B347012108FD704EB78C458BAAB7E6EF89204F1581B9E90ACB7A5EB719C45CB51

Function 09D124B0 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

2yl, xrefs: 09D12736

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: 2yl
API String ID: 0-3058294596
Opcode ID: b9cd0eaf73972c16da4c756d0d01b182740749411c5b1a1c443d5b45ba677a76
Instruction ID: 7211355afc0b5ede7abcbc0cce3c12b561a79ada30afab27663628a574883a63
Opcode Fuzzy Hash: b9cd0eaf73972c16da4c756d0d01b182740749411c5b1a1c443d5b45ba677a76
Instruction Fuzzy Hash: 77616871D42228DFEB24DFA4D9847DDBBB1EB89340F4080AAD51AB3744DB344E888F54

Function 09D124C0 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

2yl, xrefs: 09D12736

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: 2yl
API String ID: 0-3058294596
Opcode ID: 3516b1b15d2195a5dde8c2e023a2316d44c51971e158a052cf728539d7287c72
Instruction ID: 5a182b5e077c301a2c7b0b3f1e83488357b387535ccc334c485acc769ec9c0ea
Opcode Fuzzy Hash: 3516b1b15d2195a5dde8c2e023a2316d44c51971e158a052cf728539d7287c72
Instruction Fuzzy Hash: C5517971D42228DFEB20DFA4D9847DDBBB1EB89340F4080AAC61AB7744DB354E888F54

Function 09D12684 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

2yl, xrefs: 09D12736

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: 2yl
API String ID: 0-3058294596
Opcode ID: 22dce12d6fbd3865c0ed53e8aac126f87905f7076a63d770764a40157edaa01d
Instruction ID: b03125e8c0d992c9bec8154514728286296d7ef79fbf516ac052922ecfc88ab0
Opcode Fuzzy Hash: 22dce12d6fbd3865c0ed53e8aac126f87905f7076a63d770764a40157edaa01d
Instruction Fuzzy Hash: 73513571D42228DFEB20DFA4D9887DDBBB1EB49340F50949AC61AB7244DB354E888F54

Function 09D12627 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

2yl, xrefs: 09D12736

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: 2yl
API String ID: 0-3058294596
Opcode ID: ce7d37fa188d419f2602011d22338b8d1a3bf5746fc69fee6b3b9fea8e08d8e6
Instruction ID: a8595cbebe7157868d2f557bbae93b9604a411b53a3a2fb7c65242cf73ed22ff
Opcode Fuzzy Hash: ce7d37fa188d419f2602011d22338b8d1a3bf5746fc69fee6b3b9fea8e08d8e6
Instruction Fuzzy Hash: 4D513671D42228DFEB20DFA0D984BDDBBB1EB89344F50949AC61AB7344DB354E888F54

Function 09D12522 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

2yl, xrefs: 09D12736

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: 2yl
API String ID: 0-3058294596
Opcode ID: 3829e6362ed2e74245d2609a516ab4bae03613ad546513a6504c697a34107e4f
Instruction ID: c01b8bae68b8df0bd1613b76d1fbcc1a303b4c2becc4cf78141fd5a65319f1b7
Opcode Fuzzy Hash: 3829e6362ed2e74245d2609a516ab4bae03613ad546513a6504c697a34107e4f
Instruction Fuzzy Hash: 81515671D42268DFEB20DFA0D9847DDBBB0EB89340F5094AAC61AB7744DB344E888F54

Function 09D126CD Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

2yl, xrefs: 09D12736

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: 2yl
API String ID: 0-3058294596
Opcode ID: ae424d572e39397d74c680d6c3e6008a3d5cb8a055300584f4939fffab774057
Instruction ID: 2b9afa7b8129544fa59bfbbb4c4d49d7cca89116393f0c41a303cda9c1651f95
Opcode Fuzzy Hash: ae424d572e39397d74c680d6c3e6008a3d5cb8a055300584f4939fffab774057
Instruction Fuzzy Hash: 6C513671D42228DFEB20DFA4D984BDDBBB1EB49340F50949AC61EB7244DB354E888F54

Function 0773789B Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

k, xrefs: 07736E5E

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: 135e77204aaed2a90145735d16cf0e42cb43de4daeb25230bf17a6c00d2ca29d
Instruction ID: 90cc5fddf509534951593d73d22b1cf02b6dd62b1f2018cb901afc9896674f41
Opcode Fuzzy Hash: 135e77204aaed2a90145735d16cf0e42cb43de4daeb25230bf17a6c00d2ca29d
Instruction Fuzzy Hash: A251C2B5A05628CFEB60DF24DC487EAB7B1EB89301F1081EA950DA7351DB355E84DF00

Function 07736EE7 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

k, xrefs: 07736E5E

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: f49c96f9cdde16e343551412c3df03292d75155a3398a9367032fd2607aa2c81
Instruction ID: e17e68e40d2abce8b96b0229b32fe255d9a19dc9cdbf3e305861b35cd12c467d
Opcode Fuzzy Hash: f49c96f9cdde16e343551412c3df03292d75155a3398a9367032fd2607aa2c81
Instruction Fuzzy Hash: 605104B5A06228CFEB60DF24D8487EAB7B1EB89341F1081EAD50DA7351CB365E84DF01

Function 07736E6A Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

k, xrefs: 07736E5E

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: d768838f1d51de3beb0e70fd6dc5fc87b685d58f3048c7bdba0a6066eb1156fe
Instruction ID: bfb5295e6fcc7692ea2f9e1ce9f957534a4131f1817f73c7723d1c618bd06b88
Opcode Fuzzy Hash: d768838f1d51de3beb0e70fd6dc5fc87b685d58f3048c7bdba0a6066eb1156fe
Instruction Fuzzy Hash: 0941F7B5A16228CFEB60DF64D8487DAB7B1EB89341F1081EAD50DA7352DB365E84DF00

Function 030EAA70 Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 030EAADC

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b3c55f156ec6ca646b8aedf26a67999c0fcfa7eecf1260373060be021bfd9281
Instruction ID: 7c0c1be774d2db7119e40df6ec174333a5d1458870aca936732ed9531251abed
Opcode Fuzzy Hash: b3c55f156ec6ca646b8aedf26a67999c0fcfa7eecf1260373060be021bfd9281
Instruction Fuzzy Hash: C121D2725093C05FDB02CB25DC94B92BFA4EF07324F0D84DAEC848F263D225A908CB61

Function 054D02DB Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

:@Rl, xrefs: 054D031C

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID: :@Rl
API String ID: 0-46225596
Opcode ID: c447fce8d2079fb4a67781671540db3a012f47d8b6a8d6050c614bb405b9aaa9
Instruction ID: 88cf87fa3fca19f0d9f3a7d6022be88960e19d66bd4d4c9fb14d91dad352f3a7
Opcode Fuzzy Hash: c447fce8d2079fb4a67781671540db3a012f47d8b6a8d6050c614bb405b9aaa9
Instruction Fuzzy Hash: 1E118F347002008FD714EB79C898BA9B3E6EFC9318F1540B9E50ACB7A1DEB59C458751

Function 030EA682 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 030EA6B4

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a6774e517234d29b2de71c488e04d1b6afea345d551921134655213e1626a597
Instruction ID: a76df62fe371311b6c856108484733b03d97f28fadf1ff60491c0ca0762fe296
Opcode Fuzzy Hash: a6774e517234d29b2de71c488e04d1b6afea345d551921134655213e1626a597
Instruction Fuzzy Hash: 7401A2757052409FEB50CF15D88576AFBE4EF06220F08C8EADD498F652D679E444CEA2

Function 030EAAAA Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,D7C79997,00000000,?,?,?,?,?,?,?,?,6D0C3C58), ref: 030EAADC

Memory Dump Source

Source File: 00000002.00000002.3824315492.00000000030EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30ea000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0e10352436f08c2a6f0ab4d4d36a95a05a6321c2e4672c33df699e9d6c17b6fd
Instruction ID: e433f1a0f4aef699e68be8b2219b57f7f19e40ae5eec06ade8d6a3f69697cde9
Opcode Fuzzy Hash: 0e10352436f08c2a6f0ab4d4d36a95a05a6321c2e4672c33df699e9d6c17b6fd
Instruction Fuzzy Hash: FF01DF317053808FEB50CF15D984766FBE4EF05224F08C4AADD498B652D775E444CBA2

Function 09D15F7F Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

-, xrefs: 09D1658B

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 8bfc33b712674b54c23c3fef6598ec0a3de6587106dd43cb174d4d1e8f490563
Instruction ID: f008d1d4e568d661030d9c8c6389cf1318fa9d2291fc6615e95f5f132dd89a80
Opcode Fuzzy Hash: 8bfc33b712674b54c23c3fef6598ec0a3de6587106dd43cb174d4d1e8f490563
Instruction Fuzzy Hash: 0F010875A42228DFEB60DF64E888BEDB7F1BB46300F5041EAE449A7281C7744AC4CF11

Function 09D16292 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

-, xrefs: 09D1658B

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 82b042505fc2b5fb1009478b2715be5fa82450061c6f58092134beb7752afc3a
Instruction ID: aef4e20e7511f0281b0204d9db05a5d9196a91820865879a5dc0a04caa34fa9a
Opcode Fuzzy Hash: 82b042505fc2b5fb1009478b2715be5fa82450061c6f58092134beb7752afc3a
Instruction Fuzzy Hash: 4201D6B5A42228DFEB609F60D848BEDB7F0BB45300F5041DAE44DA7291CB744A84CF11

Function 09D10207 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

7, xrefs: 09D1027E

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 957ae3f4742148805644c217b7485f1e7e26a55f048fbda6c1989680251b2bff
Instruction ID: e3d33375b4b59641b0748d6a87be5be6b722aa07a4f2f2fd36e334edff49a056
Opcode Fuzzy Hash: 957ae3f4742148805644c217b7485f1e7e26a55f048fbda6c1989680251b2bff
Instruction Fuzzy Hash: 03F0CFB4A09228CFDB64EF20D9886ADB7B1EB85340F1082D6894DA3350CB365E81CF01

Function 09D162AE Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

%, xrefs: 09D16306

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 877ecc9000140241006af1147b8544d26383ed4cd117bc23d391f16653fb239e
Instruction ID: 555600e5f8167f48299f56bb7eb29ec2e51619280ad8e50dd0c3b9aa34b3903a
Opcode Fuzzy Hash: 877ecc9000140241006af1147b8544d26383ed4cd117bc23d391f16653fb239e
Instruction Fuzzy Hash: CAC09261596810DBF340ABA5E248B7A2BB5D7C73C8F40A254824337AD5CA7DC80B4B6A

Function 09D162F3 Relevance: 1.3, Strings: 1, Instructions: 7COMMON

Download Yara Rule

Strings

%, xrefs: 09D16306

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: bbfc24f1b94d1f5d09955869ceaf6da199a0e750e50cc503c3455dc1effc2681
Instruction ID: b560431292ee844a2855b27dd17227e16df22a7348aabe55ce363181d6c58fb5
Opcode Fuzzy Hash: bbfc24f1b94d1f5d09955869ceaf6da199a0e750e50cc503c3455dc1effc2681
Instruction Fuzzy Hash: 2FC08CB0801804CEE3046B50800E298BAB4AB41340F00D244904A8A0A2CB3480028F54

Function 09D10A7D Relevance: 1.3, Strings: 1, Instructions: 7COMMON

Download Yara Rule

Strings

6, xrefs: 09D10A8F

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: a14d45434767d249b0305a84c3c489c89dc7cb052b2062f9ba16e9c58192c8f0
Instruction ID: fc00af3d09d035bb5f140c74b8b57a80fdafbde234e10fa99e2596564c1eec06
Opcode Fuzzy Hash: a14d45434767d249b0305a84c3c489c89dc7cb052b2062f9ba16e9c58192c8f0
Instruction Fuzzy Hash: EAC04C74C046D89ACB61CFA1985429DBFF45B55341F1051968054B6250D67846C4CF08

Function 09D17AD8 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ade709c959706164775ba838e1bb62d29cb623a7479bd4e6da35ff4e42b43cb
Instruction ID: 3f32235be0dcf242e1fe960131401b040adf9a9ba865ee2dfac7fffd7b106966
Opcode Fuzzy Hash: 8ade709c959706164775ba838e1bb62d29cb623a7479bd4e6da35ff4e42b43cb
Instruction Fuzzy Hash: F5C13A75E012099FDB14DFA8D881BAEBBF2EF88310F158069E915AB7A1D731EC45CB50

Function 09D1B400 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5dc100a15fdccf13b700b677509da2bddd243d33058964eb852d9040aea082d
Instruction ID: 10d47f56c0dbb33b679af715537c445713f7ac54d92c70b1ff62a85b65ff25ef
Opcode Fuzzy Hash: a5dc100a15fdccf13b700b677509da2bddd243d33058964eb852d9040aea082d
Instruction Fuzzy Hash: DDC14A39E012089FDB04DF98D894BADBBF6EF88310F15806AEA14AB7A5D734DC41CB50

Function 057ACB98 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7a22de81b4297a11a4bb453b5e713e72eb4c30db333335afcecb6af953a8a6
Instruction ID: e4d8a3e327b2b0e7d682313eca691c5f7b7654dd9d7fb933a3eef47dd23c3e7b
Opcode Fuzzy Hash: 8e7a22de81b4297a11a4bb453b5e713e72eb4c30db333335afcecb6af953a8a6
Instruction Fuzzy Hash: 3BB11575E06308DFEB15DFA4D548AAEBBFAEB89300F208629E419A7344CB355D41EF11

Function 07736320 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54db401f781393a3c0f03743972f77e87e1e56078292212874bf57e4575a53ec
Instruction ID: fbf8d7868ee65140108604e2e1b1e9e91f74efab9eae172ca10229e2aab0ada3
Opcode Fuzzy Hash: 54db401f781393a3c0f03743972f77e87e1e56078292212874bf57e4575a53ec
Instruction Fuzzy Hash: FB9147B0A06208EFDB04DFA4D588B9EBBF6FF8A340F509115E50AAB355CB395908DF51

Function 0773D160 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a0cbe7262006c412586532c9a84c79a6ce1481e89345b4ecd17d9824712bbd
Instruction ID: 54304bc892e4e008ddd993a61d9778a9289f3a3c8bdee3d088ee84b18fa06bd8
Opcode Fuzzy Hash: 53a0cbe7262006c412586532c9a84c79a6ce1481e89345b4ecd17d9824712bbd
Instruction Fuzzy Hash: 15A112B4E02208CFEB24EFA8D54879EBBF6FB89300F508869E519A7745CB391945CF11

Function 07736330 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88d262bf5e3e69e49c19d776c7d2554adc797abb3a43bf3dfc04a885ba0e9e3
Instruction ID: 5c7693e672b0d727307dff032dc628fd8051c1a5049169627f6dff914b5ff3d7
Opcode Fuzzy Hash: c88d262bf5e3e69e49c19d776c7d2554adc797abb3a43bf3dfc04a885ba0e9e3
Instruction Fuzzy Hash: 94913974A06208EFDB04DFA4D588BDEBBB6FF8A340F509115E50AAB344CB394908DF51

Function 0773DB20 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9132fd6d9a838e9625048821124112c066f72119183b8719ee257de898c4a008
Instruction ID: ec80accdfce4d89be1b68300b5d3c68a6f040308fb14b2144c4885dec6b32122
Opcode Fuzzy Hash: 9132fd6d9a838e9625048821124112c066f72119183b8719ee257de898c4a008
Instruction Fuzzy Hash: 2081D1B4E19209DFDB24DFE9C4487EEBBF5BB4A380F108429C509A7296DB744984CF84

Function 09D17E71 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74aca7d1be48e09cfedbb59aaf0cbe8a4ef73663b4f33c4aafd1cc330016a46
Instruction ID: 52fcd4c55c597901bb7897c5beebea20dae42dbe8e3c698d5fc75c19fda549a9
Opcode Fuzzy Hash: e74aca7d1be48e09cfedbb59aaf0cbe8a4ef73663b4f33c4aafd1cc330016a46
Instruction Fuzzy Hash: 966137B2D45218DFDB14DFA9E5887EEBBF1BF89304F24942AD409A7651DB344885CF10

Function 09D17E80 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c04b9b444f48e09416a57308ec895b2d91f14c26efaa6379545984bf08ed95
Instruction ID: 0ab98e3bf134f465f68843c955ad896879ebb9f636bc26a8c2eadc9ed25ca204
Opcode Fuzzy Hash: e5c04b9b444f48e09416a57308ec895b2d91f14c26efaa6379545984bf08ed95
Instruction Fuzzy Hash: 7B6125B2D85218EFDB14DFA9E5887EEBBF5BF89340F209429D409A3661DB344881CF10

Function 09D17FBC Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61bcbe9e0fdd862f5980e9304b5450d1ecaa500cca1df6bdb0eb07f38cc8ec4f
Instruction ID: 748e51798409f2aa674fadf19a1cce227d913ffae183e4676efb4582e9a38186
Opcode Fuzzy Hash: 61bcbe9e0fdd862f5980e9304b5450d1ecaa500cca1df6bdb0eb07f38cc8ec4f
Instruction Fuzzy Hash: 175103B2E8521CDFDB14DFA8E5887ADBBF1BF89344F209429E409A7661DB744881CF10

Function 0773DFF8 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db075f6cb4097e7e0ad93eff3aa33b42a1aec28559db46036c63fc6e7924753
Instruction ID: 05082671bbbe632c09fd98dc2fd57df362c22a0290a9bece0c32ebc5d45b73ae
Opcode Fuzzy Hash: 5db075f6cb4097e7e0ad93eff3aa33b42a1aec28559db46036c63fc6e7924753
Instruction Fuzzy Hash: 795115B4E05209CFDB04DFA5D648AEEBBF2EF89340F20852AD405B7242DBB54A41CF51

Function 0773FA80 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563c0b5f14bbd7f6d505d45d76263463508d67123dcdc3c15095e3a98c95ba8b
Instruction ID: a870eaf291653b92d18ace7465fad290989d265ee58c0d4aed509855f572d1ce
Opcode Fuzzy Hash: 563c0b5f14bbd7f6d505d45d76263463508d67123dcdc3c15095e3a98c95ba8b
Instruction Fuzzy Hash: 815116B0E45208CFDB14DFA9D5486EDBBF6FF8A380F20992AE519A7242DB355841CF40

Function 09D11CFD Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6afac13e4c00ce9aa11d04bd890c58ce25f117eb7297957c60a21eab3be5a0
Instruction ID: a7541e40a6bd946c7a1f3ab45aed55f4181cd19485c66dfcec29e5be5e6fda65
Opcode Fuzzy Hash: 6d6afac13e4c00ce9aa11d04bd890c58ce25f117eb7297957c60a21eab3be5a0
Instruction Fuzzy Hash: 365144B1E49208EFCB40DFE9E4846DDBBF6BF4A300F14802AD609AB611D7348845CF44

Function 057A86F8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d90b5f6db383a651b834df6f4e29923bbdc5b576cb8387075bce40b90453723
Instruction ID: 6c7ce5280643c6420b22c14827ef829a5c81ebb8834cf6802aaa03c83e450506
Opcode Fuzzy Hash: 5d90b5f6db383a651b834df6f4e29923bbdc5b576cb8387075bce40b90453723
Instruction Fuzzy Hash: 53412075E06208CFDB18EFA9E4486EEBBF6FB89300F10952AD416B7644DB394841DF16

Function 09D11D28 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fd05414ca333829b26293bf252d2659133f4328ca4c2288a812babc05f15b3
Instruction ID: 1803c5ef0d500f322e1db97966ec96ef4fdf54aa5a4bd55f52126fca4ac80f7e
Opcode Fuzzy Hash: 61fd05414ca333829b26293bf252d2659133f4328ca4c2288a812babc05f15b3
Instruction Fuzzy Hash: 814103B1E49208EFDB54DFE9E5446EDBBF6BF8A300F10912AD609A7601D7708845CF45

Function 057A8D98 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e419e0023a145abbe365bad520dd6d383f4050a6552286140e57bb247cc9eb
Instruction ID: 063bbecc5382b8c8108c81a555a2eaeaba3958c8caa8366c9cb794b2aa94d258
Opcode Fuzzy Hash: 83e419e0023a145abbe365bad520dd6d383f4050a6552286140e57bb247cc9eb
Instruction Fuzzy Hash: DB51BB79A04618DFDF00CFA8C984AADBBF2FB4D314F144595E602AB3A0D774A940EF55

Function 057A8F10 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47324246c2daa81982972b4eaf27d6d0f1949bc2a55bafedba050d042bd01e52
Instruction ID: 570a41c65b5340e6165f686d005831955300f1e9c30c0ed3e26a18a9a1f85865
Opcode Fuzzy Hash: 47324246c2daa81982972b4eaf27d6d0f1949bc2a55bafedba050d042bd01e52
Instruction Fuzzy Hash: 3A318FB1E0520A8FDB04EFA4D444BBFBBBBEBCA300F509665950AA3645CB358940DB56

Function 057A8A38 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6da7808f5f2fa20f4816a41340f10421b5998c2a2fb9c5f6e1a59a9a99cbcee
Instruction ID: d67a60a8404fce7a5168382e3ef0df8a8f7076b06a04d8d0606e1ee55edc2c00
Opcode Fuzzy Hash: d6da7808f5f2fa20f4816a41340f10421b5998c2a2fb9c5f6e1a59a9a99cbcee
Instruction Fuzzy Hash: 4A412972E0A10DCFDB40EFA4D5846EDBBF5FB89304F148569C106B7688DB345A41DB52

Function 0773F8C0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77996a57db0c7569bf91539245a978e92930f779d11206d420a50ae17ff324e1
Instruction ID: a5d179d3dba9f4309c872ed6fb02b40260773b09fc269a66bbe6c2e7918f1607
Opcode Fuzzy Hash: 77996a57db0c7569bf91539245a978e92930f779d11206d420a50ae17ff324e1
Instruction Fuzzy Hash: 7B41DFB0E16208DFDB04EFA4D5886EEBBB5EB8A340F108069E509B3351DB385940DF50

Function 0773E428 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aca2568a0563bd847d8bccfc6ab9f85d7d24002a7324fa58574e05f8a00a483
Instruction ID: 059257ec1795e2e1685f46d4506417e65b967fbf8792e6675c7af4166b17785e
Opcode Fuzzy Hash: 1aca2568a0563bd847d8bccfc6ab9f85d7d24002a7324fa58574e05f8a00a483
Instruction Fuzzy Hash: 1A41E1B4E01209DFEB44EFA8D4586EEBBF1EF89200F10812AE509A7390DB755941CF51

Function 030FA863 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824414939.00000000030F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30f2000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf0685b33285163a4409fd0026296d033fb6a7b208f599d2972549f2471c89b
Instruction ID: 2f27a969b2b72c61b98434ca1070569dcc3ad391a8def802797f9dc7e52c3d63
Opcode Fuzzy Hash: 4bf0685b33285163a4409fd0026296d033fb6a7b208f599d2972549f2471c89b
Instruction Fuzzy Hash: BB215EB6908344AFD710CF05DC41E67FFE8EB89630F05C85EF94897211D276A914CBA2

Function 07732A3E Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb4a3f0bf8d79cec65eb14113e5d461cca8b42b159c11cd8a55095c8e5e31d3
Instruction ID: 3f40e322a800e4aa8b69174becdfdba68e9809dadac7e2b94626811c7c04654b
Opcode Fuzzy Hash: 8cb4a3f0bf8d79cec65eb14113e5d461cca8b42b159c11cd8a55095c8e5e31d3
Instruction Fuzzy Hash: 4431F0B0906328CFDB21DF24C898BA9BBB9BB0E351F1094D9D419A7243E7345B81CF44

Function 057AC2B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5717cc1c2dd8be9a5eddff85725079e195794748de95f51d726fd270e5cc012
Instruction ID: 57619da23941515cabd888d69088b579489c7572e143558d70b1600b86f2267f
Opcode Fuzzy Hash: e5717cc1c2dd8be9a5eddff85725079e195794748de95f51d726fd270e5cc012
Instruction Fuzzy Hash: 55216D72E05209EFDB05EFA5C445ABEBBF9AB8A300F108565E405A3380DB359D40DF52

Function 030FA88E Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824414939.00000000030F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30f2000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd64dd73f97e981a2b33bfb761a8eba05a0255a2a0332b129f330a9afe02399f
Instruction ID: 7ca4b073db13a207531f44e7350f4a85a044e0cac6fa3b3e3dfdec7d65be1e1c
Opcode Fuzzy Hash: bd64dd73f97e981a2b33bfb761a8eba05a0255a2a0332b129f330a9afe02399f
Instruction Fuzzy Hash: 2A214FB6944300AFD650CF06EC41E67FBE8EB88630F14C96AFD4C97311D676A5148BA2

Function 07735EC1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ff2bbdef74fcea93fd9b52e7542a4857888812c34d11e7dd37f7518c791b71
Instruction ID: f947dd36eff8d3bda77344d090e92896330f353644cdd5a0ad56b0c32217d677
Opcode Fuzzy Hash: b0ff2bbdef74fcea93fd9b52e7542a4857888812c34d11e7dd37f7518c791b71
Instruction Fuzzy Hash: 973105B8E052199FCB04DFA9D8415EEBBF6FF88300F11846AE809B7350DB355A45CB61

Function 057A8188 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9b7bed7cfe7a9388b8729dfe6fdc61d8230025c465077b8cf4ed33e4a79ab7
Instruction ID: 9cbea866a1c62ee1e9c6d812eec3d5db8679db9f83bc852359b30a6eb0ad6857
Opcode Fuzzy Hash: 8c9b7bed7cfe7a9388b8729dfe6fdc61d8230025c465077b8cf4ed33e4a79ab7
Instruction Fuzzy Hash: DD31C574E04208DFDB44DFA8D884AEEB7B2FB88304F108269D915B7790EB355A41DFA5

Function 08FF1C4E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830856027.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8ff0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55ce0ca5e68d02aae4a2412419ab3d679d9816b9999c18bc82d0aee41b17fbb
Instruction ID: 01de3fc86f8a965d1695f7e04c78e205994eac54dd884ad84c109da2d69a5344
Opcode Fuzzy Hash: a55ce0ca5e68d02aae4a2412419ab3d679d9816b9999c18bc82d0aee41b17fbb
Instruction Fuzzy Hash: DC21C5B5908341AFD340CF19D840A5BFBE4FF89664F05896EF988D7311E275E9088BA2

Function 08FF26C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830856027.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8ff0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc7a1662e5f6a7a30919228c0a0fd9863de177cd7f2cfecb32d27a54f5d23a6
Instruction ID: f2db74f3773b8ce80748dd9c353225c321bdb2e6728fbd6e084d525ee1dd1216
Opcode Fuzzy Hash: 0cc7a1662e5f6a7a30919228c0a0fd9863de177cd7f2cfecb32d27a54f5d23a6
Instruction Fuzzy Hash: 961197B5908341AFD350CF19D881A5BFBE4FB88664F04896EF99CD7311E235E9148FA2

Function 031D8E14 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824928391.00000000031D6000.00000040.00000020.00020000.00000000.sdmp, Offset: 031D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_31d6000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0303e16ec34d3e6eb60265a705a4176ae5bf28b934a9e25e129a07f603147ac8
Instruction ID: 1b677aa317d85ad8cd112d870d15df1394dba704aac390245fb82c322ac4f79f
Opcode Fuzzy Hash: 0303e16ec34d3e6eb60265a705a4176ae5bf28b934a9e25e129a07f603147ac8
Instruction Fuzzy Hash: BE11B130208244DFD715CB14D980B26FBE5EB8E708F28C99CE9494B652C77B9862DE92

Function 057A9DA8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd8b41433f271b4af3ddb2d229a5b89cab64bf486e64e5900a4cb06ae3f51e1
Instruction ID: aaec6bc68cb2d9245a37f1e2d7e4d68e6e5c487fe95e2b4aff40a4a61a0fdf23
Opcode Fuzzy Hash: 2fd8b41433f271b4af3ddb2d229a5b89cab64bf486e64e5900a4cb06ae3f51e1
Instruction Fuzzy Hash: 6D211475D09219DFCB04CFA9C584ABEBBF6FB89300F108266DA09A3305D7749A90DB91

Function 030FA7CC Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824414939.00000000030F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30f2000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b948e8b4225c29f5e9e5919e3689d47e6afb115e3189fed3662c25d2ab79be0a
Instruction ID: 095bfde29742c924ee4540be7e1b378019a0ec3d8998fc1280fce4c3f54bc157
Opcode Fuzzy Hash: b948e8b4225c29f5e9e5919e3689d47e6afb115e3189fed3662c25d2ab79be0a
Instruction Fuzzy Hash: 9B1151B15493806FD341CF15DC41A56FFE4EF86620F09889AF98887212D275A908CBA2

Function 057A9A80 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234c9ddb69a08f8d989f5034e7f03cca7656351e111c2dd732652e929c2e1082
Instruction ID: 2c16530b57a423540761b27b94ca788652ebd607f27fa3b965f223e74ca3acaf
Opcode Fuzzy Hash: 234c9ddb69a08f8d989f5034e7f03cca7656351e111c2dd732652e929c2e1082
Instruction Fuzzy Hash: 73114874E09209CFCB04DFA9D4486EEBBB9FB89300F10856AD509A3748D7354A51DF94

Function 030FB864 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824414939.00000000030F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30f2000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981a4c7f6cd4062e424801264f400850d1dc375c5f9f3d3c34c2f922718908ce
Instruction ID: 6acb1f2a1cfb547d7cae558d403dd7e5071bcfabda3905305e51d9ccd65d0ac3
Opcode Fuzzy Hash: 981a4c7f6cd4062e424801264f400850d1dc375c5f9f3d3c34c2f922718908ce
Instruction Fuzzy Hash: DE11CCB5908301AFD350CF09DC41E5BFBE8EB89660F04896EF99D97311D271E9088FA2

Function 08FF2564 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830856027.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8ff0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291104934c42a02e2c2b88eaf6abd10c28b787c39bbddaee08039f95dcd33938
Instruction ID: cfb0cc64931e89f42c65c8c2b7af1067fa0a6070689b9cd887105c481821f801
Opcode Fuzzy Hash: 291104934c42a02e2c2b88eaf6abd10c28b787c39bbddaee08039f95dcd33938
Instruction Fuzzy Hash: B611C0B5908301AFD750CF09DC81E5BFBE8EB88660F04895EF95D97311D271E9088FA2

Function 057A1AA4 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c65f8988aaf2050679afd410f4eb0639157a1dd05307116480a5ed7c73af7ef
Instruction ID: ca115bf8c0cb078aaafbafbf1fdcf2a73315775ef5523bc687514a2c6f22ef62
Opcode Fuzzy Hash: 6c65f8988aaf2050679afd410f4eb0639157a1dd05307116480a5ed7c73af7ef
Instruction Fuzzy Hash: CD11C675D06229CFEB64EF29D944798BBB2FBC8301F4082E5D40EA2204DB364EA5DF01

Function 031D8E02 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824928391.00000000031D6000.00000040.00000020.00020000.00000000.sdmp, Offset: 031D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_31d6000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cde204b94a06d777da726e9322acf2b4036188a88082096d4f204e20b9c7c74
Instruction ID: cffe301a538789e3d6d0723abbd38aac33108d5fe4886d5651df1baa6b229bcb
Opcode Fuzzy Hash: 4cde204b94a06d777da726e9322acf2b4036188a88082096d4f204e20b9c7c74
Instruction Fuzzy Hash: C7115E35549280DFC702CB10C980B15BBB1BF4A708F18C6DED4894B6A3C33A9812DF42

Function 07736B40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b048102ab5ba8988c25d3c4e1194da400267b01a9f37163828346950877fb86
Instruction ID: 2497b368088038f24bbe35f1ad7ee02b5bc4ad8b72e917d02da3690a1ce891c2
Opcode Fuzzy Hash: 7b048102ab5ba8988c25d3c4e1194da400267b01a9f37163828346950877fb86
Instruction Fuzzy Hash: 9B0149B644920DABC704DA94E901BBC7BF8D717388F34C0699848D2382E6758643CE55

Function 031D05DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824928391.00000000031D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_31d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea6911f6aa7b12ae3c793929cbdcc8e8febd8c4cad3b8a175ccbba19cc03deb
Instruction ID: 3c20cd636fa5ee97dee5cf53da0b7d5caf972931083a49d365d190645e9d6800
Opcode Fuzzy Hash: 7ea6911f6aa7b12ae3c793929cbdcc8e8febd8c4cad3b8a175ccbba19cc03deb
Instruction Fuzzy Hash: B501627650D3805FD711CF06EC84966FFA8EB86620709809FE84D8B652D625A904CBB2

Function 07736AF8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f7b6b09a3b003fcc7f4dac07130a5ac276539a361454611f2bc53d3cc9740c
Instruction ID: 35bbe02c20bff103e4e603cd1d6044459eb041a711344d0d89719c2a59108c2e
Opcode Fuzzy Hash: 91f7b6b09a3b003fcc7f4dac07130a5ac276539a361454611f2bc53d3cc9740c
Instruction Fuzzy Hash: 0A0178FA149109ABC305D7A4E9097AD7FF4DB03348F28C598C8289B793DA368903CB40

Function 09D17A68 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50cca33e391780c4f60ce7eed81125ea28ec599edd51ce31b89168092c15c04
Instruction ID: ff4cda89699511dcdc21c6d556391a9de041e52f9425a86f7380a6f74fa01507
Opcode Fuzzy Hash: f50cca33e391780c4f60ce7eed81125ea28ec599edd51ce31b89168092c15c04
Instruction Fuzzy Hash: C101813144824AEFCF02CF94C8009DD7FB5EF0A300F1481C5EC58AA252C2368662EF10

Function 054D1CDE Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a80eb556efdf08c02ee54542405e82424339b7a97024a6cede6d756c291a8fb
Instruction ID: fd2d3c96a365ec0a6d176748b1a96528b1edaaacfa29de156582f057f456151e
Opcode Fuzzy Hash: 6a80eb556efdf08c02ee54542405e82424339b7a97024a6cede6d756c291a8fb
Instruction Fuzzy Hash: 5F11B074906228CFDBA8DF24D8587A8BBF1FB49300F54D1DAE48DA2245DF348A80CF91

Function 09D1324E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554e75cfb63cb589f6e39851977042f5bd88997ca5004d4075167aa45c50f874
Instruction ID: c0f0930f3f83e40ae2a48b16071caf59c1199f8ec27ee16000d7f96786d3fd90
Opcode Fuzzy Hash: 554e75cfb63cb589f6e39851977042f5bd88997ca5004d4075167aa45c50f874
Instruction Fuzzy Hash: 390112B5E4122C9FEB18DFA4D9586EDBBF1EB89340F1041A9D109A7240CB358E81CF90

Function 031D8ED0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824928391.00000000031D6000.00000040.00000020.00020000.00000000.sdmp, Offset: 031D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_31d6000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a18135dbcc10eb8d150372fd7a243db1ce43d1f1140c516fd8c987d0e922dc8
Instruction ID: 29f4edf8e09e25d3de5258b3c58ee87fb6f1a75e1f94dfa58f1aebc27e160c12
Opcode Fuzzy Hash: 7a18135dbcc10eb8d150372fd7a243db1ce43d1f1140c516fd8c987d0e922dc8
Instruction Fuzzy Hash: C2F0FB35144644DFC315CB00D980B16FBA6EB89718F24CAA9E94907662C7379822DE81

Function 054DC3F0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d09f5a86c02bd866385e201086c9bde407e7b99aec0b6389bf3c7be29f248ed
Instruction ID: 6149e99abd3d261ce47672e1040933f4fb111ff84f02c8351707bace42ebe2a2
Opcode Fuzzy Hash: 9d09f5a86c02bd866385e201086c9bde407e7b99aec0b6389bf3c7be29f248ed
Instruction Fuzzy Hash: 54F0493094520CDFC704EFA8E5446AEB7F1FB48308F1482A9C40597B88EB391945DB90

Function 09D17188 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27cfeb08eeabb04034290e20cc03af68510cebbaf3d942ca901792913fb0aeaf
Instruction ID: 948e283941618ffa85d1ce6413dad1c320866bb29d32b12f01b72956b9e655f7
Opcode Fuzzy Hash: 27cfeb08eeabb04034290e20cc03af68510cebbaf3d942ca901792913fb0aeaf
Instruction Fuzzy Hash: 65F0823514D285AFC70ACFA0D8009A9BF71EF46314F1884C9DC544B263C6368956DB11

Function 09D17A78 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef0787a280d8cd16e0496025d5ed18be74d23553d7acf1bd9d2b2d14956644e
Instruction ID: 2722151daac7c702b4e288a9aa6959143eaf4c8429df8cd5b2e04cdf8bd7899a
Opcode Fuzzy Hash: cef0787a280d8cd16e0496025d5ed18be74d23553d7acf1bd9d2b2d14956644e
Instruction Fuzzy Hash: 51F01236804209FFCF01CF94E800AADBBB9EB48300F10C099FD58A6260D7369A21EF90

Function 09D18201 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72538e13271615aa7da7d3fc6bb4d005556b7182edd843625debf3ff60e06f87
Instruction ID: 05ede9a02116f783505f0729f538b8e9ca4b2173e05f4fcb78d2284727974fc7
Opcode Fuzzy Hash: 72538e13271615aa7da7d3fc6bb4d005556b7182edd843625debf3ff60e06f87
Instruction Fuzzy Hash: BDE0923058E286FFC307CB64E901559BF759F47218B1884C5C8984F793C63A5D47CB41

Function 031D0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824928391.00000000031D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_31d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e612cd8e73e0fc7701f7275c2b227f38da2ecd3ab2950a308760c3e0dba1f20
Instruction ID: 361da74a9bbc201d2d23a50c9d557bcd8343f3a168fa982f01f46948d958a558
Opcode Fuzzy Hash: 1e612cd8e73e0fc7701f7275c2b227f38da2ecd3ab2950a308760c3e0dba1f20
Instruction Fuzzy Hash: 41E092766047004F9650CF0BEC41462FB98EB84630B08C07FDC0D8B711D676F504CAA5

Function 030FA81B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824414939.00000000030F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30f2000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347564841a36df77add12b8c2c5209605d86148ce6073c7da07e57db76df785d
Instruction ID: ff6d78d65c43cfde07c308ac620fbdb773d2fdffb185221384b0dcb10fa54564
Opcode Fuzzy Hash: 347564841a36df77add12b8c2c5209605d86148ce6073c7da07e57db76df785d
Instruction Fuzzy Hash: 49E048B29403446BE2509F06DC46F62FB58DB94930F18C557EE0C5B701E576B5148AE6

Function 030FB8B3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824414939.00000000030F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30f2000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471614e8487c57b5ea8d70651c7ebe56b4aabc3463378be8893e4bb63e5ac9d8
Instruction ID: 14705b40f40e885a42559ad0b1d5d5cba7fd973b990d397b1654ec7388a2ca72
Opcode Fuzzy Hash: 471614e8487c57b5ea8d70651c7ebe56b4aabc3463378be8893e4bb63e5ac9d8
Instruction Fuzzy Hash: 96E026B29403046BE2508F06EC46F23FB5CEB81A30F08C56BEE0C1B302E572B5048AF2

Function 07736070 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc473d07b68414d9007d8c4ecb4569574ba66be65b8a6ed64a28de1c9e40511
Instruction ID: 6da0994cec8455576a62188d8ca4c6787bf1c999563ce95456195342a7427ac1
Opcode Fuzzy Hash: 5dc473d07b68414d9007d8c4ecb4569574ba66be65b8a6ed64a28de1c9e40511
Instruction Fuzzy Hash: FEE06DB4948209AFC711CFA4D401AADBBF5EF16344F1091A9DC29A6761E7395A45CB40

Function 07736218 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e5ed326ebb078ba4e0c212af25ddaf5209e53833775abb3051a1e4384790e1
Instruction ID: a880b98e41458784698f39fbb19babad2f9f5e2f518a3e0d9ccf2f8f49f293cb
Opcode Fuzzy Hash: 24e5ed326ebb078ba4e0c212af25ddaf5209e53833775abb3051a1e4384790e1
Instruction Fuzzy Hash: 1AE06DB0944118AFC704CF84C581BADB7B4EF49304F24C2E9DC19A7311CB399A42CF41

Function 08FF1FD7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830856027.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8ff0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf465e1f08aecb1c6372d4dd3701368789e16013cd76774715a411e67645c35
Instruction ID: ac2c00ccbe277c5389d3b4997cbb2844d981b78fcf345572b61825f857dad6ad
Opcode Fuzzy Hash: fcf465e1f08aecb1c6372d4dd3701368789e16013cd76774715a411e67645c35
Instruction Fuzzy Hash: 18E048B29403046BD2509F06DC45F63FB58DB84930F08C567EE0D5B701E576B514C9E6

Function 08FF1CC3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830856027.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8ff0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f5c584faaa4a4467a65c9bfd0c32927058b49d8b3eda8b428f98006e481678
Instruction ID: 77c0eb940953e95909e7e89bd61d88c99088208dc4e09aff1ecae7e1205a3eb7
Opcode Fuzzy Hash: 67f5c584faaa4a4467a65c9bfd0c32927058b49d8b3eda8b428f98006e481678
Instruction Fuzzy Hash: 2AE04FB29403446BE6508F06EC46F62FB58EB84A30F08C56BEE0D5B742E576B5148AE6

Function 08FF25B3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830856027.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8ff0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1410d847577fa6927cb3ed9264f3ee444725e586ab90e667c2f728c5dd8097f
Instruction ID: 4ab11194c275d53f3622e4d39da173f78bd9b33d7a97adb7e76e1e7e301ae416
Opcode Fuzzy Hash: d1410d847577fa6927cb3ed9264f3ee444725e586ab90e667c2f728c5dd8097f
Instruction Fuzzy Hash: 1BE012B29403046BE6509E06DC85B62FB58DB44A30F088567EE0D5B712E576B51489A6

Function 08FF272B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830856027.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8ff0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f469b0c682c07196cf492b9939e00cc2789c8d5868bccc3c9b15a7469299395a
Instruction ID: 448f39bb7a1e2d075a9402278d3ba7174d40094777f3b43d2284fb9bddb5cf37
Opcode Fuzzy Hash: f469b0c682c07196cf492b9939e00cc2789c8d5868bccc3c9b15a7469299395a
Instruction Fuzzy Hash: B6E048B29403046BD7508F06DC45F62FB58DB94931F08C56BED0C5B741E576B51489E6

Function 09D179C8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5587526be9f1c506b024bcda40c83f78a8e9be4915e352cc4ff463ee08f0bfdb
Instruction ID: 44bd0361e175266077934ce20383990f6a9c02b5ac8c25a4a61861c7134acec4
Opcode Fuzzy Hash: 5587526be9f1c506b024bcda40c83f78a8e9be4915e352cc4ff463ee08f0bfdb
Instruction Fuzzy Hash: 6BF03030D49248EFCB05CFA8E4406ACBFB0EB4A214F1481EAD8489B756C6354E46DB41

Function 09D11FB8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ac57e67e6ef66ab9922ac77ec112029d3833b141743a788e179224981a6aae
Instruction ID: d91d871d629962739068ec2297e26b54d0f412b83c300cecaccd1860e619e7a3
Opcode Fuzzy Hash: 76ac57e67e6ef66ab9922ac77ec112029d3833b141743a788e179224981a6aae
Instruction Fuzzy Hash: 63E09A3A1CE144AFC305CB94E840FA9BBA5EB06325F2581E89D581B392D736AA12CA40

Function 07736970 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bade8875c375ace79f039d8051bbb88ccc565762dfdd651d6e464504407bd80d
Instruction ID: c593f41092dc88f45ea2804c9ea673279c84695183ce1a607d69e9386406c2ae
Opcode Fuzzy Hash: bade8875c375ace79f039d8051bbb88ccc565762dfdd651d6e464504407bd80d
Instruction Fuzzy Hash: 3DE068B4208005BBC304CB84EA00A7CBBA0EB16309F10A0D8DC4C87393CA32AD02CA40

Function 07735CC0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d251e5474790e01daa916e156386ea6ff574c9bb4e45599f77e5107bb1ccbbc
Instruction ID: c2085424ec65680a3627619e43922f2a6bb1d6a83a7fc3ed44c05efceaf820a1
Opcode Fuzzy Hash: 4d251e5474790e01daa916e156386ea6ff574c9bb4e45599f77e5107bb1ccbbc
Instruction Fuzzy Hash: FBE06DB0D05209DFCB05DFA9D4446ACBBB1EB45345F1181A9D808AB341D6744940DF40

Function 077366E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f444704c1d42d576a8219b0a6c55c49d416cba7b3ff609c9680372d1225d8f24
Instruction ID: 3e8313b9b82340396d5f3d45bd9d0d1005e5027e6d4c2c5ff9bdbd85f839e0b3
Opcode Fuzzy Hash: f444704c1d42d576a8219b0a6c55c49d416cba7b3ff609c9680372d1225d8f24
Instruction Fuzzy Hash: 98E026F86480059BC708CBC4D5007A97760DB0634AF10D0E8881887382DA329C03CA40

Function 054D67FA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c768899e468ef9ef3fdf629656d1a662b3cefeaffadf8f1d98b2b348d3fc63
Instruction ID: e599c0e38f37aefcd86eb310c427d0af5d4741214e7fe87d44d6a254cfe36db3
Opcode Fuzzy Hash: 90c768899e468ef9ef3fdf629656d1a662b3cefeaffadf8f1d98b2b348d3fc63
Instruction Fuzzy Hash: CFF0AA70905228DFEB20CFA4D998BD9FBB5FB49300F0056EAE40DA2644D7356A84CF21

Function 07735E51 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2b6dce566ff153f2d723be86ef84264abb3df36b2e874428c1e6936599ab7d
Instruction ID: a22bad54a4aedfb7b4b0125c1757de5870d0d9f2a486e9d848f4a912aa1a182b
Opcode Fuzzy Hash: 4e2b6dce566ff153f2d723be86ef84264abb3df36b2e874428c1e6936599ab7d
Instruction Fuzzy Hash: B8E0DFF0C99104DFCB04CBB8E805B9D7FB4DB0A306F1102A9E808A7341D6700904CF50

Function 09D12F00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ba6ebed127d6532ca4599dc87be370c37e6ed926dccbb118fbab2a1c1262ac
Instruction ID: 1c15c9a9b37a448186e562167666afc12f3139cdfb69ada695b752841d0f3d92
Opcode Fuzzy Hash: 17ba6ebed127d6532ca4599dc87be370c37e6ed926dccbb118fbab2a1c1262ac
Instruction Fuzzy Hash: FDE08C3044E395AFC702DF74A8186AABFF8DB07215F0548EAE8488F202DA640848EB12

Function 057AC080 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6643615816ea0587ebc55fd824275f596d633e80a1561d0e2565c7134915acd
Instruction ID: 6e637c1dca4169d09c42aa388213a1f2db00675c085ccd0e2f352bd71243e773
Opcode Fuzzy Hash: d6643615816ea0587ebc55fd824275f596d633e80a1561d0e2565c7134915acd
Instruction Fuzzy Hash: AFE0E534948208EFCB04DFA8D840AADFBB9EB88304F10C1A9A80967340D6319A52DF84

Function 054D3580 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3014ddda73fea2df6c4b2291a67694a132ef0c7bf5ff05dac3e6e97b9ff477
Instruction ID: 0098d0135d376f6c7a0efe837b6dd0e6d0b5d9b4480123c0aee278137969cfeb
Opcode Fuzzy Hash: 8e3014ddda73fea2df6c4b2291a67694a132ef0c7bf5ff05dac3e6e97b9ff477
Instruction Fuzzy Hash: 6DF07974905229CFEB64DF68D998BD9B7B9FB49301F0052E6D41EA2284DB745AC8CF20

Function 09D179D8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10db707f57dbaf32c8a709d523a1c6b7b35c2a74f4fc6d2b3a68cfef9fa2745
Instruction ID: fa4c88338d59ded39e9b3f5d1251a03e3df67a3c34243741ae9eef764d96359e
Opcode Fuzzy Hash: e10db707f57dbaf32c8a709d523a1c6b7b35c2a74f4fc6d2b3a68cfef9fa2745
Instruction Fuzzy Hash: 9FE01A34D48108EFC704DF98E4416ACBBB8EB49304F20C1E9984857740DA319A45CF41

Function 09D1CDC8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3b66b7626dc1ad1d5565c852f490341eb22cb0e6d1b8ea32d94b3406235d2f
Instruction ID: f43775cefc4e69cda0e17de2e9565e031cdb5ec226a6bbf80574bfdf94984f2b
Opcode Fuzzy Hash: 0c3b66b7626dc1ad1d5565c852f490341eb22cb0e6d1b8ea32d94b3406235d2f
Instruction Fuzzy Hash: 43E086349C8108EFC704DFA4E84096DBF78EB45304F20C1A9DC4467744D7359A51DB84

Function 057AC108 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfca1f6130399c872ffd6ba6526f1f88a8e2e997a368a83964ef095c9348afa4
Instruction ID: 850a45ee253a221967fe5a7b7ff077ada1138989d343f3c7038aa36c6228b304
Opcode Fuzzy Hash: cfca1f6130399c872ffd6ba6526f1f88a8e2e997a368a83964ef095c9348afa4
Instruction Fuzzy Hash: 10E01A74E08108EFCB04DF98E4406ACB7B9EB88304F10C1A9980957340DA355E01DF40

Function 07736B08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e95d58f6a1fb0ec51aa8547a4f2a47789b6411623abf72af31023647fc12dd
Instruction ID: 791108907331424de649753ed778b31119de8948b357c8be042829eda4456e53
Opcode Fuzzy Hash: a5e95d58f6a1fb0ec51aa8547a4f2a47789b6411623abf72af31023647fc12dd
Instruction Fuzzy Hash: 55E08C7490820CEBCB08DF94E8409ADBFB9EB4A304F20C1ADDC4867341DB329A52DF84

Function 0773EDF8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10c46a47c057f14918be25287b42d03cc73df40b0ca4f9ed2178114230f1721
Instruction ID: 4cf99f9bb320288ad128e3c29fcb33dc113fe6d4107b17e0976969de93a93c0f
Opcode Fuzzy Hash: e10c46a47c057f14918be25287b42d03cc73df40b0ca4f9ed2178114230f1721
Instruction Fuzzy Hash: 32E04F74D44108EFCB04DF98D4406ACF7B8EB49304F10C1E9C81857341DB715A51DF40

Function 0773C9A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e95d58f6a1fb0ec51aa8547a4f2a47789b6411623abf72af31023647fc12dd
Instruction ID: 99cba6cddef93a87c2a36817a9973f8859d0dbc5ac76d8597adedc7cec79e8d6
Opcode Fuzzy Hash: a5e95d58f6a1fb0ec51aa8547a4f2a47789b6411623abf72af31023647fc12dd
Instruction Fuzzy Hash: 55E08674908108EBC704EF94E84096DBB78EB46304F10C1A9DC4427345D7315A51DF94

Function 0773F678 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5774835271bb0868d3c47c4e8e724f5a94e89f90b7b819e42e1dad2fc81dd78d
Instruction ID: 2dc04e6d70fd1a7e3b7add583f38f48f65db61cad003771db77658bab754c42a
Opcode Fuzzy Hash: 5774835271bb0868d3c47c4e8e724f5a94e89f90b7b819e42e1dad2fc81dd78d
Instruction Fuzzy Hash: BFE08674908208EBC704DF94E84096DBBB8EB45348F10C1E9DC0927351D7315E51DF84

Function 07736228 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10c46a47c057f14918be25287b42d03cc73df40b0ca4f9ed2178114230f1721
Instruction ID: b4235155347b3721f2a4af67cde89e2f91328eae33a895b4bb6d80589c716151
Opcode Fuzzy Hash: e10c46a47c057f14918be25287b42d03cc73df40b0ca4f9ed2178114230f1721
Instruction Fuzzy Hash: 87E04F74D05108EFC704DF98D441AACF7B8EB49304F10C1E9C808A7345DB315A41CF45

Function 0773EEF8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10c46a47c057f14918be25287b42d03cc73df40b0ca4f9ed2178114230f1721
Instruction ID: 88fed3deda23f98ca1f7497ca3aaf29f2da28d9381c812bd164e32814ffaa091
Opcode Fuzzy Hash: e10c46a47c057f14918be25287b42d03cc73df40b0ca4f9ed2178114230f1721
Instruction Fuzzy Hash: 2AE01A74D04109EFCB44DF98D4406ACB7B8EB49304F10C1A9980857341DBB19A01DF40

Function 0773C8A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0195b1cba2e30bcb07f807ba8bc93562b9387963da3d3ca60a165878df05dce
Instruction ID: c66e9953990947ffebbab644ea87088d11131fc3fcb5bbba362c48a2dfa2e9f7
Opcode Fuzzy Hash: f0195b1cba2e30bcb07f807ba8bc93562b9387963da3d3ca60a165878df05dce
Instruction Fuzzy Hash: 4EE01A74D09208EFCB04EF94D4406ACFBB8EB49204F10C1E9885867381DA355A01DF50

Function 07736080 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf13d4a1854f39a10327bb8b4e2656f6cb92b7b4f797f7208fcbc65326aca93
Instruction ID: 00901b729f68cbd1ef48c06724fc1ff342def80f5450877472dd00000c2d43c9
Opcode Fuzzy Hash: 0bf13d4a1854f39a10327bb8b4e2656f6cb92b7b4f797f7208fcbc65326aca93
Instruction Fuzzy Hash: A5E0DF70C04208EFCB04DFA4E00099CBBF5EB04304F1080B9C80467300D7305A40CF84

Function 09D189F2 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf7003c0a73534f11ebbb5b42df9199f4ab062c93d9008d75290d113cdffc4d
Instruction ID: e7cd6fc945556537acce3933be6f06e3645a1abb127f2754de51d39d722e63af
Opcode Fuzzy Hash: ecf7003c0a73534f11ebbb5b42df9199f4ab062c93d9008d75290d113cdffc4d
Instruction Fuzzy Hash: 16F0AE75D4A628DECF20EF35E8883ADBAB1BB49300F1086EAD04DA2241D7344A85DF04

Function 09D18210 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261380ac1e7df13442d6ed997b5b85af262fb6fc5df8a992d6edf2f440f184b8
Instruction ID: c169717e5643795f64d4536532d40dc2a2f375b7046abf95e45e81c2e83e62ce
Opcode Fuzzy Hash: 261380ac1e7df13442d6ed997b5b85af262fb6fc5df8a992d6edf2f440f184b8
Instruction Fuzzy Hash: E7E0C234D48108EBC704DF94F84096CFBB9EB4A304F20C1E8C80927740DB319E02DB80

Function 09D1603F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd79d739735f67f9a81a521a807201c29c4288bef585c66c5e3c74a87689c9e5
Instruction ID: 359b5da9b1bfa177d3b927cac3ee6ff53b9925124b70f3fef01f60beca50ddca
Opcode Fuzzy Hash: dd79d739735f67f9a81a521a807201c29c4288bef585c66c5e3c74a87689c9e5
Instruction Fuzzy Hash: 48F0A5759042288FDB60DF20D8987EDB7F1AB55305F1044EA994977281CB745EC1DF40

Function 057A6748 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfba4c780525ed5d3b66e014c1f1a6b05088e4d9a54b8c42d7cae2a739502b43
Instruction ID: 54484157eafbe6d057d63f0140dc51b3d8cdbc239f2da5d9f221b90fb11102a7
Opcode Fuzzy Hash: dfba4c780525ed5d3b66e014c1f1a6b05088e4d9a54b8c42d7cae2a739502b43
Instruction Fuzzy Hash: C5E04638D08208EFCB04DFA8E144AACBBF8EB88304F1082E9D80967300DA302A00DF42

Function 057A6700 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653d5dd3c7673b09b235b66c85c62af433a593568335547ba500cc85137d7955
Instruction ID: 18af9fe6fd140e28d98988d00e7265716cf6cd24b44aa5831842d6b08f50b0ad
Opcode Fuzzy Hash: 653d5dd3c7673b09b235b66c85c62af433a593568335547ba500cc85137d7955
Instruction Fuzzy Hash: 04E04678D09208EFCB04EFA8E444AACBBB8FB88304F1082AAD80963354D7345A00DF41

Function 057A69B8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2378fbfe086f4ca3f1efc6cb0c812f03a779e6fc79bb0bd6feec5d08e4e2db
Instruction ID: 751a886799da27b4c48d8dce68f6200f9b985542fc02e72d117f909934c5ef55
Opcode Fuzzy Hash: 7f2378fbfe086f4ca3f1efc6cb0c812f03a779e6fc79bb0bd6feec5d08e4e2db
Instruction Fuzzy Hash: 34E01A34D04208EFCB04DF94D448A9CBBB4FB48300F10C1AAED4467310D7315A54DF51

Function 077366F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd5ec2c0fd0a033b878ab2f24bf925dc897a469e35e5790d71a0c5e26d84683
Instruction ID: 4a2275372d20146f1cbcaa63bfc973820a32364c860aeffe45679552da7e73c7
Opcode Fuzzy Hash: 0cd5ec2c0fd0a033b878ab2f24bf925dc897a469e35e5790d71a0c5e26d84683
Instruction Fuzzy Hash: 4DE012B4949108EBCB08DF94E94196DBBB8EB46305F60C1EDC80967345DB716E42DB85

Function 07735CD0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dfdae24eaf130ba8956ad17c923ac3a50637c5162466d139430a9f6ad2e9ed8
Instruction ID: 51b386ddda06f38a79f75651e1289a412860c343533bfd1181b1d6371e6b4330
Opcode Fuzzy Hash: 9dfdae24eaf130ba8956ad17c923ac3a50637c5162466d139430a9f6ad2e9ed8
Instruction Fuzzy Hash: 40E08C70D09209EFCB04EFA4E4046ACB7B8FB45309F1081E9C81827300D7345A50DF90

Function 054D6378 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb6c7c48938d4d05ad7e4a41e304167ab17a602ebab3a77b65d85ef45ff0328
Instruction ID: 2ca13e58d760aebf1042f62c3f054b3556fac222e26f210460a8a21a20a7404c
Opcode Fuzzy Hash: 8bb6c7c48938d4d05ad7e4a41e304167ab17a602ebab3a77b65d85ef45ff0328
Instruction Fuzzy Hash: 1FF0AE70905228CFFB24DF20D95CBE8B6B1FB06351F0016D6E00EA3241EBB44A858E21

Function 054D2AA7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe3f3a407acd76ab0882a6955d4e25edb7d5123f29c1243e0e605e4c1dc4063
Instruction ID: 3135adc94e61a2d8fc3b34965775fb1ffafbc66531c88e85d05126e06b538e80
Opcode Fuzzy Hash: 4fe3f3a407acd76ab0882a6955d4e25edb7d5123f29c1243e0e605e4c1dc4063
Instruction Fuzzy Hash: B4F062749012288FEB64DF20DD587D9BBB1FB49305F4080EAD40DA3645DB741A858F15

Function 09D15FD1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656f42d53fa18af168cd46ca56fe8aa1ec28a63e213dc0b96127740431c8efb3
Instruction ID: ead974e33cce6d63b342fdce56eb692d9779a7afcf9493e4a068692a1870b7d9
Opcode Fuzzy Hash: 656f42d53fa18af168cd46ca56fe8aa1ec28a63e213dc0b96127740431c8efb3
Instruction Fuzzy Hash: D2E0E539D45219DFDB28DF74E4887DDB7B2BB89304F2045A9E009A7601C73989C1CF04

Function 057A7F98 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f3fa667256b4cf79680415b8e2d6efd90ec6edef7a8a40e9c08063a463b171
Instruction ID: f443473169bb798a30fb5119ee43c15d22ae7607375ef437ca1b0fc5a5de78a8
Opcode Fuzzy Hash: 83f3fa667256b4cf79680415b8e2d6efd90ec6edef7a8a40e9c08063a463b171
Instruction Fuzzy Hash: 75E04674C0520CEFCB08EF94E404A9CBBB4FB88300F1081A9DC0463344D7351A55DF84

Function 057AC008 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2098118a3ea0feaa26e1e794765896f6ea1a8771a7a123e0a32113730f56b73c
Instruction ID: 417d43eb212798df3a192066d0f59e5dc262386e4851e7e8c058b37cf6247aa5
Opcode Fuzzy Hash: 2098118a3ea0feaa26e1e794765896f6ea1a8771a7a123e0a32113730f56b73c
Instruction Fuzzy Hash: 51E01234949108EFC744DFA8E94166DFBB8EB49214F1081E9D94957341EB729E41DF41

Function 07733476 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652c477d7840babcd3df4a8856b704bd63e9238b030b16c36e431943f02432da
Instruction ID: fdfcf56e61328bdd315ccee40f6890058a6d9bce460300b737101e92b94c6fc8
Opcode Fuzzy Hash: 652c477d7840babcd3df4a8856b704bd63e9238b030b16c36e431943f02432da
Instruction Fuzzy Hash: 15F0FAB4E056298FCBA4DF24DC8469DBBB1AB49301F1085EA964DA3654EB346E84CF08

Function 054D65EE Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ffc24f21a4f4e165714120dd32a54ce2f3c72ef39d816bbef2cc490c8a321c
Instruction ID: 76b114c23cd3278f9fd02b673ae193522c2cabfcce7801f5e311eb69ecebe195
Opcode Fuzzy Hash: 30ffc24f21a4f4e165714120dd32a54ce2f3c72ef39d816bbef2cc490c8a321c
Instruction Fuzzy Hash: C2F0FA74D4D228DFDBA0DF24D948798BBB1FB08780F0051DAE81DA2644EB786E858F81

Function 054DC2A8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a16e7e5df88525e7880f605759cf2595262672d26c459d5cce9b7b2d3db8f3
Instruction ID: dc2a2731193d5d51de77d49bbd699698d688ad5ffcd24b42c8d776646f67e6c3
Opcode Fuzzy Hash: 46a16e7e5df88525e7880f605759cf2595262672d26c459d5cce9b7b2d3db8f3
Instruction Fuzzy Hash: DCE04634D0520CEFCB08EF94E844A9DBBB4FB48300F1081AADC0463308DB345A54DF84

Function 09D12198 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b11dfd5e0e1f5118e795aa7dacbd21517769e77d324ac5bc67fce712b41f9f
Instruction ID: 60845cae37dd6bf14d0a558d5fd445b6337f70582fb37c98fcdc34772159165d
Opcode Fuzzy Hash: a1b11dfd5e0e1f5118e795aa7dacbd21517769e77d324ac5bc67fce712b41f9f
Instruction Fuzzy Hash: 99D0A7E7EDD18D1ACF5552D86D9C3AC06604B51311F26145BDAB8879C2E850C4434955

Function 07735E60 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02e2881e22409cb56c807b7c6e6e5f3d0f3a165490d03f11507e7b209147ab3
Instruction ID: b9d36446c48c3e4034bdc59105939d29c4ca97c8b3a32d9ac54404d777034432
Opcode Fuzzy Hash: a02e2881e22409cb56c807b7c6e6e5f3d0f3a165490d03f11507e7b209147ab3
Instruction Fuzzy Hash: 52D05E70899208EFC704EFB4E4056ACBFB8EB06605F1042A9D84967341EB711A58DF91

Function 077362E8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f28a565c9ba41544d2b8d163c2fcf24d4b635541791cae06c999e766513a6d7
Instruction ID: bf17cde01d88b6173373210699597da899b98ff4c7799ba67d208a93ea355e1f
Opcode Fuzzy Hash: 7f28a565c9ba41544d2b8d163c2fcf24d4b635541791cae06c999e766513a6d7
Instruction Fuzzy Hash: 3ED02EB080A308CFC306EBF09A002A837709F02B0AF1200EEC5046BB85DB398A04CB0A

Function 0773E6D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7f4df78626fbad2757743cc35e137568aafcea445a867e9facc62e4491ab62
Instruction ID: 9f2830845467fddfe5ab1fef6da4cc4a0e73b66b2e33d85fac1275a4fb142c76
Opcode Fuzzy Hash: 9a7f4df78626fbad2757743cc35e137568aafcea445a867e9facc62e4491ab62
Instruction Fuzzy Hash: E1D05E70549108DFCB04DA95E900A6DB3ACDB8620CF14909C980957382DAB79D01CB80

Function 054DBF30 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b899df33df56cc85ad49fbba2c72fe15a307129b53dc70d2f592812acafbd8c8
Instruction ID: 93df53c0144e7609593c9a4fd321ff04c16ac5e83c6a3776fed6b9c2a2ae9f38
Opcode Fuzzy Hash: b899df33df56cc85ad49fbba2c72fe15a307129b53dc70d2f592812acafbd8c8
Instruction Fuzzy Hash: 5DE0E270D49208ABCB04EFA8E841A9DFBB4EB48304F1181EA884863744DB742A44CF99

Function 09D100B6 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2d6962f9f308385e3be144b03ce34e371c82200acf1ae73ff02cf3e4a1fabb
Instruction ID: f78ace1e44957d3d4a440600c966c6f58be1fb44563a7753722c8bfb9c117aef
Opcode Fuzzy Hash: 7f2d6962f9f308385e3be144b03ce34e371c82200acf1ae73ff02cf3e4a1fabb
Instruction Fuzzy Hash: 32D0A7305C6209DFC319EBA4E6006AE7776EB42619F2045DCDD082B755CB3A5943CB90

Function 09D100B8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c03e9846de8ad680daaff31a8114f9928ff942e5edf3fa738719e3345f881e0
Instruction ID: 0a4ca8222fc8db997d7159c77493b2c7a2267e55b342d820003e74fc382c755c
Opcode Fuzzy Hash: 9c03e9846de8ad680daaff31a8114f9928ff942e5edf3fa738719e3345f881e0
Instruction Fuzzy Hash: C4D01730846208EBC718EFA4E5006ADBB79AB41305F2081A8D90427754DB355A90CB95

Function 09D1C590 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2271c5ce70c71602883274b947f762104581c775751da9ed5cd825c70afaadb4
Instruction ID: bc37223e1591a51a74ccefcd2766db1d6cb5bdc21b66f17c5851056ce2071a4d
Opcode Fuzzy Hash: 2271c5ce70c71602883274b947f762104581c775751da9ed5cd825c70afaadb4
Instruction Fuzzy Hash: 10D05E30C45308EFCB04EFB4E40469CBBB4EB01705F2041E8C9442B744EB359A40CB81

Function 057ABF90 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630ad9f83dd6822fd567e256a02bbfeb7310c399cd50ee753ac09923a621dc77
Instruction ID: b8f7e1bda54171272424df10e436bc31ce429b51139fcb4221c6b79baaf34e6a
Opcode Fuzzy Hash: 630ad9f83dd6822fd567e256a02bbfeb7310c399cd50ee753ac09923a621dc77
Instruction Fuzzy Hash: B8D0A730D4520CDFC704EFA4E409B5DBBB4EB41204F1042E8C80863340EB741E40DF81

Function 0773E708 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05aee265d2985f3c8e5949e72471ae3b743c64543c0ad3d5d2f8c465abe7440
Instruction ID: 1adeb72dd0a6c1afffcf8db200a91384308f6e89aa42735f01042606d57c0475
Opcode Fuzzy Hash: a05aee265d2985f3c8e5949e72471ae3b743c64543c0ad3d5d2f8c465abe7440
Instruction Fuzzy Hash: 15D05E70805308DFCB08EFA4E44069CBBB4EB05609F5041F8C9042B744EB759A40CB81

Function 0773E3E8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678c1578d761e9d68f5a3978e874e457cd185f1bf14c7977c7b87491bb0c0d53
Instruction ID: 02fe22166d607ab1f7ddab187b426ff5892ecdc3143fc636594ba28cec78418b
Opcode Fuzzy Hash: 678c1578d761e9d68f5a3978e874e457cd185f1bf14c7977c7b87491bb0c0d53
Instruction Fuzzy Hash: A4D05E70806308DFCB04EFA4E40069CBBB8EB01609F5041E8C9046B744EB755A85CF81

Function 0773EFC8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f3075ea084414cc5894cea0b070ba4cb9ee9424a0168d83f77839392e7a5b3
Instruction ID: 9055754d43f61cf73644288ea24b72681cec2a61cafd20011006a12a6f920982
Opcode Fuzzy Hash: 44f3075ea084414cc5894cea0b070ba4cb9ee9424a0168d83f77839392e7a5b3
Instruction Fuzzy Hash: 9FD05E70805309DFCB04EFA4E40069CBBB4EB01209F5041F9C9042B748EB759E44CB81

Function 0773DFB8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402ad673934655e7a215602f751fb23c60921e7c6f6a86398aacb39d411b7703
Instruction ID: c47f965bf90f65507162405e6a7c812ed6d75ff694e5bd3c6aebfd6da63d7c76
Opcode Fuzzy Hash: 402ad673934655e7a215602f751fb23c60921e7c6f6a86398aacb39d411b7703
Instruction Fuzzy Hash: 8CD05E70906309DFCB14EFA4E44069CBBB4EF41209F5041E9C9442B748EB355A50CB81

Function 0773DAE0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006b313e572b26862d7664eccb038235fce76c9687b85454e71788deeb279291
Instruction ID: f1e474ab9dd3692206bc43453ac2644009a713ba1ea7236b1818b01158298cbe
Opcode Fuzzy Hash: 006b313e572b26862d7664eccb038235fce76c9687b85454e71788deeb279291
Instruction Fuzzy Hash: 18D05E7080A208DFC714EBB4A5002ACBBB89B05206F5041E9C9442A744EB794A84CB91

Function 0773C6B0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74567234e8b474181992214065f1089c865f75e2b27cdd7e6d2fcc4d7eebf77a
Instruction ID: a3941b81ab6b05564d41e11c8edab5d2f32402b8674e4b6239b620a5c144a895
Opcode Fuzzy Hash: 74567234e8b474181992214065f1089c865f75e2b27cdd7e6d2fcc4d7eebf77a
Instruction Fuzzy Hash: A9D05E7094520CDBC704EBA8E50569DBBB4DB01608F1041E8884823750EB751A44CBA1

Function 054DC228 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9839346b180b56f9d49db1b471f4b2e6e7dc3794008cde1d41c2642749abd76
Instruction ID: a550804c500420b777763b5d2e0f0bcda626d88a5dab0e700a1c93a8055ad917
Opcode Fuzzy Hash: f9839346b180b56f9d49db1b471f4b2e6e7dc3794008cde1d41c2642749abd76
Instruction Fuzzy Hash: 78D05E30C45208EFCB08EFB4E58169CBBB5EB01209F2041EDC94927344EB3A5A54CB91

Function 054D1ADD Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f882c1e06d4fe0579f336c8fcd926c0e35d529a98963add4aa88024e279308
Instruction ID: ebc0a9f6f339107c2d09f87fdfb83aa7de5afbadf2b3046fe9b557444011f383
Opcode Fuzzy Hash: 31f882c1e06d4fe0579f336c8fcd926c0e35d529a98963add4aa88024e279308
Instruction Fuzzy Hash: A0E07574A013288BEB24DF18C894BD8B7B2FB4A704F0080D5E50D62A54DB741F84CF02

Function 054DC0E8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa53c7fab6a068a7e54df208c14a769d2d0555c0f4e92513bb97fc57a377b1f
Instruction ID: 15e9da40a5abde71621f55809a247d14eeef8b2c5d09e15004fcd2a3105df5ef
Opcode Fuzzy Hash: 1fa53c7fab6a068a7e54df208c14a769d2d0555c0f4e92513bb97fc57a377b1f
Instruction Fuzzy Hash: 2BD05E3094520C9BC704EBA4E44169DBBB4EB05604F1081E9884473740EB701A84CB95

Function 030E23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824250240.00000000030E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30e2000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2a5784dfe41593dbf7082597123625320a40ffe1fde8bf840932bd72d42124
Instruction ID: c88fa89b700b0b72af8843a7cec83058a75f1df5b9a68ef2ab4ac34be34c87b0
Opcode Fuzzy Hash: 2f2a5784dfe41593dbf7082597123625320a40ffe1fde8bf840932bd72d42124
Instruction Fuzzy Hash: DBD05BB53066814FD316DB1CC154B5577D8AB51704F5A48F99C408B763C368D5D1D200

Function 057AB818 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f043b6ff29773f9cc432e67dcf115e21641f28ae85a4e4c8ced165cd76489cf
Instruction ID: 6245b15db58627fb185b95b881539bb8006a6f226d76bb63cf92bd83a179f76f
Opcode Fuzzy Hash: 9f043b6ff29773f9cc432e67dcf115e21641f28ae85a4e4c8ced165cd76489cf
Instruction Fuzzy Hash: C2D01270849208DFC704DBA5E805B6E7B7CE74660AF1041A9D40E63744DF751914DB95

Function 077362F8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adda2d78023688d8aacb9cc7a1da0d059a9055fe517db5f17fc33755a5db099c
Instruction ID: 42c45b790f2dd24dc96358ad98d30bdcd56994b070a2ef79a626cb786da1a673
Opcode Fuzzy Hash: adda2d78023688d8aacb9cc7a1da0d059a9055fe517db5f17fc33755a5db099c
Instruction Fuzzy Hash: ECD01270446309EFC718EFA5E804B6D73BDDB42609F1041ECCA0957748DB7A5A44CB95

Function 030E23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3824250240.00000000030E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30e2000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f88b922caf21e354fd1e1dbb4bd84c6f372bcbab1eb20ffa941c89ec06535579
Instruction ID: 135a707279f4009cf0721e0b3a7058128e342a8997ad2415d0f882a7f55719d6
Opcode Fuzzy Hash: f88b922caf21e354fd1e1dbb4bd84c6f372bcbab1eb20ffa941c89ec06535579
Instruction Fuzzy Hash: 11D05E343052814FD715EA1CC2D4F59B3D8AB40704F2A88E9AC108B262C3B4D881CA00

Function 09D1429D Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e076e95dc04a6b3a2fe37efc18d3fd3807ee45913559a213aea9abd7fc9bba
Instruction ID: c0e511f5595aecf984a78721009f34628effa46faca11bc5eb1e2ab0f66903da
Opcode Fuzzy Hash: 51e076e95dc04a6b3a2fe37efc18d3fd3807ee45913559a213aea9abd7fc9bba
Instruction Fuzzy Hash: 5EE046B4E021288FEB21DF20DA406DEBBB0EF8A300F4080AA819573240C7344E80CF12

Function 057AD500 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b78c8544863ef239021264bf0c6419e0ca41138c6ae464bf0696f599c32019
Instruction ID: 422b390a56cb8c9e535cd4bfb717353ce272c4627e5c35f1c1c7d85e3d76490f
Opcode Fuzzy Hash: b4b78c8544863ef239021264bf0c6419e0ca41138c6ae464bf0696f599c32019
Instruction Fuzzy Hash: DCD01270449109DFC714EBA5E40975DB7FCE709209F104AA5EC0A93740DB755900EF51

Function 054D562F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a651bccf581b7bfe21c51691a01c9db78f72947b0fc7dd678f77b5b6240ce3
Instruction ID: bb50d6093426d74354a7b1ee39d9cbd286121832939d54ce38ba084815746001
Opcode Fuzzy Hash: 70a651bccf581b7bfe21c51691a01c9db78f72947b0fc7dd678f77b5b6240ce3
Instruction Fuzzy Hash: C7E0E2B4D023288EFB25DF25C848AD9FBB2BF84314F0080D6800D22205EB340A868F00

Function 054DC1F0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3615f04c6084e652d74a976f5d1bc2a31520e243de1df0d4df92b92be7c369c6
Instruction ID: 1e17de1a5532160a70f9f4447f17132cf46cf503d1c86e4d74eb61991f380155
Opcode Fuzzy Hash: 3615f04c6084e652d74a976f5d1bc2a31520e243de1df0d4df92b92be7c369c6
Instruction Fuzzy Hash: 4CC012309891199BC704EBA5A45975FB3FCD70A209F1045DA981D53705EA751D00DB91

Function 07736943 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098fad17976142741e981e078bb91fc384328afeec24c368ad2884da55b2b6e3
Instruction ID: 05276bfffbd3d7b9e8a4857ded2c8f59c797e4c18451a99497b8e920596092e7
Opcode Fuzzy Hash: 098fad17976142741e981e078bb91fc384328afeec24c368ad2884da55b2b6e3
Instruction Fuzzy Hash: 10C08C712C650706C28833D5780E77E73EC9742008FC85659262E2A949EE6450009AB6

Function 077302CB Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4b3a2972ea21cd101cb24398ba227612369b562baa1c7bcfd34ee632b54ef1
Instruction ID: 40949f7d7b3e68e5f2662735c82fbfdc8bcf30d9362a005d4ac13bbe4d3d5f77
Opcode Fuzzy Hash: 0b4b3a2972ea21cd101cb24398ba227612369b562baa1c7bcfd34ee632b54ef1
Instruction Fuzzy Hash: D2E0BD70A022299FDB60EFA4E848B8CB7B1FB49214F0045E9C00AA2664DB341E80CF04

Function 09D121A8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaffff99230cded1d706bcd0c066b83d5f298533d5eccf8b2cd53ccc2edaeb3
Instruction ID: 1cd5a86b7ad655243c3eaf025741760883316702dd9fc8b02664caac26086eb6
Opcode Fuzzy Hash: adaffff99230cded1d706bcd0c066b83d5f298533d5eccf8b2cd53ccc2edaeb3
Instruction Fuzzy Hash: 6CC02B322C911506C64C77D53C0C37D72FC8781108F844116432D26C54FDA400408F76

Function 057AD948 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a873ab5940abaa0ec8628f945bf81c9749f3838378c116a8401fd4798d9901a
Instruction ID: ea49a81b5e6a3092814c4e5d5af6c8d774aa369ecd04f98916ec3f98a736be9b
Opcode Fuzzy Hash: 9a873ab5940abaa0ec8628f945bf81c9749f3838378c116a8401fd4798d9901a
Instruction Fuzzy Hash: 84C02B312CD10707C35833D5780D37DB3FCD781008F884A25021F16C44DD644080EB76

Function 057A6A08 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33516ebc565bb12272047426e5d9d8e6416890db59a6515f22ba9f458a14e96c
Instruction ID: 232526337112b331220c7883c06393153fab5ab4d45fba9f03021f903f42a0ea
Opcode Fuzzy Hash: 33516ebc565bb12272047426e5d9d8e6416890db59a6515f22ba9f458a14e96c
Instruction Fuzzy Hash: 31C08C310CA2184EC25877D5B80C36C72DCE74654DF48812A820E26C58DFA90400CF66

Function 057A98C8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f043f346359cf3937848453de7e96bf77df286e1382a9e9d99cee55a9bbaa206
Instruction ID: d2447aacab3ac754ef371b3805fb436c29ff1149aa59e0a84acdea9ede94b910
Opcode Fuzzy Hash: f043f346359cf3937848453de7e96bf77df286e1382a9e9d99cee55a9bbaa206
Instruction Fuzzy Hash: C6C02B312CB1194BC18873E5780C37D71CC8781008F444255431F27C44EF6400109B76

Function 07736948 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060a78d4ef808b339f19c0e8e7686e62071392a3717d4f0e1562370861f26380
Instruction ID: 783d6b694aa60475dadc8d49893f264fd4fc71a5b425e2f9c5cc2bd43dc218a8
Opcode Fuzzy Hash: 060a78d4ef808b339f19c0e8e7686e62071392a3717d4f0e1562370861f26380
Instruction Fuzzy Hash: D0C02B702C550706C28833D5380C37D73DC8742008FC8455D031D1A849EE6400009BB6

Function 0773D848 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c235d924832416ed6033be0163fd2de0b0d1cb652a42be1328a4d39ece7d27f
Instruction ID: 11d212642fb7301e001c742c8e67093912f7151261a849675aab4f938f433cac
Opcode Fuzzy Hash: 7c235d924832416ed6033be0163fd2de0b0d1cb652a42be1328a4d39ece7d27f
Instruction Fuzzy Hash: 13C02BF03C650706C29C33D5381C3BDB3DC8741008F8C4529021D16845DF641000DB76

Function 057A34DB Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf07a17b8445d51c7d0839a5501debf61814f8946a29cfe0b19e749fb51da4e
Instruction ID: 352329da1a46129bbc07c579ae2c9e177f281ae68d885b84e5cd9d3f95fb9914
Opcode Fuzzy Hash: fbf07a17b8445d51c7d0839a5501debf61814f8946a29cfe0b19e749fb51da4e
Instruction Fuzzy Hash: D2D09234915318DFE720EF10CC58BAEB631FF45741F004294D10A66190C7792D80CE45

Function 054DC498 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8472c38f30421daa9496d50f1ccf2a550554bc7361249e792d07bdce0ec5bffb
Instruction ID: f4866635fa2e9c5e6820b3d4d7812bbe4dee8a40e9e12b5a3e3c12c1a8166bc7
Opcode Fuzzy Hash: 8472c38f30421daa9496d50f1ccf2a550554bc7361249e792d07bdce0ec5bffb
Instruction Fuzzy Hash: E6B02B3008A2054AC2043240750C33A729CD30B60DF000891C10D00D044BE80800CA65

Function 054DC468 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cd7e4380f12d915ad19fd16c80227173d6c0a2488302a50ba3cee296994d58
Instruction ID: 27f883a24d090eb1e6e76623d77d2467367c4679a9fcdd3131d1ef804097b46a
Opcode Fuzzy Hash: 89cd7e4380f12d915ad19fd16c80227173d6c0a2488302a50ba3cee296994d58
Instruction Fuzzy Hash: B8B012300CE61D45C29833DA785C7FFF2DC970660CF8441A7869D16ED56EA85450CEFA

Function 054D14B0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705837801fb8cac725610a7fe2cc17028155c1741d424832bec3f1562d126eed
Instruction ID: b8ee144f0213f3a50740386c90b4d0b6eafb40eb799b99dcd8b6b7d7aa665c9d
Opcode Fuzzy Hash: 705837801fb8cac725610a7fe2cc17028155c1741d424832bec3f1562d126eed
Instruction Fuzzy Hash: B1C08C30A852088AE304EF10C8587FAB2BBFB8D700F40408098092A184CB3648418A00

Function 054D0D0A Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e634c3e30cbb3a5e7b3acf02e7a96f4ba37dd5c6e2e57f6affed4ff56107bd6
Instruction ID: 08e49ff6477f264360b67ff9d074752eb4ab5fc98daf12924689849e0fa546e7
Opcode Fuzzy Hash: 2e634c3e30cbb3a5e7b3acf02e7a96f4ba37dd5c6e2e57f6affed4ff56107bd6
Instruction Fuzzy Hash: 64D0CAB4C012288FEB24CF20CD59BDDFBB0AB08301F0040EA880DA3240D7305E828F24

Function 09D13FC0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb190d1ef847a65055d4ca9e28eb24cd2545fbc4aecdcf61c1da67e1c559b63
Instruction ID: 6d8cf7c18ee397e136f269b4a7d8ac1a05bb02d26a84492b11f6ce23dcdf3897
Opcode Fuzzy Hash: acb190d1ef847a65055d4ca9e28eb24cd2545fbc4aecdcf61c1da67e1c559b63
Instruction Fuzzy Hash: 80C04C74545015DFD711EF01E6A9BE977F5EB49388F001195D50927291C7349D048B50

Function 09D132DD Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb613711339607c37d236703be92aa5762e10df1982ec960bff27c7e623eaec4
Instruction ID: b88905c379dfa51577b8d5d7ab5218d2c27e23a14a2bdc1efe6c0af016a6e289
Opcode Fuzzy Hash: eb613711339607c37d236703be92aa5762e10df1982ec960bff27c7e623eaec4
Instruction Fuzzy Hash: 0BC08C34546100CBE314CF00C088AA8BBB0EB41344F000490C18533250CA78DCC08E01

Function 09D1282E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f06bb4c1c957423a21e3d0f81e01e55df0a366e1c9110f6b282dc3c607e5e2a
Instruction ID: 7554a1518757451530061cdd2498c6212d398b5bcb79528e7c10eec815d0004c
Opcode Fuzzy Hash: 2f06bb4c1c957423a21e3d0f81e01e55df0a366e1c9110f6b282dc3c607e5e2a
Instruction Fuzzy Hash: C4B09272A43148DBE724DBA4E694A9E77B1EB453C4FA0A018C1222728887795C088A4A

Function 054D2092 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e451743a7373dce5ddddedbbe25cc0148a77b5e2f383863f233d2508d638005
Instruction ID: dacb8a76ff1032ec30aa0bc9576efcfceb8ece1fa8b62903ef76878a5c02a606
Opcode Fuzzy Hash: 9e451743a7373dce5ddddedbbe25cc0148a77b5e2f383863f233d2508d638005
Instruction Fuzzy Hash: 45A001708053188EFBB49B20955C7D9BA61B706746F009286A01EA2645DB784A8E9E66

Non-executed Functions

Function 054D03F8 Relevance: 3.9, Strings: 3, Instructions: 159COMMON

Download Yara Rule

Strings

dSyl, xrefs: 054D0619
:@Rl, xrefs: 054D0540
,)yl, xrefs: 054D04D1

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID: ,)yl$:@Rl$dSyl
API String ID: 0-2862802100
Opcode ID: 3fbe09c3e27eb9208cfbe3d9de78bafeef15b130608ef7fb6b0fb0b721c90117
Instruction ID: 9e5ad5d43ba38b4ea7db631dc14c1edea0cf4be22f72c9bcb0fc12d4ad12ebfd
Opcode Fuzzy Hash: 3fbe09c3e27eb9208cfbe3d9de78bafeef15b130608ef7fb6b0fb0b721c90117
Instruction Fuzzy Hash: 4C614F70A022098FE758EF6AE94478DBBF6FFC5304F44C139D108AB658DB7A5906CB51

Function 054D0408 Relevance: 3.9, Strings: 3, Instructions: 154COMMON

Download Yara Rule

Strings

dSyl, xrefs: 054D0619
:@Rl, xrefs: 054D0540
,)yl, xrefs: 054D04D1

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID: ,)yl$:@Rl$dSyl
API String ID: 0-2862802100
Opcode ID: b5a925b8a19bc5ea80be5eb78fd54728a63f87b909c192b23a809680c5337380
Instruction ID: 01aaa13c764a2e93fae734d7aa8a7433cf52753d9db82a898a5f1af5231febd0
Opcode Fuzzy Hash: b5a925b8a19bc5ea80be5eb78fd54728a63f87b909c192b23a809680c5337380
Instruction Fuzzy Hash: 49613D70A022098FE758EF6AE94478DBBF6FFC5304F44C139D108AB658DB7A59068B51

Function 07730007 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

7, xrefs: 0773019C

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 0266d059876496b462c21644673dcf4e94269974a8520d31e5936256302a4b4b
Instruction ID: 1009dbc958b7e24910f45d17b3da8818108695f59509fccac7529c8e953f11e0
Opcode Fuzzy Hash: 0266d059876496b462c21644673dcf4e94269974a8520d31e5936256302a4b4b
Instruction Fuzzy Hash: AA51CAB1D057548FEB19CF678C5069ABEF3AFC6200F19C1FAC44CAA266EB7409468F11

Function 07730070 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

7, xrefs: 0773019C

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 1ffc28a133648410187206e93401a89bba5283ae6e3017ad416a583b21da49b0
Instruction ID: d444df57092b0a26a303b2bc3a96bf847196091f0202b32cb4401349ddf6beee
Opcode Fuzzy Hash: 1ffc28a133648410187206e93401a89bba5283ae6e3017ad416a583b21da49b0
Instruction Fuzzy Hash: 054151B1D05A188BEB6CCF6BCC4079EFAF7AFC9241F14C5B9840CA6255EB7405858F11

Function 09D13F3E Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

:@Rl, xrefs: 09D13E75

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: :@Rl
API String ID: 0-46225596
Opcode ID: 116e38acfc44c802f7e7888c7694e54fccbd7fee2a77c8e053b86bdac5742923
Instruction ID: 86e3046921fe1b5a269b8b52af7599553c1ff7f3542d4396c39ec62fe4291029
Opcode Fuzzy Hash: 116e38acfc44c802f7e7888c7694e54fccbd7fee2a77c8e053b86bdac5742923
Instruction Fuzzy Hash: 93013C75D85218DBCB64DF99E9447EDFBB4FB46304F0050A6D119B7600C3708985CF05

Function 09D13E70 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

:@Rl, xrefs: 09D13E75

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID: :@Rl
API String ID: 0-46225596
Opcode ID: 627f2e14af27dce41d32d6af70d591db9e2b627eabd55da6e6744189179ebb0a
Instruction ID: bd6ab21bb653fe0bd24e57187c3435e3d90836b38aabacc0ff1006450d646226
Opcode Fuzzy Hash: 627f2e14af27dce41d32d6af70d591db9e2b627eabd55da6e6744189179ebb0a
Instruction Fuzzy Hash: B8F03775D85218DBCB64EF99E9447EDFBB8FB4A304F1050A6D128B7600C3708A81CF05

Function 054D07E8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1927d48054602685e52822ff4d5fd1e4e02fef6601882ec009bdde792cfaf744
Instruction ID: d934ef2dd643c660a056de4f5d743a02a89039b0fc802bc4f98315342001d5ca
Opcode Fuzzy Hash: 1927d48054602685e52822ff4d5fd1e4e02fef6601882ec009bdde792cfaf744
Instruction Fuzzy Hash: 4561BAB1D056959BEB29CF2ACD447E9BAB3BFC9304F14C0FA94486A518D7320A85EF41

Function 02733F39 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3823758871.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66343a0297263836eb4b9e5317cce3344386db575891b78461a4a0443df1a159
Instruction ID: c672a42c4154a26bed5eb3433789f33f8b5638bdede3973ff2055016a38eda02
Opcode Fuzzy Hash: 66343a0297263836eb4b9e5317cce3344386db575891b78461a4a0443df1a159
Instruction Fuzzy Hash: B651B7B9901B01CFC7A5CF69C580A46BBF5BF0C7107104A6AE99ACB751E730E941CF94

Function 0773F6C0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8b80e27f3f05456fbf456d469c2e86dd25e146f289439abc3d8862c215d37b
Instruction ID: 68a3cb2761a8304014dbe3e18256c29f64b8323a3e31a7ec3fbf2cc038ae6be6
Opcode Fuzzy Hash: af8b80e27f3f05456fbf456d469c2e86dd25e146f289439abc3d8862c215d37b
Instruction Fuzzy Hash: C15131B0E06209DFEB00DFA4D848BEEBBF1EB49385F20952AE505B3291D7781A44CF50

Function 054D07F8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3828831048.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec090bf34569fb625306b671c8d348c5d502ef1f9fb90884ff535bd0461028f
Instruction ID: 2c114cde438f0786fd91e1db723401ffc94048dacfbebe17829c395e5bbe0c55
Opcode Fuzzy Hash: bec090bf34569fb625306b671c8d348c5d502ef1f9fb90884ff535bd0461028f
Instruction Fuzzy Hash: 18516071D056598BEB28CF2BCD447DAFAF3AFC8300F04C1FA844CA6654EB700A819E51

Function 057AD120 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fcb5c70c249047e4036d48acab95e2573bc9eeb08f74aa81b4e712bff38f92
Instruction ID: 1ac215107190d47e7f6476592a66795c29b60f3d10ac8ad7f82769b3a08ab348
Opcode Fuzzy Hash: 98fcb5c70c249047e4036d48acab95e2573bc9eeb08f74aa81b4e712bff38f92
Instruction Fuzzy Hash: D7414471D19208CFCB10CFA5C484BEEBBF2BB8A304F0596AAC419B7680C7784A84DF55

Function 057A0047 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6903b28a73a772bb5171dcbe80b2f1543b6b5d084e90232d49682c2eb424b74b
Instruction ID: f6fd1a531a523761123d9dc2d64cc4d0869bf2ead34e05e1c1b62506dff4f1c3
Opcode Fuzzy Hash: 6903b28a73a772bb5171dcbe80b2f1543b6b5d084e90232d49682c2eb424b74b
Instruction Fuzzy Hash: FE4142B1E056188BEB5CCF6B8D4478AFAF3AFC9300F14C1B9854CAA255EB3109968F01

Function 057A0070 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3829241482.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_57a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e300bf03d8677c8e714563bfe052a402c22b6935201d7d9719cdc5f88be4e902
Instruction ID: f33c8a2c4ec38352d4839442daf4af45bf0d698d5c604f539eab26cfdcb8ddad
Opcode Fuzzy Hash: e300bf03d8677c8e714563bfe052a402c22b6935201d7d9719cdc5f88be4e902
Instruction Fuzzy Hash: 60415CB1E056188BEB68CF6BCD4479AFAF7AFC9300F14C1BA854DA6254DB3109958F01

Function 09D13D20 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4dc389d58e54912883a21d8ca2f30e850552ec19bc27b625398702e15a322b6
Instruction ID: c2bf14155bd3d52f1dfa6ce74357c80567c5b0ab3afa197c59f9507826ec2f18
Opcode Fuzzy Hash: e4dc389d58e54912883a21d8ca2f30e850552ec19bc27b625398702e15a322b6
Instruction Fuzzy Hash: 6721AC71D85259EBDB29CFAAE8847EDFBF9EF89300F0084AAD418A7655D7304585CF01

Function 09D13D30 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3d2a6e9593b576df0dacc31e6f67deeef4406d4586e96a3b321024d8413ce3
Instruction ID: 10e934ee4f5a1931277b76067a9034cfc0396f64e05dc0eb03b52c7f1df345f2
Opcode Fuzzy Hash: bc3d2a6e9593b576df0dacc31e6f67deeef4406d4586e96a3b321024d8413ce3
Instruction Fuzzy Hash: CB116A71D85228EBDB28DFAAE8447EEFBF9EB89300F0081B9D41CA3654DB7045808F40

Function 0773E748 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3830075926.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c7bbde95cffbb6a953add526be48b3bab9badb2d899f282ed3a6d6bb45d74f
Instruction ID: d0a035a08321c60b6842fb5fe6e17b69c1895423043de2c139e3d990f0da2d27
Opcode Fuzzy Hash: 46c7bbde95cffbb6a953add526be48b3bab9badb2d899f282ed3a6d6bb45d74f
Instruction Fuzzy Hash: CE21B3B1E04618CBEB18CF6BD84179EFAF7AFC9210F04C0BAD54CA6255EB7019468F51

Function 09D14108 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d496daa49a6cca9c81f9f8cbfd9e9675c034bf534a5665ce9526c1a33f74e25f
Instruction ID: 704b9b08756fd3f48a0835069980d3b4b743ef388464550935ab16ba906e17a8
Opcode Fuzzy Hash: d496daa49a6cca9c81f9f8cbfd9e9675c034bf534a5665ce9526c1a33f74e25f
Instruction Fuzzy Hash: D721C3B5D46228DFEBA0DF94E988BECF7B8BB49350F1014A9D50DA3251C7748A84CF04

Function 09D13FE5 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f491dceb8f0bd58192a7096415aaa9d19bc0dabf92ebace617cbdc8e9d22b1
Instruction ID: af24d3d8a0bf86135c6afc7429c263b747e6606c65e43e00c1490ca7139a0080
Opcode Fuzzy Hash: 68f491dceb8f0bd58192a7096415aaa9d19bc0dabf92ebace617cbdc8e9d22b1
Instruction Fuzzy Hash: 4C11C075D45228DFDBA2DFA4E944BACFBB8FB49304F1064A9D508B3244C7709A81CF01

Function 09D13ECA Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343947a3a53b9cb875043f79eda37bec0b4f49569919f9115d66cdbfbb6b8509
Instruction ID: ed6e76fedecc7c69e2188b00d4d59c040fcccc717170bcab7b98c9353e37291b
Opcode Fuzzy Hash: 343947a3a53b9cb875043f79eda37bec0b4f49569919f9115d66cdbfbb6b8509
Instruction Fuzzy Hash: 5311E371E442289FCB65DFA5D9447EDFBB8FF8A304F0051A6E598A3250C7704A81CF02

Function 09D13F44 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ee428f8f67d8e64430b79cf55a2bfe82cf0447ac1f48342d03825b64592fe7
Instruction ID: 98c005be5a66e5a7a3cdfbcddfdf0d1580eaa0fe08682fe6f3b3708098a264a3
Opcode Fuzzy Hash: c3ee428f8f67d8e64430b79cf55a2bfe82cf0447ac1f48342d03825b64592fe7
Instruction Fuzzy Hash: 12119E75D49228DBDB60EFA8E9487EDFBB4FB4A304F0041AAD519A7650C7718A85CF01

Function 09D14C35 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6956ba418cd827afb73ecd09fd7f6ed20158eb8edd8415a496406a473d6c8f
Instruction ID: c8505c920f7bcd63fa6fe86015f3942471c2151675163802e87a66ffc3932368
Opcode Fuzzy Hash: 4b6956ba418cd827afb73ecd09fd7f6ed20158eb8edd8415a496406a473d6c8f
Instruction Fuzzy Hash: AB11AC75D44228EBDB60EFA5E9587ECFBB4AB4A314F1091A6D61CA3250C7708A85CF41

Function 09D1B860 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44682b0196d45dca97b7d549d16074292570deb5818934d4bbce33b4c32afa4
Instruction ID: f3128b1e97c67c0820e7f5a07227ea504a30dbd4810371d439d6fb962e996ea7
Opcode Fuzzy Hash: b44682b0196d45dca97b7d549d16074292570deb5818934d4bbce33b4c32afa4
Instruction Fuzzy Hash: 03018F31D84219EBDB24CFA9E841BEDFBF9EB8A300F004076C14DE3A41EB3499458B80

Function 09D13E00 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c397294c70253358d1bd4d0dd6538734e60eaf61352081cab821e3ad105f73f8
Instruction ID: 6efe6e8daff995ac1e271caaf9958d85c5c0de65ac476c609b46b0fbe32390b6
Opcode Fuzzy Hash: c397294c70253358d1bd4d0dd6538734e60eaf61352081cab821e3ad105f73f8
Instruction Fuzzy Hash: 57010475D85268EBDB60DFA5E9847ECFBB4EB4A340F1091A6D129B3650DA708A81CF01

Function 09D141BA Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eccf900cede3d5784d6a09b4d6e9b7e6d28bbbf16fd44c692cb23104ce53457f
Instruction ID: cadd1558d81b15227ae4831e121b40496a0b08136d252d59aadb77b5be651ca8
Opcode Fuzzy Hash: eccf900cede3d5784d6a09b4d6e9b7e6d28bbbf16fd44c692cb23104ce53457f
Instruction Fuzzy Hash: 8301D672D85218EFCB619F95E9487ECFBB4EB49345F1050A6D118B3651C7B08A85CF01

Function 09D13E46 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d6973ed4101073c57c0c181f9d9928624964b8056fd4a634f59e3c0c7f4793
Instruction ID: 885f94632d716675a6ef33d659ef0bad677463f1136fce2152d0250dd421c46a
Opcode Fuzzy Hash: 14d6973ed4101073c57c0c181f9d9928624964b8056fd4a634f59e3c0c7f4793
Instruction Fuzzy Hash: 7DF04936D89218DFCB60DF98E984BECFBB8FB4A304F1051A6D118A3650C3B08A81CF01

Function 09D1336C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5619e24678290285d6a48407589c93c8e3aff73483004a3743636f4bde8492b
Instruction ID: 26c23c84bc5b5eaf68994e6fad2d5e6b3450b04ac787ee23f6c2628247c86f38
Opcode Fuzzy Hash: c5619e24678290285d6a48407589c93c8e3aff73483004a3743636f4bde8492b
Instruction Fuzzy Hash: 3DB09227E89018A61A0008C474000FCE330E587179F2122A3C628B38A195218A29058A

Function 09D133E7 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3831938372.0000000009D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9de353fcc20bbcccf18db29ec3190b3825e74611e7d5f83c820b5b23db5c1f
Instruction ID: 9d0d10b20418e25b790cbe1124db51d14dea5ffd1d0c627a4d1540dd67dbf400
Opcode Fuzzy Hash: be9de353fcc20bbcccf18db29ec3190b3825e74611e7d5f83c820b5b23db5c1f
Instruction Fuzzy Hash: E8B0113BE88008FA2E200CC8B8000F8F330E0CA2BAF0020A3C22CB38008222C228028C

Analysis Process: vbc.exePID: 7944, Parent PID: 7556COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.7%
Total number of Nodes:	1477
Total number of Limit Nodes:	45

Executed Functions

Function 0040724C Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 143
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004072AE
memset.MSVCRT ref: 004072C2
memset.MSVCRT ref: 004072DC
memset.MSVCRT ref: 004072F1
GetComputerNameA.KERNEL32(?,?), ref: 00407313
GetUserNameA.ADVAPI32(?,?), ref: 00407327
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
strlen.MSVCRT ref: 00407364
strlen.MSVCRT ref: 00407373
memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407385

Strings

i, xrefs: 00407274
b, xrefs: 0040727C
5, xrefs: 00407290
}, xrefs: 00407294
}, xrefs: 004072A0
O, xrefs: 00407298
H, xrefs: 004072A4

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$ByteCharMulusermeWidestrlen$ComputerUsermemcpy
String ID: 5$H$O$b$i$}$}
API String ID: 1832431107-3760989150
Opcode ID: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
Instruction ID: 8a8033fc9206e0c4c361a826d49ab5f0cafd1e40d7200dcd25d3d532c5214641
Opcode Fuzzy Hash: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
Instruction Fuzzy Hash: AC510871C0025DBEDB11CBA8CC41AEEBBBDEF49314F0442EAE955E6191D3389B84CB65

Function 00403C3D Relevance: 24.7, APIs: 3, Strings: 11, Instructions: 170
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E894: FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0

LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C5C
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C71
strcpy.MSVCRT(?,?), ref: 00403E45

Strings

www.google.com/Please log in to your Google Account, xrefs: 00403CC1
pstorec.dll, xrefs: 00403C57
Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CFD
Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D95
www.google.com/Please log in to your Gmail account, xrefs: 00403CAD
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D69
www.google.com:443/Please log in to your Gmail account, xrefs: 00403CB7
www.google.com:443/Please log in to your Google Account, xrefs: 00403CCB
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403D22
Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D62
PStoreCreateInstance, xrefs: 00403C6B

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProcstrcpy
String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
API String ID: 2884822230-961845771
Opcode ID: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
Instruction ID: d05da07ce2d894a49ef5f331cfc6c83e82fbb8602fa7f27bb7646818df223e42
Opcode Fuzzy Hash: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
Instruction Fuzzy Hash: 9B51D771600605B6D714BF72CD46BEABB6CAF00709F10053FF905B61C2DBBCAA5587A9

Function 00406EC3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406ED9
FindNextFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406EF7
strlen.MSVCRT ref: 00406F27
strlen.MSVCRT ref: 00406F2F

Strings

rA, xrefs: 00406F12

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileFindstrlen$FirstNext
String ID: rA
API String ID: 379999529-474049127
Opcode ID: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
Instruction ID: 479c8733b6b08075922562257f7174063dbd0ea9e1486761d8d5d3546bede414
Opcode Fuzzy Hash: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
Instruction Fuzzy Hash: 00118272005205AFD714DB34E844ADBB3D9DF44324F21493FF55AD21D0EB38A9548758

Function 0040ED0B Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0040ED18
SizeofResource.KERNEL32(?,00000000), ref: 0040ED29
LoadResource.KERNEL32(?,00000000), ref: 0040ED39
LockResource.KERNEL32(00000000), ref: 0040ED44

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
Instruction ID: 6bf1e5af94a697a74b0619517749427008784a8e56cd275cc50dd62f01ccc87b
Opcode Fuzzy Hash: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
Instruction Fuzzy Hash: 450104367002126BCB185F66CD4599B7FAAFF852903488536AD09DA360D770C921C688

Function 00401E8B Relevance: 52.8, APIs: 19, Strings: 11, Instructions: 261
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00401EAD
strlen.MSVCRT ref: 00401EC6
strlen.MSVCRT ref: 00401ED4
strlen.MSVCRT ref: 00401F1A
strlen.MSVCRT ref: 00401F28
memset.MSVCRT ref: 00401FD3
atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402002
memset.MSVCRT ref: 00402025
sprintf.MSVCRT ref: 00402052

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

memset.MSVCRT ref: 004020A8
memset.MSVCRT ref: 004020BD
strlen.MSVCRT ref: 004020C3
strlen.MSVCRT ref: 004020D1
strlen.MSVCRT ref: 00402104
strlen.MSVCRT ref: 00402112
memset.MSVCRT ref: 0040203A

Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4

strcpy.MSVCRT(?,00000000), ref: 00402199
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004021A3
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004021BE

Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F

Strings

Software\Mozilla\Mozilla Thunderbird, xrefs: 00401FA8
Install Directory, xrefs: 0040205F
Software\Qualcomm\Eudora\CommandLine, xrefs: 00401F66
nss3.dll, xrefs: 004020FF, 00402127
Mozilla\Profiles, xrefs: 00401EC0, 00401EC5, 00401EED
Software\Classes\Software\Qualcomm\Eudora\CommandLine\current, xrefs: 00401F8C
%s\Main, xrefs: 0040204C
sqlite3.dll, xrefs: 00401FF6, 004020C2, 004020E7
Thunderbird\Profiles, xrefs: 00401F0F, 00401F3D
current, xrefs: 00401F61
%programfiles%\Mozilla Thunderbird, xrefs: 004021B9

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strlen$memset$Closestrcpy$AttributesEnvironmentExpandFileStringsatoisprintfstrcat
String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
API String ID: 2492260235-4223776976
Opcode ID: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
Instruction ID: fcae88f02dbfb35d0bd4b12665d2d891c1e7b320b053452542e36e55e3802549
Opcode Fuzzy Hash: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
Instruction Fuzzy Hash: C891E472904158BADB21E765CC46FDA77AC9F44308F1004BBF609F2182EB789BD58B5D

Function 0040B9AD Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404837: LoadLibraryA.KERNEL32(comctl32.dll,76F90A60,?,00000000,?,?,?,0040B9C9,76F90A60), ref: 00404856
Part of subcall function 00404837: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
Part of subcall function 00404837: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,76F90A60), ref: 0040487C
Part of subcall function 00404837: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004048A7

??3@YAXPAX@Z.MSVCRT(?), ref: 0040BBF8
DeleteObject.GDI32(?), ref: 0040BC0E

Strings

Failed to load the executable file !, xrefs: 0040BA9F
/deleteregkey, xrefs: 0040BA4D
Software\NirSoft\MailPassView, xrefs: 0040BA5B
, xrefs: 0040B9E7
/savelangfile, xrefs: 0040BA1F
Error, xrefs: 0040BA9A

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MailPassView
API String ID: 745651260-414181363
Opcode ID: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
Instruction ID: 29be9d14b742f54cd69d53bb86675b71f99c80547e1740e7b57482248bd42427
Opcode Fuzzy Hash: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
Instruction Fuzzy Hash: 9D518D71108345ABC7209F61DD09A9BBBF8FF84705F00483FF685A22A1DB789914CB5E

Function 0040D9F9 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 101
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA2A
RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA44
RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E70,?), ref: 0040DA6F
RegCloseKey.ADVAPI32(?,?,?,?,?,00403E70,?), ref: 0040DB20

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,76DBEC10), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

memcpy.MSVCRT(?,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,00001000,?,?,?,?,?,00403E70,?), ref: 0040DADD
memcpy.MSVCRT(?,?,?), ref: 0040DAF2

Part of subcall function 0040D6FB: RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
Part of subcall function 0040D6FB: memset.MSVCRT ref: 0040D743
Part of subcall function 0040D6FB: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
Part of subcall function 0040D6FB: RegCloseKey.ADVAPI32(?), ref: 0040D858

LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E70,?), ref: 0040DB16
RegCloseKey.KERNELBASE(?,?,?,?,?,00403E70,?), ref: 0040DB2A

Strings

Software\Microsoft\IdentityCRL, xrefs: 0040DA20
Dynamic Salt, xrefs: 0040DA3B
Value, xrefs: 0040DA5E
%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 0040DAB4, 0040DADB

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
API String ID: 2768085393-1693574875
Opcode ID: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
Instruction ID: 6117dd664a6da5d1700893ef21bfd696e4846e6baba0a559227c27352822965f
Opcode Fuzzy Hash: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
Instruction Fuzzy Hash: 95316D72504344AFD700DF55DC40D9BBBECEB88358F40493EFA84E2160E774DA188B6A

Function 00411654 Relevance: 18.1, APIs: 12, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,004123E0,00000070), ref: 00411669
__set_app_type.MSVCRT ref: 004116C2
__p__fmode.MSVCRT ref: 004116D7
__p__commode.MSVCRT ref: 004116E5
__setusermatherr.MSVCRT ref: 00411711
_initterm.MSVCRT ref: 00411727
__getmainargs.MSVCRT ref: 0041174A
_initterm.MSVCRT ref: 0041175D
GetStartupInfoA.KERNEL32(?), ref: 0041179C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004117C0
exit.KERNELBASE ref: 004117D3
_cexit.MSVCRT ref: 004117D9

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 3662548030-0
Opcode ID: 41bf5769df4a83a18def14d6c53a8daf24d942208a748090405ecb1c565cbbc5
Instruction ID: d7daaed26df3896bd014a213398510a4c94beeaf1e1b2d32e797684dc565bfa8
Opcode Fuzzy Hash: 41bf5769df4a83a18def14d6c53a8daf24d942208a748090405ecb1c565cbbc5
Instruction Fuzzy Hash: 60416DB0D40218DFCB209FA4D984AED7BB4AB08314F24857BE661D72A1D77D99C2CB5C

Function 00410D1B Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 97
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00410D3C

Part of subcall function 00406734: strlen.MSVCRT ref: 00406736
Part of subcall function 00406734: strlen.MSVCRT ref: 00406741
Part of subcall function 00406734: strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758

Part of subcall function 0040EE59: memset.MSVCRT ref: 0040EEAE
Part of subcall function 0040EE59: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
Part of subcall function 0040EE59: strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25

memset.MSVCRT ref: 00410DAA
memset.MSVCRT ref: 00410DC5

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 00410DFE
strlen.MSVCRT ref: 00410E0C
_stricmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?,?), ref: 00410E32

Strings

Software\Microsoft\Windows Live Mail, xrefs: 00410DDB
Store Root, xrefs: 00410DD6
\Microsoft\Windows Mail, xrefs: 00410D5A
\Microsoft\Windows Live Mail, xrefs: 00410D81

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$strlen$Close$EnvironmentExpandStrings_stricmpstrcatstrcpy
String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
API String ID: 4071991895-2578778931
Opcode ID: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
Instruction ID: 656a87abbde68b626b6b67706479efffa51c3f1aad4b8967eb2d69b922da332e
Opcode Fuzzy Hash: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
Instruction Fuzzy Hash: 3D318DB2548348ABD324E799DC46FCB77DC9BC4318F04482FF649D7182E678D68487AA

Function 004037B1 Relevance: 12.1, APIs: 7, Strings: 1, Instructions: 86
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004037D2
memset.MSVCRT ref: 004037E6

Part of subcall function 00410F79: memset.MSVCRT ref: 00410F9B
Part of subcall function 00410F79: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT(?,00401D07,00000000,00000000,00401D07,00000001,00000104,?,?,?,?,?,00000000), ref: 004060EA

strchr.MSVCRT ref: 00403855
strcpy.MSVCRT(?,?,?,?,?), ref: 00403872
strlen.MSVCRT ref: 0040387E
sprintf.MSVCRT ref: 0040389E
strcpy.MSVCRT(?,?,?,?,?), ref: 004038B4

Strings

%s@yahoo.com, xrefs: 00403898

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$strcpystrlen$Closememcpysprintfstrchr
String ID: %s@yahoo.com
API String ID: 1649821605-3288273942
Opcode ID: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
Instruction ID: 59c64947ec9ad5e5fa7ad27033647646f0aae9e06f6053b7dc62ef58ab254070
Opcode Fuzzy Hash: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
Instruction Fuzzy Hash: 592184B3D0412C6EDB21EB55DD41FDA77AC9F85308F0404EBB64DE6041E6B8AB848BA5

Function 004034CB Relevance: 10.5, APIs: 4, Strings: 3, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004034EB
memset.MSVCRT ref: 00403501

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

strcpy.MSVCRT(00000000,00000000), ref: 0040353C

Part of subcall function 00405F1F: strlen.MSVCRT ref: 00405F20
Part of subcall function 00405F1F: strcat.MSVCRT(00000000,00413044,004062BF,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 00405F37

strcat.MSVCRT(00000000,fb.dat,00000000,00000000), ref: 00403554

Strings

InstallPath, xrefs: 00403512
fb.dat, xrefs: 0040354E
Software\Group Mail, xrefs: 00403517

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetstrcat$Closestrcpystrlen
String ID: InstallPath$Software\Group Mail$fb.dat
API String ID: 1387626053-966475738
Opcode ID: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
Instruction ID: 7ff2b4ee0b8a45595852750e2855a272ac8b2b1e575441dca18af6517dfb7442
Opcode Fuzzy Hash: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
Instruction Fuzzy Hash: 2E01FC72D8012C75D720E6669C46FDA766C8F64745F0004A6BA4AF20C2DAFCABD48B69

Function 0040754D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040724C: memset.MSVCRT ref: 004072AE
Part of subcall function 0040724C: memset.MSVCRT ref: 004072C2
Part of subcall function 0040724C: memset.MSVCRT ref: 004072DC
Part of subcall function 0040724C: memset.MSVCRT ref: 004072F1
Part of subcall function 0040724C: GetComputerNameA.KERNEL32(?,?), ref: 00407313
Part of subcall function 0040724C: GetUserNameA.ADVAPI32(?,?), ref: 00407327
Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
Part of subcall function 0040724C: strlen.MSVCRT ref: 00407364
Part of subcall function 0040724C: strlen.MSVCRT ref: 00407373
Part of subcall function 0040724C: memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407385

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 0040759B

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

memset.MSVCRT ref: 004075EC
RegCloseKey.ADVAPI32(?,?,?), ref: 0040762A
RegCloseKey.ADVAPI32(?), ref: 00407651

Strings

Software\Google\Google Talk\Accounts, xrefs: 0040756C

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$ByteCharCloseMulusermeWidestrlen$ComputerEnumOpenUsermemcpy
String ID: Software\Google\Google Talk\Accounts
API String ID: 2959138223-1079885057
Opcode ID: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
Instruction ID: 125b9810afc719f5725a34431a69a8fbc80fc1372edd2e7206a69bc0ee1a9f38
Opcode Fuzzy Hash: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
Instruction Fuzzy Hash: 6A21887150820A6FD610EF51DC42DEBB7ECDF94344F00083AF945E1191E635D96D9BA7

Function 0040A5AC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_mbsicmp.MSVCRT ref: 0040A5CD
qsort.MSVCRT ref: 0040A676
SetCursor.USER32(/nosort,?,0040BAC6), ref: 0040A684

Strings

/nosort, xrefs: 0040A62A
/sort, xrefs: 0040A5C8

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Cursor_mbsicmpqsort
String ID: /nosort$/sort
API String ID: 882979914-1578091866
Opcode ID: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
Instruction ID: 1813cf3d9500be1981e9bba0c11058464626672cad6922460886ab76c06e8bc1
Opcode Fuzzy Hash: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
Instruction Fuzzy Hash: 4921B071304601EFC719AF75C880A99B7A9BF08314B10017EF429A7291CB39A9628B8A

Function 0040EE59 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040EDAC: LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,76F90A60,?,00000000), ref: 0040EDBA
Part of subcall function 0040EDAC: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF

memset.MSVCRT ref: 0040EEAE
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25

Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040EEC9, 0040EED9

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressCloseLibraryLoadProcVersionmemsetstrcpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 181880968-2036018995
Opcode ID: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
Instruction ID: b4f7ca4f0d473bdd6f3573a0ab4a655380742daec172f7a18688454dd959f7ad
Opcode Fuzzy Hash: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
Instruction Fuzzy Hash: D711D871800219FADB24A656DC89DEF77BCDB04309F1008B7F91572191D63D9FA886DD

Function 0040396C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 004039C5

Part of subcall function 0040D5DB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
Part of subcall function 0040D5DB: strlen.MSVCRT ref: 0040D6B7
Part of subcall function 0040D5DB: strcpy.MSVCRT(?,?), ref: 0040D6C8
Part of subcall function 0040D5DB: LocalFree.KERNEL32(?), ref: 0040D6D5

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039F7

Strings

Software\Microsoft\MessengerService, xrefs: 004039F1
Software\Microsoft\MSNMessenger, xrefs: 004039BF

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Openstrcpy$ByteCharFreeLocalMultiWidestrlen
String ID: Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService
API String ID: 1910562259-1741179510
Opcode ID: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
Instruction ID: e1373b66f94ab8684edf5be4eb08dc620599410c0cc400d8dd4f2e2a864aae35
Opcode Fuzzy Hash: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
Instruction Fuzzy Hash: 4F11F6B1608345AEC320DF5188819ABBBEC9B84355F50893FF584A2081D338DA09CAAB

Function 0040EA72 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040EA9A

Part of subcall function 00406763: sprintf.MSVCRT ref: 0040679B
Part of subcall function 00406763: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 004067AE

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040EABE
memset.MSVCRT ref: 0040EAD5
GetPrivateProfileStringA.KERNEL32(?,?,Function_00012466,?,00002000,?), ref: 0040EAF3

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringmemset$Writememcpysprintf
String ID:
API String ID: 3143880245-0
Opcode ID: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
Instruction ID: dd976746f5256500085d4a95e5c89bc7782f2e7a6919953fe2ebae93c0a04965
Opcode Fuzzy Hash: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
Instruction Fuzzy Hash: 6F01A172800219BFEF12AF51DC89DDB3B79EF04344F0044A6B609A2062D6359A64CB68

Function 0040B785 Relevance: 6.1, APIs: 4, Instructions: 51windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040BA04), ref: 0040B7A3
??2@YAPAXI@Z.MSVCRT(00000F38,00000000,?,0040BA04), ref: 0040B7C1
DeleteObject.GDI32(?), ref: 0040B7FF
LoadIconA.USER32(00000065,00000000), ref: 0040B82E

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$DeleteIconLoadObject
String ID:
API String ID: 1986663749-0
Opcode ID: 5f5a747c87eaa1aeb5cd63e0915bac848b59c27e35686337973b5baa3b83aa76
Instruction ID: 38da8263615bef274e7c21802c355ecfe582676222a25676d72b73c1d19d8401
Opcode Fuzzy Hash: 5f5a747c87eaa1aeb5cd63e0915bac848b59c27e35686337973b5baa3b83aa76
Instruction Fuzzy Hash: 8C1151B09056509BCF519F259C887C53BA4EB84B41F1804BBFD08EF3A6DBB845418BAC

Function 00411932 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?), ref: 0041193C
??3@YAXPAX@Z.MSVCRT(?), ref: 0041194C
??3@YAXPAX@Z.MSVCRT(?), ref: 0041195C
??3@YAXPAX@Z.MSVCRT(?), ref: 0041196C

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
Instruction ID: d6dbe33ea61767d3fff50222484a645f5af73bc96bc71b3580d13e53834dfd00
Opcode Fuzzy Hash: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
Instruction Fuzzy Hash: E0E012B0319201A68E20AB7BBD40A9323AE2A44310354806FF206D2AB1DE38D8C0C63C

Function 0040787D Relevance: 5.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078A5
??2@YAPAXI@Z.MSVCRT(00000000,00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078C3
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078E1
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078F1

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: e7dbc0ef46db47a5b5499b4ecfc17c41b9b5310e7ca2ac67ab4a857369e887a1
Instruction ID: 98653883aa4781a1616f5f21c4e99a92f1a36013e955d8e4b32a99e29624f39b
Opcode Fuzzy Hash: e7dbc0ef46db47a5b5499b4ecfc17c41b9b5310e7ca2ac67ab4a857369e887a1
Instruction Fuzzy Hash: E6F012B1589210BFDB549B39ED067A53AB2A748394F10917EE207CA6F5FB7454408B4C

Function 004060FA Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00406116
memcpy.MSVCRT(00000000,00000000,00000000,00000000,76F90A60,00406B49,00000001,?,00000000,76F90A60,00406D88,00000000,?,?), ref: 0040612E
free.MSVCRT ref: 00406137

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
Instruction ID: d153bd7f556b54fa1e8e463c7175d954409fdcf13f6af5892cc53e784d19f72a
Opcode Fuzzy Hash: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
Instruction Fuzzy Hash: 9DF0E9726052219FC7089F79B98145BB3DDAF84324B11482FF546D7292D7389C50C798

Function 0040B8D7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00401E8B: memset.MSVCRT ref: 00401EAD
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401EC6
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401ED4
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F1A
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F28

_stricmp.MSVCRT(/stext,00412466,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B92B

Strings

/stext, xrefs: 0040B926

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strlen$_stricmpmemset
String ID: /stext
API String ID: 3575250601-3817206916
Opcode ID: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
Instruction ID: 7d69c3f5364ef88ad9e24340ba35af89a1d621815374fdce2acadc9eabf4c73c
Opcode Fuzzy Hash: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
Instruction Fuzzy Hash: 45213EB1614111DFC35C9B29C881D65B3A8FB45314B1582BFF91AA7292C738ED518BCD

Function 00406252 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB

CreateFontIndirectA.GDI32(?), ref: 00406270

Strings

Arial, xrefs: 0040625C

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFontIndirectmemsetstrcpy
String ID: Arial
API String ID: 3275230829-493054409
Opcode ID: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
Instruction ID: 9d865b7f43533acfebf3b00b6ce8d331e43bccbbf35dbaed0a6f3a0435680c9f
Opcode Fuzzy Hash: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
Instruction Fuzzy Hash: B3D0C970E4020D76E600BAA0FD07B897BAC5B00605F508421BA41F51E2FAE8A15586A9

Function 004047A0 Relevance: 3.0, APIs: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806

LoadLibraryA.KERNELBASE(?,0040D60E,80000001,76DBEC10), ref: 004047A8
GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID:
API String ID: 145871493-0
Opcode ID: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
Instruction ID: bd92e302f737a6b7e7c2aa8ed3bd721d1bcdfa8038008227cdd2def65d6b9a1b
Opcode Fuzzy Hash: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
Instruction Fuzzy Hash: F1F039B02007028BD7209F39D84879B77E8BF85700F00853EF266E3281EB78A951CB28

Function 0040EB0E Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 0040EB35

Part of subcall function 0040EA26: memset.MSVCRT ref: 0040EA44
Part of subcall function 0040EA26: _itoa.MSVCRT ref: 0040EA5B
Part of subcall function 0040EA26: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040EA6A

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itoamemset
String ID:
API String ID: 4165544737-0
Opcode ID: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
Instruction ID: f55a197cdd86fa31c53d12907dd8f70643f2484b8232c3448506387801693677
Opcode Fuzzy Hash: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
Instruction Fuzzy Hash: F2E0B632000109FBCF125F95EC01AAA7F76FF08314F148869FD5855161D332A570EF55

Function 004047F1 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?), ref: 00404806

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
Instruction ID: 9a892a7b4d94419058e15305363ecf1fbcdc16662e35282e5c511663eadef616
Opcode Fuzzy Hash: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
Instruction Fuzzy Hash: 90D012721003118FD7705F14EC0CBE133E8AF40312F2584B8EA55E7155C3749584CA58

Function 00405EE4 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409B54,00000000,00000000,00000000,00412466,00412466,?,0040B99D,00412466), ref: 00405EF6

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
Instruction ID: 5973f86ffe51395cbbea2b6db375788de2bc2c82441068c359f9d196895a4387
Opcode Fuzzy Hash: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
Instruction Fuzzy Hash: F7C092B0290201BEFF208A10AD0AF77295DE780700F10C4207A00E40E0D2A14C109A24

Function 0040E894 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
Instruction ID: 5028da6d49437ecb3f89885db84a6a431b650c8c1a4919c17fb61c23058b4b99
Opcode Fuzzy Hash: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
Instruction Fuzzy Hash: 80C04C31110B018FE7219B12C949753B7E4BF00317F44C868955BD58A4D77CE4A4CE18

Function 0040ED91 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesA.KERNEL32(?,?,0040ED0B,00000000), ref: 0040EDA0

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
Instruction ID: b68387c5c0e4344f5c23b4f6c0320e636f75da40900f583e81955e3ef688938f
Opcode Fuzzy Hash: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
Instruction Fuzzy Hash: 11C09B31594342D7C7119F109D09F1B7A95FF58701F158C3D7251D40E0C7614034D605

Function 00406F5B Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,00406E75,?,?,00000000,rA,00410C7E,*.oeaccount,rA,?,00000104), ref: 00406F65

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
Instruction ID: b31b0b49456476ea20311e3f3804ac2d10f8d6de1d59c17087b16cfdac6e9e38
Opcode Fuzzy Hash: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
Instruction Fuzzy Hash: 67C048351145029AD22C9B38AA5942A77A2AA493303B50B6CB1F3D20E0E77884628A04

Function 0040614B Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
Instruction ID: f3b66c96cd424dd7ad3beae2567feb80d20b4231abd0f1b127a655f441aacc1c
Opcode Fuzzy Hash: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
Instruction Fuzzy Hash: CAB012752100005BCB0807349D4608E75505F45631720873CB033D00F0D730CC71BB01

Function 0040EB3F Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
Instruction ID: fbac0a3e3d82dbf35b582ab386aad6bc4faf60f338d600bbfef3ad5534bed626
Opcode Fuzzy Hash: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
Instruction Fuzzy Hash: 60C09B35544301BFDE118F40EE05F09BF62BB88B01F104814B394740B1C3718424FB17

Non-executed Functions

Function 0040F64B Relevance: 56.1, APIs: 20, Strings: 12, Instructions: 127libraryloaderstringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F674
strcpy.MSVCRT(?,?,?,?,00000000), ref: 0040F68B
memset.MSVCRT ref: 0040F6B8
strcpy.MSVCRT(?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6CB
strcat.MSVCRT(?,\sqlite3.dll,?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6DC
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F702
strcat.MSVCRT(?,\mozsqlite3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F713
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F722
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F739
GetModuleHandleA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F747
LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F755
GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040F775
GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040F781
GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040F78E
GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040F79B
GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040F7A8
GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040F7B5
GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040F7C2
GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040F7CF
GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 0040F7DC

Strings

sqlite3_exec, xrefs: 0040F7D1
sqlite3_open, xrefs: 0040F76F
sqlite3_finalize, xrefs: 0040F7B7
\sqlite3.dll, xrefs: 0040F6D6
sqlite3_column_int64, xrefs: 0040F7AA
sqlite3_step, xrefs: 0040F783
sqlite3.dll, xrefs: 0040F741, 0040F746, 0040F754
\mozsqlite3.dll, xrefs: 0040F70D
sqlite3_prepare, xrefs: 0040F777
sqlite3_close, xrefs: 0040F7C4
sqlite3_column_text, xrefs: 0040F790
sqlite3_column_int, xrefs: 0040F79D

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$strcpy$HandleLibraryLoadModulememsetstrcat
String ID: \mozsqlite3.dll$\sqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
API String ID: 3567885941-2042458128
Opcode ID: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
Instruction ID: 8fd3bcd04759d815ffa5d5b817f34976dc276f641444eb2ebd63b60ef60fef8a
Opcode Fuzzy Hash: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
Instruction Fuzzy Hash: C9416571940308AACB30AF718D85DCBBBF9AB58705F10497BE246E3550E778E685CF58

Function 00402D9A Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 153stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78

Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9

strcpy.MSVCRT(?,?), ref: 00402EB1
strcpy.MSVCRT(?,?,?,?), ref: 00402EC4
strcpy.MSVCRT(?,?), ref: 00402F51
strcpy.MSVCRT(?,?,?,?), ref: 00402F5E
RegCloseKey.ADVAPI32(?), ref: 00402FB8

Strings

PopPassword, xrefs: 00402E8B
EmailAddress, xrefs: 00402E20
SMTPServer, xrefs: 00402EE6
DisplayName, xrefs: 00402DF3
PopLogSecure, xrefs: 00402E70
PopServer, xrefs: 00402E4C
PopPort, xrefs: 00402E5F
SMTPPassword, xrefs: 00402F2B
PopAccount, xrefs: 00402E36
SMTPPort, xrefs: 00402EFC
SMTPLogSecure, xrefs: 00402F10
SMTPAccount, xrefs: 00402ED0

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$QueryValue$CloseOpen
String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
API String ID: 4127491968-1534328989
Opcode ID: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
Instruction ID: 43883d4594eb94b0077ee0611f04b7cce421852a2964d1822423da303833eb9e
Opcode Fuzzy Hash: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
Instruction Fuzzy Hash: 5D514AB1A0021CBADB11EB56CD41FDE777CAF04354F1084A7BA08B2191D7B8ABA5CF58

Function 00405FC6 Relevance: 16.6, APIs: 11, Instructions: 58clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00405FD0

Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD

GetFileSize.KERNEL32(00000000,00000000), ref: 00405FED
GlobalAlloc.KERNEL32(00002000,00000001), ref: 00405FFE
GlobalLock.KERNEL32(00000000), ref: 0040600B
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040601E
GlobalUnlock.KERNEL32(00000000), ref: 0040602D
SetClipboardData.USER32(00000001,00000000), ref: 00406036
GetLastError.KERNEL32 ref: 0040603E
CloseHandle.KERNEL32(?), ref: 0040604A
GetLastError.KERNEL32 ref: 00406055
CloseClipboard.USER32 ref: 0040605E

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
Instruction ID: 732aa9399b2cd23c9d945101f46e029b0eae2bee8c87a14991e63b5ea8a72c25
Opcode Fuzzy Hash: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
Instruction Fuzzy Hash: 6A113371900205FBDB109BB4DE4DBDE7F78EB08351F118176F606E1190DBB48A20DB69

Function 00406069 Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemorystringCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00406071
strlen.MSVCRT ref: 0040607E
GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040AEA7,?), ref: 0040608D
GlobalLock.KERNEL32(00000000), ref: 0040609A
memcpy.MSVCRT(00000000,?,00000001,?,?,?,?,0040AEA7,?), ref: 004060A3
GlobalUnlock.KERNEL32(00000000), ref: 004060AC
SetClipboardData.USER32(00000001,00000000), ref: 004060B5
CloseClipboard.USER32 ref: 004060C5

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
String ID:
API String ID: 3116012682-0
Opcode ID: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
Instruction ID: 7816216ade6a299d8ea944e6e9fe2aa84d769726faeb140b6a28ec5125b6acba
Opcode Fuzzy Hash: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
Instruction Fuzzy Hash: 0DF0B4375402296BC3102BA0AD4CEDB7B6CEBC8B557028139FB0AD3151EA78592487B9

Function 0040AC8A Relevance: 9.1, APIs: 6, Instructions: 54fileclipboardCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 0040ACA4
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ACB6
GetTempFileNameA.KERNEL32(?,0041341C,00000000,?), ref: 0040ACD8
OpenClipboard.USER32(?), ref: 0040ACF8
GetLastError.KERNEL32 ref: 0040AD11
DeleteFileA.KERNEL32(00000000), ref: 0040AD2E

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
String ID:
API String ID: 2014771361-0
Opcode ID: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
Instruction ID: 1632bef886f39339d389646b63a05c30f7573d4ca20e624e383ab74febbb07e7
Opcode Fuzzy Hash: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
Instruction Fuzzy Hash: E0118272504318ABDB209B60DD49FDB77BC9F14701F0001B6F689E2091DBB8DAD4CB29

Function 004033D7 Relevance: 7.6, Strings: 6, Instructions: 61COMMON

Download Yara Rule

Strings

ESMTPPassword, xrefs: 00403441
SMTPServer, xrefs: 00403413
POP3Server, xrefs: 00403453
POP3Username, xrefs: 00403465
ESMTPUsername, xrefs: 0040342F
POP3Password, xrefs: 00403477

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfileString_mbscmpstrlen
String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
API String ID: 3963849919-1658304561
Opcode ID: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
Instruction ID: 83b6c818750e3233ea62b9214f8e154f1c79117fabd3a6fe6fd9d90b5f1d4615
Opcode Fuzzy Hash: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
Instruction Fuzzy Hash: DA21E271844218A9DB61EB11CD86BED7B7C9F44709F0000EBAA08B60D2DBBC5BD58F59

Function 00406278 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 0048191c24760b141b6f0d3a59878a03bd3f353eaae137afec5afafb810283da
Instruction ID: e834d2f23b9aa43ef3af26d4b93615f57df44b07edf01049b3dc0679de2eed13
Opcode Fuzzy Hash: 0048191c24760b141b6f0d3a59878a03bd3f353eaae137afec5afafb810283da
Instruction Fuzzy Hash: 7DC08C34548220BBC3105F28BC09BC136B8AB0A3A2F01C876E904E6352C3B80C41CBEC

Function 0040F808 Relevance: 189.3, APIs: 8, Strings: 100, Instructions: 307stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040FC27
strncmp.MSVCRT ref: 0040FC37
memcpy.MSVCRT(?,00000002,00000000,?,?,?,?), ref: 0040FCB3
atoi.MSVCRT(00000000,?,00000002,00000000,?,?,?,?), ref: 0040FCC4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0040FCF0

Strings

Ecirc;, xrefs: 0040F9EF
sup2;, xrefs: 0040F8FF
middot;, xrefs: 0040F931
divide;, xrefs: 0040FBB8
atilde;, xrefs: 0040FAE9
Ntilde;, xrefs: 0040FA35
plusmn;, xrefs: 0040F8F5
Uacute;, xrefs: 0040FA8F
iacute;, xrefs: 0040FB5A
Ccedil;, xrefs: 0040F9D1
icirc;, xrefs: 0040FB64
Aring;, xrefs: 0040F9BD
reg;, xrefs: 0040F8D7
oslash;, xrefs: 0040FBBF
Icirc;, xrefs: 0040FA17
cedil;, xrefs: 0040F93B
Igrave;, xrefs: 0040FA03
sect;, xrefs: 0040F891
yacute;, xrefs: 0040FBE2
ntilde;, xrefs: 0040FB82
ordm;, xrefs: 0040F94F
egrave;, xrefs: 0040FB28
Atilde;, xrefs: 0040F9A9
iquest;, xrefs: 0040F981
frac34;, xrefs: 0040F977
macr;, xrefs: 0040F8E1
igrave;, xrefs: 0040FB50
Oslash;, xrefs: 0040FA7B
ucirc;, xrefs: 0040FBD4
szlig;, xrefs: 0040FAC1
laquo;, xrefs: 0040F8B9
yen;, xrefs: 0040F87D
agrave;, xrefs: 0040FACB
uml;, xrefs: 0040F89B
gt;, xrefs: 0040F821
uuml;, xrefs: 0040FBDB
oacute;, xrefs: 0040FB96
uacute;, xrefs: 0040FBCD
ograve;, xrefs: 0040FB8C
Ucirc;, xrefs: 0040FA99
eth;, xrefs: 0040FB78
Agrave;, xrefs: 0040F98B
aring;, xrefs: 0040FB0A
Otilde;, xrefs: 0040FA5D
auml;, xrefs: 0040FB00
brvbar;, xrefs: 0040F887
ugrave;, xrefs: 0040FBC6
ordf;, xrefs: 0040F8AF
para;, xrefs: 0040F927
frac12;, xrefs: 0040F96D
Egrave;, xrefs: 0040F9DB
AElig;, xrefs: 0040F9C7
times;, xrefs: 0040FA71
deg;, xrefs: 0040F8EB
sup1;, xrefs: 0040F945
yuml;, xrefs: 0040FBF0
euml;, xrefs: 0040FB46
raquo;, xrefs: 0040F959
shy;, xrefs: 0040F8CD
acute;, xrefs: 0040F913
Iacute;, xrefs: 0040FA0D
micro;, xrefs: 0040F91D
Euml;, xrefs: 0040F9F9
ccedil;, xrefs: 0040FB1E
copy;, xrefs: 0040F8A5
ecirc;, xrefs: 0040FB3C
Ugrave;, xrefs: 0040FA85
eacute;, xrefs: 0040FB32
apos;, xrefs: 0040F836
Yacute;, xrefs: 0040FAAD
sup3;, xrefs: 0040F909
not;, xrefs: 0040F8C3
Acirc;, xrefs: 0040F99F
Oacute;, xrefs: 0040FA49
thorn;, xrefs: 0040FBE9
ouml;, xrefs: 0040FBB1
ocirc;, xrefs: 0040FBA0
Aacute;, xrefs: 0040F995
THORN;, xrefs: 0040FAB7
nbsp;, xrefs: 0040F82F
Auml;, xrefs: 0040F9B3
acirc;, xrefs: 0040FADF
quot;, xrefs: 0040F828
iexcl;, xrefs: 0040F855
Uuml;, xrefs: 0040FAA3
Ouml;, xrefs: 0040FA67
Ograve;, xrefs: 0040FA3F
aacute;, xrefs: 0040FAD5
lt;, xrefs: 0040F81A
frac14;, xrefs: 0040F963
Ocirc;, xrefs: 0040FA53
ETH;, xrefs: 0040FA2B
iuml;, xrefs: 0040FB6E
Eacute;, xrefs: 0040F9E5
Iuml;, xrefs: 0040FA21
aelig;, xrefs: 0040FB14
otilde;, xrefs: 0040FBAA
curren;, xrefs: 0040F873
amp;, xrefs: 0040F813
cent;, xrefs: 0040F85F

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
API String ID: 1895597112-3255492765
Opcode ID: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
Instruction ID: 7b61ab7fda62f62168f3ac6a9ee0746413b6f8a7e258cbbb94e4f4552fbd63bc
Opcode Fuzzy Hash: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
Instruction Fuzzy Hash: 49F139B08012589EDB21CF95D8487DEBFB0AF96308F5481EAD5593B241C7B94BC9CF98

Function 004106BE Relevance: 80.8, APIs: 23, Strings: 23, Instructions: 309stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 004106D0
strcmp.MSVCRT ref: 0041071C
strcmp.MSVCRT ref: 00410745
strcmp.MSVCRT ref: 0041076E
strcmp.MSVCRT ref: 00410797
strcmp.MSVCRT ref: 004107C0
strcmp.MSVCRT ref: 004107F3
strcmp.MSVCRT ref: 00410826
strcmp.MSVCRT ref: 0041088C
strcmp.MSVCRT ref: 004108B5
strcmp.MSVCRT ref: 004108DE
strcmp.MSVCRT ref: 00410907
strcmp.MSVCRT ref: 00410930
strcmp.MSVCRT ref: 00410959
strcmp.MSVCRT ref: 00410859

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT(?,00401D07,00000000,00000000,00401D07,00000001,00000104,?,?,?,?,?,00000000), ref: 004060EA

_stricmp.MSVCRT(?,SMTP_Port), ref: 004109A0
_stricmp.MSVCRT(?,NNTP_Port), ref: 004109C9
_stricmp.MSVCRT(?,IMAP_Port), ref: 004109DA
_stricmp.MSVCRT(?,POP3_Port), ref: 004109EB
_stricmp.MSVCRT(?,SMTP_Secure_Connection), ref: 00410A14
_stricmp.MSVCRT(?,NNTP_Secure_Connection), ref: 00410A3D
_stricmp.MSVCRT(?,IMAP_Secure_Connection), ref: 00410A4E
_stricmp.MSVCRT(?,POP3_Secure_Connection), ref: 00410A5F

Strings

Account_Name, xrefs: 004106CA
POP3_Server, xrefs: 00410710
NNTP_Email_Address, xrefs: 0041092A
NNTP_Server, xrefs: 00410768
NNTP_User_Name, xrefs: 00410820
POP3_User_Name, xrefs: 004107BA
SMTP_Port, xrefs: 00410994
POP3_Secure_Connection, xrefs: 00410A59
SMTP_User_Name, xrefs: 00410853
SMTP_Server, xrefs: 00410791
SMTP_Secure_Connection, xrefs: 00410A0E
NNTP_Secure_Connection, xrefs: 00410A37
POP3_Password2, xrefs: 00410886
NNTP_Port, xrefs: 004109C3
SMTP_Email_Address, xrefs: 00410953
SMTP_Password2, xrefs: 00410901
IMAP_Server, xrefs: 0041073F
IMAP_Port, xrefs: 004109D4
IMAP_User_Name, xrefs: 004107ED
IMAP_Password2, xrefs: 004108AF
POP3_Port, xrefs: 004109E5
IMAP_Secure_Connection, xrefs: 00410A48
NNTP_Password2, xrefs: 004108D8

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcmp$_stricmp$memcpystrlen
String ID: Account_Name$IMAP_Password2$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP_Email_Address$NNTP_Password2$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3_Password2$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP_Email_Address$SMTP_Password2$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
API String ID: 1113949926-2499304436
Opcode ID: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
Instruction ID: 03d5d7842382467f3947e80262f6a1f2e973b0058f56c731c8fd5b97bb90a946
Opcode Fuzzy Hash: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
Instruction Fuzzy Hash: D391517220870569E624B7329C02FD773E8AF9032DF21052FF55BE61D2EEADB981465C

Function 0040C7CF Relevance: 61.5, APIs: 21, Strings: 14, Instructions: 232stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C7F4
strlen.MSVCRT ref: 0040C7FF
strncmp.MSVCRT ref: 0040C80C
_stricmp.MSVCRT(00000000,server), ref: 0040C849
_stricmp.MSVCRT(00000000,identities), ref: 0040C86B
strlen.MSVCRT ref: 0040C88B
strncmp.MSVCRT ref: 0040C898
_stricmp.MSVCRT(00000000,username,00000000), ref: 0040C8E1
_stricmp.MSVCRT(00000000,type,00000000), ref: 0040C903
_stricmp.MSVCRT(00000000,hostname,00000000), ref: 0040C925
_stricmp.MSVCRT(00000000,port,00000000), ref: 0040C947
atoi.MSVCRT(?,00000000), ref: 0040C955

Part of subcall function 0040C748: memset.MSVCRT ref: 0040C77E
Part of subcall function 0040C748: memcpy.MSVCRT(00000000,?,00000000), ref: 0040C7A0
Part of subcall function 0040C748: atoi.MSVCRT(00000000,00000000,?,00000000), ref: 0040C7B4

_stricmp.MSVCRT(00000000,useSecAuth,00000000), ref: 0040C969
_stricmp.MSVCRT(?,true,00000000), ref: 0040C97C
strlen.MSVCRT ref: 0040C997
strncmp.MSVCRT ref: 0040C9A4
_stricmp.MSVCRT(00000000,useremail,00000000), ref: 0040C9E9
_stricmp.MSVCRT(00000000,fullname,00000000), ref: 0040CA0B
_stricmp.MSVCRT(?,signon.signonfilename), ref: 0040CA2A
strlen.MSVCRT ref: 0040CA45
strlen.MSVCRT ref: 0040CA4F

Strings

type, xrefs: 0040C8FB
mail.server, xrefs: 0040C885, 0040C88A, 0040C893
identities, xrefs: 0040C863
fullname, xrefs: 0040CA03
useSecAuth, xrefs: 0040C961
mail.account.account, xrefs: 0040C7F9, 0040C807
username, xrefs: 0040C8D7
hostname, xrefs: 0040C91D
port, xrefs: 0040C93F
mail.identity, xrefs: 0040C991, 0040C996, 0040C99F
true, xrefs: 0040C974
signon.signonfilename, xrefs: 0040CA22
useremail, xrefs: 0040C9DF
server, xrefs: 0040C83F

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _stricmp$strlen$strncmp$atoimemset$memcpy
String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
API String ID: 736090197-593045482
Opcode ID: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
Instruction ID: 8e23c8f9271997a3be880b93158be8956f510041fead3e1da2e0ecaa9a645c54
Opcode Fuzzy Hash: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
Instruction Fuzzy Hash: E271C972504204FADF10EB65CC42BDE77A6DF50329F20426BF506B21E1EB79AF819A5C

Function 0040E4A4 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 264stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0040E4D1
GetDlgItem.USER32(?,000003E8), ref: 0040E4DD
GetWindowLongA.USER32(00000000,000000F0), ref: 0040E4EC
GetWindowLongA.USER32(?,000000F0), ref: 0040E4F8
GetWindowLongA.USER32(00000000,000000EC), ref: 0040E501
GetWindowLongA.USER32(?,000000EC), ref: 0040E50D
GetWindowRect.USER32(00000000,?), ref: 0040E51F
GetWindowRect.USER32(?,?), ref: 0040E52A
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040E53E
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040E54C
GetDC.USER32 ref: 0040E585
strlen.MSVCRT ref: 0040E5C5
GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040E5D6
ReleaseDC.USER32(?,?), ref: 0040E623
sprintf.MSVCRT ref: 0040E6E3
SetWindowTextA.USER32(?,?), ref: 0040E6F7
SetWindowTextA.USER32(?,00000000), ref: 0040E715
GetDlgItem.USER32(?,00000001), ref: 0040E74B
GetWindowRect.USER32(00000000,?), ref: 0040E75B
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040E769
GetClientRect.USER32(?,?), ref: 0040E780
GetWindowRect.USER32(?,?), ref: 0040E78A
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040E7D0
GetClientRect.USER32(?,?), ref: 0040E7DA
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040E812

Strings

STATIC, xrefs: 0040E687
EDIT, xrefs: 0040E6BE
%s:, xrefs: 0040E6DD

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
String ID: %s:$EDIT$STATIC
API String ID: 1703216249-3046471546
Opcode ID: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
Instruction ID: 2f6da9a5868e125b8128a3bf626dfa5428397bb468519cd7ccc35e9b597c58da
Opcode Fuzzy Hash: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
Instruction Fuzzy Hash: C9B1DE71108341AFD710DFA8C985A6BBBE9FF88704F008A2DF699D2260D775E814CF16

Function 004010E5 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 0040113D
ChildWindowFromPoint.USER32(?,?,?), ref: 0040114F
GetDlgItem.USER32(?,000003EE), ref: 00401184
ChildWindowFromPoint.USER32(?,?,?), ref: 00401191
GetDlgItem.USER32(?,000003EC), ref: 004011BF
ChildWindowFromPoint.USER32(?,?,?), ref: 004011D1
LoadCursorA.USER32(00000067), ref: 004011E0
SetCursor.USER32(00000000,?,?), ref: 004011E7
GetDlgItem.USER32(?,000003EE), ref: 00401207
ChildWindowFromPoint.USER32(?,?,?), ref: 00401214
GetDlgItem.USER32(?,000003EC), ref: 0040122E
SetBkMode.GDI32(?,00000001), ref: 0040123A
SetTextColor.GDI32(?,00C00000), ref: 00401248
GetSysColorBrush.USER32(0000000F), ref: 00401250
GetDlgItem.USER32(?,000003EE), ref: 00401270
EndDialog.USER32(?,00000001), ref: 0040129B
DeleteObject.GDI32(?), ref: 004012A7
GetDlgItem.USER32(?,000003ED), ref: 004012CB
ShowWindow.USER32(00000000), ref: 004012D4
GetDlgItem.USER32(?,000003EE), ref: 004012E0
ShowWindow.USER32(00000000), ref: 004012E3
SetDlgItemTextA.USER32(?,000003EE,00417348), ref: 004012F4
SetWindowTextA.USER32(?,Mail PassView), ref: 00401302
SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040131A
SetDlgItemTextA.USER32(?,000003EC,?), ref: 0040132B

Strings

Mail PassView, xrefs: 004012FA

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObject
String ID: Mail PassView
API String ID: 3628558512-272225179
Opcode ID: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
Instruction ID: a5e01e197ecdabf9e6bdb75eaf1794657044b10619e6b9182d208ef804a260cb
Opcode Fuzzy Hash: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
Instruction Fuzzy Hash: 68518130044248BFEB259F60DE85EAE7BB5EB04700F10853AFA56E65F0C7759D61EB08

Function 0040CE28 Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 311stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF0F
Part of subcall function 0040DEEE: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
Part of subcall function 0040DEEE: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF62
Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF6C
Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF7A
Part of subcall function 0040DEEE: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038

memset.MSVCRT ref: 0040CEA6
memset.MSVCRT ref: 0040CEBF
MultiByteToWideChar.KERNEL32(00000000,00000000,0040D314,000000FF,?,00000104,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CED6
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CEF5
memset.MSVCRT ref: 0040CF68
memset.MSVCRT ref: 0040CF7A
strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040CFED
strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D003
strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D019
strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D02F
strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D045
strcpy.MSVCRT(?,0040D314,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D05B
memset.MSVCRT ref: 0040D076
memset.MSVCRT ref: 0040D08A
memset.MSVCRT ref: 0040D0ED
memset.MSVCRT ref: 0040D101
sprintf.MSVCRT ref: 0040D119
sprintf.MSVCRT ref: 0040D12B
_stricmp.MSVCRT(?,?,?,imap://%s,00000104,?,mailbox://%s,00000104,?,00000000,00000261,?,00000000,00000261,?,?), ref: 0040D13E
_stricmp.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D158
SetCurrentDirectoryA.KERNEL32(?,?,?,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040D1DD

Strings

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 0040CF2B
imap://%s, xrefs: 0040D125
mailbox://%s, xrefs: 0040D113

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$AddressProcstrcpy$CurrentDirectory$ByteCharLibraryLoadMultiWide_stricmpsprintfstrlen$HandleModule
String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins$imap://%s$mailbox://%s
API String ID: 4276617627-3913509535
Opcode ID: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
Instruction ID: 531ad7aca3640aed267cd003a13377454315b37e4b42da830508d09ae9ff7478
Opcode Fuzzy Hash: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
Instruction Fuzzy Hash: 58B10A72C00219ABDB20EFA5CC819DEB7BDEF04315F1445BBE619B2191DB38AB858F54

Function 0040A774 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 285windowregistrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407BB9: LoadMenuA.USER32(00000000), ref: 00407BC1
Part of subcall function 00407BB9: sprintf.MSVCRT ref: 00407BE4

SetMenu.USER32(?,00000000), ref: 0040A8A7
#6.COMCTL32(50000000,Function_00012466,?,00000101), ref: 0040A8C2
SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040A8DA
LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040A8F0
CreateToolbarEx.COMCTL32(?,50010900,00000102,00000007,00000000,00000000,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 0040A91A
CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040A950
LoadIconA.USER32(00000066,00000000), ref: 0040A9BF
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040A9CD
_stricmp.MSVCRT(Function_00012466,/noloadsettings), ref: 0040AA17
RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MailPassView), ref: 0040AA2C
SetFocus.USER32(?,00000000), ref: 0040AA52
GetFileAttributesA.KERNEL32(00417660), ref: 0040AA6B
GetTempPathA.KERNEL32(00000104,00417660), ref: 0040AA7B
strlen.MSVCRT ref: 0040AA82
strlen.MSVCRT ref: 0040AA90
RegisterWindowMessageA.USER32(commdlg_FindReplace,?,00000001), ref: 0040AAEC

Part of subcall function 00404925: strlen.MSVCRT ref: 00404942
Part of subcall function 00404925: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404966

SendMessageA.USER32(?,00000404,00000002,?), ref: 0040AB37
SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040AB4A

Strings

Software\NirSoft\MailPassView, xrefs: 0040AA22
report.html, xrefs: 0040AA89, 0040AAA1
commdlg_FindReplace, xrefs: 0040AAE7
SysListView32, xrefs: 0040A94A
`vA, xrefs: 0040AA5E
/noloadsettings, xrefs: 0040AA11

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Message$Send$Loadstrlen$CreateIconImageMenuWindow$AttributesDeleteFileFocusList_PathRegisterReplaceTempToolbar_stricmpsprintf
String ID: /noloadsettings$Software\NirSoft\MailPassView$SysListView32$`vA$commdlg_FindReplace$report.html
API String ID: 873469642-860065374
Opcode ID: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
Instruction ID: ca2bded9840d9beafebaacef77bacb5142d556b3fd29cdc4ce09694084a06bb6
Opcode Fuzzy Hash: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
Instruction Fuzzy Hash: 82B12271644388FFEB16CF74CC45BDABBA5BF14304F00406AFA44A7292C7B5A954CB5A

Function 0040DB39 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 220windowstringCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 0040DB81
GetDlgItem.USER32(?,000003EA), ref: 0040DB99
SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040DBB8
SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040DBC5
SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040DBCE
memset.MSVCRT ref: 0040DBF6
memset.MSVCRT ref: 0040DC16
memset.MSVCRT ref: 0040DC34
memset.MSVCRT ref: 0040DC4D
memset.MSVCRT ref: 0040DC6B
memset.MSVCRT ref: 0040DC84
GetCurrentProcess.KERNEL32 ref: 0040DC8C
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040DCB1
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040DCE7
memset.MSVCRT ref: 0040DD3E
GetCurrentProcessId.KERNEL32 ref: 0040DD4C
memcpy.MSVCRT(?,00416FF0,00000118), ref: 0040DD7B
strcpy.MSVCRT(?,00000000), ref: 0040DD9D
sprintf.MSVCRT ref: 0040DE08
SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040DE21
GetDlgItem.USER32(?,000003EA), ref: 0040DE2B
SetFocus.USER32(00000000), ref: 0040DE32

Strings

{Unknown}, xrefs: 0040DBFB
Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040DE02

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusTextmemcpysprintfstrcpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
API String ID: 138940113-3474136107
Opcode ID: a83a35a4c36da605d140adb83b4774888d9d4a076b757738f8a3eb1b01500df5
Instruction ID: 36e6f19d437acde9dae1843bd1f228cb1d7049f577ea92cd8b51c55dddb48a69
Opcode Fuzzy Hash: a83a35a4c36da605d140adb83b4774888d9d4a076b757738f8a3eb1b01500df5
Instruction Fuzzy Hash: 6D711C72844244BFD721EF51DC41EEB3BEDEF94344F00843EF649921A0DA399A58CBA9

Function 0040DEEE Relevance: 42.1, APIs: 16, Strings: 8, Instructions: 113libraryloaderstringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DF0F
GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
memset.MSVCRT ref: 0040DF62
strlen.MSVCRT ref: 0040DF6C
strlen.MSVCRT ref: 0040DF7A
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040E044

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT(?,00401D07,00000000,00000000,00401D07,00000001,00000104,?,?,?,?,?,00000000), ref: 004060EA

Strings

PK11_FreeSlot, xrefs: 0040E016
nss3.dll, xrefs: 0040DF67, 0040DF90
NSS_Init, xrefs: 0040DFF5
PK11SDR_Decrypt, xrefs: 0040E03A
NSS_Shutdown, xrefs: 0040DFFE
PK11_Authenticate, xrefs: 0040E02E
PK11_GetInternalKeySlot, xrefs: 0040E00A
PK11_CheckUserPassword, xrefs: 0040E022

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$strlen$CurrentDirectoryLibraryLoadmemset$HandleModulememcpy
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 1296682400-4029219660
Opcode ID: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
Instruction ID: fea3831f464983b0eef39fbf9020f470c327cc413978f8e1f023dd725517e53d
Opcode Fuzzy Hash: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
Instruction Fuzzy Hash: 2A4187B1940309AACB20AF75CC49FC6BBF8AF64704F10496AE185E2191E7B996D4CF58

Function 00402606 Relevance: 37.6, APIs: 3, Strings: 22, Instructions: 127stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004026AE

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

strcpy.MSVCRT(?,?,?,?,?,76DBEB20,?,00000000), ref: 004026EC
strcpy.MSVCRT(?,?), ref: 004027A9

Strings

POP3 Port, xrefs: 00402668
POP3 Server, xrefs: 00402630
SMTP USer Name, xrefs: 00402629
SMTP Email Address, xrefs: 00402736
IMAP Server, xrefs: 00402637
POP3 Secure Connection, xrefs: 00402684
SMTP Password2, xrefs: 00402661
IMAP Port, xrefs: 0040266F
HTTPMail Password2, xrefs: 0040265A
POP3 User Name, xrefs: 00402614
IMAP Secure Connection, xrefs: 0040268B
SMTP Port, xrefs: 0040267D
HTTPMail Server, xrefs: 0040263E
IMAP User Name, xrefs: 0040261B
HTTPMail Secure Connection, xrefs: 00402692
SMTP Display Name, xrefs: 00402721
SMTP Server, xrefs: 00402645, 00402753
HTTPMail User Name, xrefs: 00402622
IMAP Password2, xrefs: 00402653
POP3 Password2, xrefs: 0040264C
HTTPMail Port, xrefs: 00402676
SMTP Secure Connection, xrefs: 00402699

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$QueryValuememset
String ID: HTTPMail Password2$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP Password2$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3 Password2$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$SMTP Display Name$SMTP Email Address$SMTP Password2$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
API String ID: 3373037483-1627711381
Opcode ID: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
Instruction ID: d93c2979c5964ee18a3e8d610d8756237e52e0a5809c5516356d8c5187ea57d6
Opcode Fuzzy Hash: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
Instruction Fuzzy Hash: E04186B190021CAADB10DF91DE49ADE37B8EF04348F10446BFD18E7191D3B89699CF98

Function 004027D0 Relevance: 37.6, APIs: 3, Strings: 22, Instructions: 118stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00402878

Part of subcall function 004029A7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029E9

strcpy.MSVCRT(?,?,76DBEB20,?,00000000), ref: 004028B2
strcpy.MSVCRT(?,?,?,?,?,?,?,?,76DBEB20,?,00000000), ref: 00402980

Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78

Strings

IMAP Use SPA, xrefs: 00402855
SMTP Password, xrefs: 004027F3
POP3 Port, xrefs: 00402832
POP3 Server, xrefs: 00402816
IMAP Server, xrefs: 0040281D
Email, xrefs: 004028F6
Display Name, xrefs: 004028E3
HTTP User, xrefs: 00402808
HTTP Port, xrefs: 00402840
IMAP Port, xrefs: 00402839
POP3 Use SPA, xrefs: 0040284E
SMTP User, xrefs: 0040280F
HTTPMail Use SSL, xrefs: 0040285C
HTTP Password, xrefs: 004027EC
SMTP Use SSL, xrefs: 00402863
SMTP Port, xrefs: 00402847, 00402925
IMAP User, xrefs: 00402801
POP3 Password, xrefs: 004027DE
IMAP Password, xrefs: 004027E5
SMTP Server, xrefs: 0040282B, 0040290E
HTTP Server URL, xrefs: 00402824
POP3 User, xrefs: 004027FA

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$ByteCharMultiQueryValueWidememset
String ID: Display Name$Email$HTTP Password$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP Password$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3 Password$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$SMTP Password$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
API String ID: 2416467034-4086712241
Opcode ID: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
Instruction ID: 2a04afc1b401ca52673312b513a052c1616a462ab9372f8060d899744f0eb97e
Opcode Fuzzy Hash: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
Instruction Fuzzy Hash: FF513EB150025DABCF24DF61DE499DD7BB8FF04308F10416AF924A6191D3B999A9CF88

Function 0040F435 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 168stringregistryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F459
memset.MSVCRT ref: 0040F471

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 0040F4A9

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

_mbsnbicmp.MSVCRT ref: 0040F4D7
memset.MSVCRT ref: 0040F4F6
memset.MSVCRT ref: 0040F50E
_snprintf.MSVCRT ref: 0040F52B
_mbsrchr.MSVCRT ref: 0040F555
_mbsicmp.MSVCRT ref: 0040F589
strcpy.MSVCRT(?,?,?), ref: 0040F5A2
strcpy.MSVCRT(?,?,?,?,?), ref: 0040F5B5
RegCloseKey.ADVAPI32(0040F699), ref: 0040F5E0
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F5EE
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,00000000), ref: 0040F600
GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F62D

Strings

mozilla, xrefs: 0040F4D1
%s\bin, xrefs: 0040F51A
SOFTWARE\Mozilla, xrefs: 0040F47A
PathToExe, xrefs: 0040F538
%programfiles%\Mozilla Thunderbird, xrefs: 0040F5FB

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$strcpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
String ID: %programfiles%\Mozilla Thunderbird$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
API String ID: 3269028891-3267283505
Opcode ID: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
Instruction ID: bd4ffbb0b4c73fbe97c341744dc0c87608cd01b58ef3e3991875b3aaf34b88fb
Opcode Fuzzy Hash: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
Instruction Fuzzy Hash: 5251A77284425DBADB31D7A18C46EDA7ABC9F14344F0404FBF645E2152EA788FC98B68

Function 0040F126 Relevance: 27.1, APIs: 12, Strings: 6, Instructions: 101stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F147
memset.MSVCRT ref: 0040F15B
strcpy.MSVCRT(?,<font,?,?,?,?,?), ref: 0040F188
sprintf.MSVCRT ref: 0040F1A3
strcat.MSVCRT(?,?,?, size="%d",?,?,?,?,?,?), ref: 0040F1B0
sprintf.MSVCRT ref: 0040F1DA
strcat.MSVCRT(?,?,?, color="#%s",00000000,?,?,?,?,?,?,?), ref: 0040F1E7
strcat.MSVCRT(?,00413DF4,?,?,?,?,?), ref: 0040F1F5
strcat.MSVCRT(?,<b>,?,?,?,?,?), ref: 0040F207
strcat.MSVCRT(?,00409631,?,?,?,?,?), ref: 0040F212
strcat.MSVCRT(?,</b>,?,?,?,?,?), ref: 0040F224
strcat.MSVCRT(?,</font>,?,?,?,?,?), ref: 0040F236

Strings

</b>, xrefs: 0040F21E
</font>, xrefs: 0040F230
color="#%s", xrefs: 0040F1D4
<b>, xrefs: 0040F201
<font, xrefs: 0040F182
size="%d", xrefs: 0040F19D

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcat$memsetsprintf$strcpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 1662040868-1996832678
Opcode ID: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
Instruction ID: 418722c3eca89b157b40b8f143ba28d640e3e929850bbea17599129c1cdb8299
Opcode Fuzzy Hash: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
Instruction Fuzzy Hash: 3F31D5B2841615BAC720AB55ED82DCAB36C9F10364F6041BFF215B31C2DA7C9FC48B98

Function 0040AF17 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 110stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AF3C
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040AF4D
strrchr.MSVCRT ref: 0040AF5C
strcat.MSVCRT(00000000,.cfg), ref: 0040AF76
strcpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040AFAA
strcpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040AFBB
GetWindowPlacement.USER32(?,?), ref: 0040B051

Strings

.cfg, xrefs: 0040AF70
SaveFilterIndex, xrefs: 0040AFED
General, xrefs: 0040AFB5
0@, xrefs: 0040AF92
ShowGridLines, xrefs: 0040AFD4
AddExportHeaderLine, xrefs: 0040B006
MarkOddEvenRows, xrefs: 0040B01F
WinPos, xrefs: 0040B065

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$FileModuleNamePlacementWindowmemsetstrcatstrrchr
String ID: .cfg$0@$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
API String ID: 1301239246-2014360536
Opcode ID: eb541b8388b74fc04471e90b9f59632c9d2ea6da41be0549b214623736a651a6
Instruction ID: 2fe98fd5fda5e8878426aecce951da02ffd08f2862891724b98557ab80592e30
Opcode Fuzzy Hash: eb541b8388b74fc04471e90b9f59632c9d2ea6da41be0549b214623736a651a6
Instruction Fuzzy Hash: 3A413972940118ABCB61DB54CC88FDAB7BCEB58304F4441AAF509E7191DB74ABC5CBA4

Function 00409482 Relevance: 25.7, APIs: 10, Strings: 7, Instructions: 182stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004094A2
memset.MSVCRT ref: 004094C5
memset.MSVCRT ref: 004094DB
memset.MSVCRT ref: 004094EB
sprintf.MSVCRT ref: 0040951F
strcpy.MSVCRT(00000000, nowrap), ref: 00409566
sprintf.MSVCRT ref: 004095ED
strcat.MSVCRT(?, ), ref: 0040961C

Part of subcall function 0040F071: sprintf.MSVCRT ref: 0040F090

strcpy.MSVCRT(?,?), ref: 00409601
sprintf.MSVCRT ref: 00409650

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,76F90A60,00000000,?,?,004092ED,00000001,00412B1C,76F90A60), ref: 00405F17

Strings

nowrap, xrefs: 00409560
<font color="%s">%s</font>, xrefs: 004095E5
<table border="1" cellpadding="5">, xrefs: 00409527
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 004094AA
bgcolor="%s", xrefs: 00409519
</table><p>, xrefs: 00409672
 , xrefs: 00409616

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetsprintf$strcpy$FileWritestrcatstrlen
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 2822972341-601624466
Opcode ID: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
Instruction ID: 52fdeb1f016046010361db54033fcb762b78bd0ac31642afda0bfecd98a661c0
Opcode Fuzzy Hash: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
Instruction Fuzzy Hash: 2C619E32900218AFCF15EF59CC86EDE7B79EF04314F1005AAF905AB1E2DB399A85DB54

Function 00409EC4 Relevance: 25.6, APIs: 17, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409EF1
ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409EFC
SendMessageA.USER32(?,00001003,00000001,?), ref: 00409F11
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00409F26
ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409F31
SendMessageA.USER32(?,00001003,00000000,?), ref: 00409F46
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409F52
ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409F5D
LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 00409F7B
LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 00409F97
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00409FA3
GetSysColor.USER32(0000000F), ref: 00409FA7
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00409FC2
ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 00409FCF
DeleteObject.GDI32(?), ref: 00409FDB
DeleteObject.GDI32(00000000), ref: 00409FDE
SendMessageA.USER32(00000000,00001208,00000000,?), ref: 00409FFC

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Image$List_$Count$CreateMessageSend$DeleteLoadMaskedObject$Color
String ID:
API String ID: 3411798969-0
Opcode ID: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
Instruction ID: 9f66d34d320d782a5b10da91aa20dc2822d11362667953dcc3c6c241c584b6d3
Opcode Fuzzy Hash: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
Instruction Fuzzy Hash: E23150716803087FFA316B70DC47FD67B95EB48B00F114829F395AA1E1CAF279909B18

Function 0040B841 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_stricmp.MSVCRT(/shtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B847
_stricmp.MSVCRT(/sverhtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B85C

Strings

/stabular, xrefs: 0040B8AB
/skeepass, xrefs: 0040B8C0
/sxml, xrefs: 0040B86C
/scomma, xrefs: 0040B896
/stab, xrefs: 0040B881
/sverhtml, xrefs: 0040B857
/shtml, xrefs: 0040B842

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _stricmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2884411883-1959339147
Opcode ID: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
Instruction ID: 4e6abd9895fa0fe71fc14c80fe1cf8958250247b4a97c707517fcc1bdd8d2f83
Opcode Fuzzy Hash: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
Instruction Fuzzy Hash: AD011A7328931038F82925662C17FC30A8ACBD1BBBF30856BF606E41E5EF5DA5C0506D

Function 0040F243 Relevance: 24.1, APIs: 10, Strings: 6, Instructions: 114stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F264
memset.MSVCRT ref: 0040F278
memset.MSVCRT ref: 0040F28C
sprintf.MSVCRT ref: 0040F2B6
sprintf.MSVCRT ref: 0040F2E0
strcpy.MSVCRT(?,</font>,?,<font color="%s">,00000000,000000FF,?,?,?,?,?,?,?,?,?,00000006), ref: 0040F2F1
sprintf.MSVCRT ref: 0040F30C
memset.MSVCRT ref: 0040F347
sprintf.MSVCRT ref: 0040F362
sprintf.MSVCRT ref: 0040F396

Part of subcall function 0040F071: sprintf.MSVCRT ref: 0040F090

Strings

</font>, xrefs: 0040F2EB
<th%s>%s%s%s, xrefs: 0040F390
bgcolor="%s", xrefs: 0040F2B0
<table border="1" cellpadding="5"><tr%s>, xrefs: 0040F306
<font color="%s">, xrefs: 0040F2DA
width="%s", xrefs: 0040F35C

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: sprintf$memset$strcpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 898937289-3842416460
Opcode ID: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
Instruction ID: 9a5c5c5b7b50b61a4e5f96e5236d764a10b70f2cfe31ee2b12760fde8c14bfcc
Opcode Fuzzy Hash: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
Instruction Fuzzy Hash: C3415FB284021D7ADF21EB55DC41FEB776CAF44344F0401FBBA09A2152E6389F988FA5

Function 0040E0DA Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,0040DD12), ref: 0040E0ED
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E106
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040E117
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040E128
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040E139
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040E14A
FreeLibrary.KERNEL32(00000000), ref: 0040E16A

Strings

EnumProcesses, xrefs: 0040E133
EnumProcessModules, xrefs: 0040E111
GetModuleFileNameExA, xrefs: 0040E122
psapi.dll, xrefs: 0040E0E8
GetModuleBaseNameA, xrefs: 0040E100
GetModuleInformation, xrefs: 0040E144

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
API String ID: 2449869053-232097475
Opcode ID: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
Instruction ID: ee37d54ff12c00b719d991246764d0af3e5b6fb2a2d0f9e8910a6c9c4b0fdd5c
Opcode Fuzzy Hash: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
Instruction Fuzzy Hash: F0015E31740311EAC711EB266D40FE73EB85B48B91B11843BE544E52A4D778C5928A6C

Function 00410525 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 136stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,76DBEC10), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

strlen.MSVCRT ref: 0041054C
??2@YAPAXI@Z.MSVCRT(00000001), ref: 0041055C
memset.MSVCRT ref: 004105A8
memset.MSVCRT ref: 004105C5
strcpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 004105F3
RegCloseKey.ADVAPI32(?), ref: 00410637
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00410688
LocalFree.KERNEL32(?), ref: 0041069D
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 004106A6

Part of subcall function 00406512: strtoul.MSVCRT ref: 0040651A

Strings

Software\Microsoft\Windows Live Mail, xrefs: 004105E7
Salt, xrefs: 00410621
Software\Microsoft\Windows Mail, xrefs: 004105DB

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetstrcpy$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
API String ID: 1673043434-2687544566
Opcode ID: e26968150b8c48349edd6a01877549271a53a2337486a96049ecb3a108515df3
Instruction ID: 7afd7cd9a60bb03764dcbc3854d87102a14f95683297c5d7d0928fc071fa2b2b
Opcode Fuzzy Hash: e26968150b8c48349edd6a01877549271a53a2337486a96049ecb3a108515df3
Instruction Fuzzy Hash: D14186B2C0011CAECB11DBA5DC81ADEBBBCAF48344F1041ABE645F3251DA349A95CB68

Function 0040CBA7 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

_strnicmp.MSVCRT ref: 0040CBD6
_strnicmp.MSVCRT ref: 0040CBFB
memset.MSVCRT ref: 0040CC44
memset.MSVCRT ref: 0040CC5A
sprintf.MSVCRT ref: 0040CC79
sprintf.MSVCRT ref: 0040CC98
_stricmp.MSVCRT(00000000,00000000), ref: 0040CCB7
_stricmp.MSVCRT(00000000,00000000), ref: 0040CCD9

Part of subcall function 00401380: strlen.MSVCRT ref: 0040138D

Strings

mailbox://, xrefs: 0040CBD0
imap://, xrefs: 0040CBF5
mailbox://%s@%s, xrefs: 0040CC73
imap://%s@%s, xrefs: 0040CC92

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _stricmp_strnicmpmemsetsprintf$strlen
String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
API String ID: 4281260487-2229823034
Opcode ID: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
Instruction ID: 9e102a0fb77db954c7e66e430d6901f6f24083c0ab16dd7aca32eaa7b9d40139
Opcode Fuzzy Hash: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
Instruction Fuzzy Hash: B84163B1604205EFD724DB69C881F96B7E8AF04344F144A7BEA4AE7281D738FA448B58

Function 0040CBA5 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_strnicmp.MSVCRT ref: 0040CBD6
_strnicmp.MSVCRT ref: 0040CBFB
memset.MSVCRT ref: 0040CC44
memset.MSVCRT ref: 0040CC5A
sprintf.MSVCRT ref: 0040CC79
sprintf.MSVCRT ref: 0040CC98
_stricmp.MSVCRT(00000000,00000000), ref: 0040CCB7
_stricmp.MSVCRT(00000000,00000000), ref: 0040CCD9

Strings

mailbox://, xrefs: 0040CBD0
imap://, xrefs: 0040CBF5
mailbox://%s@%s, xrefs: 0040CC73
imap://%s@%s, xrefs: 0040CC92

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _stricmp_strnicmpmemsetsprintf
String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
API String ID: 2822975062-2229823034
Opcode ID: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
Instruction ID: 56d5f4bbafa72d85e66e322173295d9522024af121689b7315c9fa9ceefdefbd
Opcode Fuzzy Hash: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
Instruction Fuzzy Hash: 754150B1604605EFD724DB69C8C1F96B7E8AF04304F14466BEA4AE7281D738FA45CB58

Function 0040D6FB Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
memset.MSVCRT ref: 0040D743
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040D770
RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040D799
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040D812
LocalFree.KERNEL32(?), ref: 0040D825
RegCloseKey.ADVAPI32(?), ref: 0040D830
RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
RegCloseKey.ADVAPI32(?), ref: 0040D858

Strings

Creds, xrefs: 0040D71D
ps:password, xrefs: 0040D78A
%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 0040D710

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
API String ID: 551151806-1288872324
Opcode ID: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
Instruction ID: ba0b8c8cecfa7ea512c31dd79fcda3fb233e403caecda4e29e00fc0c4110e127
Opcode Fuzzy Hash: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
Instruction Fuzzy Hash: 864129B2900209AFDB11DF95DD84EEFBBBCEB48344F0041A6FA15E2150DA749A94CB64

Function 004080A3 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 86windowCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 004080C4
LoadMenuA.USER32(?,?), ref: 004080D2

Part of subcall function 00407EFB: GetMenuItemCount.USER32(?), ref: 00407F10
Part of subcall function 00407EFB: memset.MSVCRT ref: 00407F31
Part of subcall function 00407EFB: GetMenuItemInfoA.USER32 ref: 00407F6C
Part of subcall function 00407EFB: strchr.MSVCRT ref: 00407F83

DestroyMenu.USER32(00000000), ref: 004080F0
sprintf.MSVCRT ref: 00408134
CreateDialogParamA.USER32(?,00000000,00000000,0040809E,00000000), ref: 00408149
memset.MSVCRT ref: 00408165
GetWindowTextA.USER32(00000000,?,00001000), ref: 00408176
EnumChildWindows.USER32(00000000,Function_00007FEB,00000000), ref: 0040819E
DestroyWindow.USER32(00000000), ref: 004081A5

Strings

dialog_%d, xrefs: 0040812A
menu_%d, xrefs: 004080BA
caption, xrefs: 0040818B

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
String ID: caption$dialog_%d$menu_%d
API String ID: 3259144588-3822380221
Opcode ID: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
Instruction ID: 30012a8f5e5a5bdbe68f816da8837f1ba63c4ed8b40bd3c0dd12f77501d21500
Opcode Fuzzy Hash: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
Instruction Fuzzy Hash: 14212172544248BBDB22AF60DD41EEF3B78EF05305F00407AFA41A2190DABC9DA58B6D

Function 0040E056 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040DD19), ref: 0040E065
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040E07E
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040E08F
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040E0A0
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040E0B1
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040E0C2

Strings

Module32First, xrefs: 0040E089
Process32First, xrefs: 0040E0AB
kernel32.dll, xrefs: 0040E060
Module32Next, xrefs: 0040E09A
Process32Next, xrefs: 0040E0BC
CreateToolhelp32Snapshot, xrefs: 0040E078

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
Instruction ID: 921299a9b586d994e9bf5e85ab2a2688844625279e80e39ff2614b99c2d6d575
Opcode Fuzzy Hash: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
Instruction Fuzzy Hash: 8DF06D70A45222A9C320CB266D00FFA3DA85A44B81B15843BE900F1694DBF8D5528B7C

Function 00404647 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004046C2: FreeLibrary.KERNEL32(?,0040464F,?,0040D601,80000001,76DBEC10), ref: 004046C9

LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,76DBEC10), ref: 00404654
GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D

Strings

CredDeleteA, xrefs: 0040467B
CredEnumerateA, xrefs: 00404687
CredReadA, xrefs: 00404667
CredEnumerateW, xrefs: 00404693
advapi32.dll, xrefs: 0040464F
CredFree, xrefs: 0040466F

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
API String ID: 2449869053-4258758744
Opcode ID: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
Instruction ID: 1c6fa8d05b29e269fad2443f962c2e8eb3052cc88d23d174a3c6f0c0958544ff
Opcode Fuzzy Hash: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
Instruction Fuzzy Hash: 380121705447009AC730AF75CD08B46BAF4EF85704F218D2EE281A3690E7BE9491DF88

Function 00411015 Relevance: 19.7, APIs: 12, Strings: 1, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041103A

Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97

strlen.MSVCRT ref: 00411056
memset.MSVCRT ref: 00411090
memset.MSVCRT ref: 004110A4
memset.MSVCRT ref: 004110B8
memset.MSVCRT ref: 004110DE

Part of subcall function 0040BC6D: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCFE

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
Part of subcall function 0040BD0B: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,00403801,00000000), ref: 0040BD77
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81

memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 00411115

Part of subcall function 0040BC6D: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCB0
Part of subcall function 0040BC6D: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCDA

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52

memcpy.MSVCRT(?,?,00000010,?,?), ref: 00411151
memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 00411163
strcpy.MSVCRT(?,?), ref: 0041123A
memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 0041126B
memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 0041127D

Strings

salu, xrefs: 00411071

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpymemset$strlen$strcpy
String ID: salu
API String ID: 2660478486-4177317985
Opcode ID: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
Instruction ID: 480a48fc981763c339c301d1addb7ab339a070bf665ce532ed27993edd9122c1
Opcode Fuzzy Hash: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
Instruction Fuzzy Hash: A4717F7190011DAADB10EBA9CC819DEB7BDFF08348F1445BAF609E7151DB749B888F94

Function 00403E87 Relevance: 19.6, APIs: 7, Strings: 6, Instructions: 98stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,76F90A60,00000000,?,?,004092ED,00000001,00412B1C,76F90A60), ref: 00405F17

memset.MSVCRT ref: 00403EBF
memset.MSVCRT ref: 00403ED3
memset.MSVCRT ref: 00403EE7
sprintf.MSVCRT ref: 00403F08
strcpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F24
sprintf.MSVCRT ref: 00403F5B
sprintf.MSVCRT ref: 00403F8C

Strings

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E97
<table dir="rtl"><tr><td>, xrefs: 00403F1E
<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F36
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F02
Mail PassView, xrefs: 00403F72
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F86

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetsprintf$FileWritestrcpystrlen
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$Mail PassView
API String ID: 1043021993-495024357
Opcode ID: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
Instruction ID: b86957a5e19b08f75c710fe46d40d6f019605627493d012667a382a844d4f915
Opcode Fuzzy Hash: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
Instruction Fuzzy Hash: A93196B2C40118BADB11EB55DC82EDE7BACEF44304F0045A7B60DA3151DE786FC88BA8

Function 00404288 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 100stringCOMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 004042BD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404304
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404318
strcpy.MSVCRT(?,?), ref: 00404328
strcpy.MSVCRT(?,?,?,?), ref: 0040433B
strchr.MSVCRT ref: 00404349
strlen.MSVCRT ref: 0040435D
sprintf.MSVCRT ref: 0040437E
strchr.MSVCRT ref: 0040438F

Strings

%s@gmail.com, xrefs: 00404378
www.google.com, xrefs: 004042B7

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidestrchrstrcpy$sprintfstrlenwcsstr
String ID: %s@gmail.com$www.google.com
API String ID: 1359934567-4070641962
Opcode ID: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
Instruction ID: 90bd0330eeb49ee3a27dc93359d6b9986b282e86ae315167fefd13048bcd18fc
Opcode Fuzzy Hash: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
Instruction Fuzzy Hash: 793188B290021D7FDB21D791DD81FDAB3ACDB44354F1005A7F709E2181D678AF858A58

Function 0040827A Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 00408292
strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082A2

Part of subcall function 00407E55: memset.MSVCRT ref: 00407E7A
Part of subcall function 00407E55: GetPrivateProfileStringA.KERNEL32(004172C0,00000104,00412466,?,00001000,004171B8), ref: 00407E9E
Part of subcall function 00407E55: WritePrivateProfileStringA.KERNEL32(004172C0,?,?,004171B8), ref: 00407EB5

EnumResourceNamesA.KERNEL32(00000104,00000004,004080A3,00000000), ref: 004082D8
EnumResourceNamesA.KERNEL32(00000104,00000005,004080A3,00000000), ref: 004082E2
strcpy.MSVCRT(004172C0,strings,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082EA
memset.MSVCRT ref: 00408306
LoadStringA.USER32(00000104,00000000,?,00001000), ref: 0040831A

Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4

Strings

strings, xrefs: 004082E4
TranslatorURL, xrefs: 004082B8
general, xrefs: 00408297
TranslatorName, xrefs: 004082AD

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Stringstrcpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
String ID: TranslatorName$TranslatorURL$general$strings
API String ID: 1060401815-3647959541
Opcode ID: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
Instruction ID: d5eae57ffc3fdd8f11c9b4c351fac369e1a37aafa95eb04bb89d09d1e585c4c7
Opcode Fuzzy Hash: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
Instruction Fuzzy Hash: 6E1104319802543AD7212B56DC06FCB3E6DCF85B59F1040BBB708B6191C9BC9EC087AD

Function 0040D1EC Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 128stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406C2F: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D205,?,?,?,?), ref: 00406C48
Part of subcall function 00406C2F: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00406C74

Part of subcall function 0040462E: free.MSVCRT ref: 00404635

Part of subcall function 004061FF: strcpy.MSVCRT(?,?,0040D228,?,?,?,?,?), ref: 00406204
Part of subcall function 004061FF: strrchr.MSVCRT ref: 0040620C

Part of subcall function 0040C530: memset.MSVCRT ref: 0040C551
Part of subcall function 0040C530: memset.MSVCRT ref: 0040C565
Part of subcall function 0040C530: memset.MSVCRT ref: 0040C579
Part of subcall function 0040C530: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C646
Part of subcall function 0040C530: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C6A6

strlen.MSVCRT ref: 0040D241
strlen.MSVCRT ref: 0040D24F

Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4

memset.MSVCRT ref: 0040D28F
strlen.MSVCRT ref: 0040D29E
strlen.MSVCRT ref: 0040D2AC
_stricmp.MSVCRT(00000504,none,?,?,?), ref: 0040D339
strcpy.MSVCRT(00000004,00000204,?,?,?), ref: 0040D354

Strings

signons.sqlite, xrefs: 0040D2A5, 0040D2C3
none, xrefs: 0040D333
signons.txt, xrefs: 0040D248, 0040D266

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetstrlen$strcpy$memcpy$CloseFileHandleSize_stricmpfreestrcatstrrchr
String ID: none$signons.sqlite$signons.txt
API String ID: 2681923396-1088577317
Opcode ID: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
Instruction ID: 747294efef189d2a86bae337d02489a359e47e35f4212505bb9232dde5c11721
Opcode Fuzzy Hash: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
Instruction Fuzzy Hash: 3041E3B1508246AAD710EBB1CC81BDAB798AF40305F10057FE596E21C2EB7CE9C9876D

Function 00402C44 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 104registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 00402C84

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

RegCloseKey.ADVAPI32(?), ref: 00402D86

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

memset.MSVCRT ref: 00402CDE
sprintf.MSVCRT ref: 00402CF7
sprintf.MSVCRT ref: 00402D35

Part of subcall function 00402BB8: memset.MSVCRT ref: 00402BD8
Part of subcall function 00402BB8: RegCloseKey.ADVAPI32 ref: 00402C3C

Strings

Username, xrefs: 00402CB7
Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00402CE3
Identities, xrefs: 00402C52
%s\%s, xrefs: 00402CA6, 00402CF5, 00402D33
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00402D21

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Closememset$sprintf$EnumOpen
String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
API String ID: 1831126014-3814494228
Opcode ID: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
Instruction ID: 6c0256c292ffb55b53f7a2730c4bcad7d13cefd93b753116a94389aae211c0df
Opcode Fuzzy Hash: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
Instruction Fuzzy Hash: 25315C72D0011DBADB11EA96CD46EEFB77CAF04344F0405BABA19F2091E6B49F988F54

Function 0040B53C Relevance: 16.6, APIs: 11, Instructions: 133windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 0040B5B5
SetTextColor.GDI32(?,00FF0000), ref: 0040B5C3
SelectObject.GDI32(?,?), ref: 0040B5D8
DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B60D
SelectObject.GDI32(00000014,?), ref: 0040B619

Part of subcall function 0040B372: GetCursorPos.USER32(?), ref: 0040B37F
Part of subcall function 0040B372: GetSubMenu.USER32(?,00000000), ref: 0040B38D
Part of subcall function 0040B372: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B3BA

LoadCursorA.USER32(00000067), ref: 0040B63A
SetCursor.USER32(00000000), ref: 0040B641
PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040B663
SetFocus.USER32(?), ref: 0040B69E
SetFocus.USER32(?), ref: 0040B6EF

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
String ID:
API String ID: 1416211542-0
Opcode ID: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
Instruction ID: 8f05fcf81e8b57b2917fe7890bba9475612e1218cdf4c3fdd04c744704700eb5
Opcode Fuzzy Hash: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
Instruction Fuzzy Hash: E741A271100605EFCB119F64CD89EEE7775FB08300F104936E615A62A1CB799D91DBDE

Function 0040EDDB Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,Common Programs,0040EEF9,?,?,?,?,?,00000104), ref: 0040EE4E

Strings

Startup, xrefs: 0040EE06
AppData, xrefs: 0040EE33
Common Desktop, xrefs: 0040EE3A
Desktop, xrefs: 0040EDF8
Programs, xrefs: 0040EE14
Start Menu, xrefs: 0040EDFF
Common Start Menu, xrefs: 0040EE1B
Common Programs, xrefs: 0040EE48
Common Startup, xrefs: 0040EE41
Favorites, xrefs: 0040EE0D

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 3177657795-318151290
Opcode ID: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
Instruction ID: 838bbb5fcb7671a25bd4d31fd75230584a1d4f3c41bb848f6a939ae912ddcdf8
Opcode Fuzzy Hash: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
Instruction Fuzzy Hash: 66F0BDB32A878EF0D429496BCD4AEB744429151B46B7C4D37A002B46D5E87D8AF260DF

Function 0040765B Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,76DBEC10), ref: 00404654
Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D

wcslen.MSVCRT ref: 004076C5
wcsncmp.MSVCRT ref: 00407709
memset.MSVCRT ref: 0040779D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 004077C1
wcschr.MSVCRT ref: 00407815
LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040783F

Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806

Strings

Microsoft_WinInet, xrefs: 004076B9
hyA, xrefs: 0040774B
J, xrefs: 00407743

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$FreeLibrary$LoadLocalmemcpymemsetwcschrwcslenwcsncmp
String ID: J$Microsoft_WinInet$hyA
API String ID: 2413121283-319027496
Opcode ID: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
Instruction ID: ab6451454baefbc6762688e22d5ebab6c31fbbbf8d38218599acfc9a6d4ef790
Opcode Fuzzy Hash: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
Instruction Fuzzy Hash: 2751E4B1908345AFC710EF65C88495AB7E8FF89304F00492EFA99D3250E778E955CB57

Function 00402FC2 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 106registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 00403005

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

memset.MSVCRT ref: 00403052
sprintf.MSVCRT ref: 0040306A
memset.MSVCRT ref: 0040309B
RegCloseKey.ADVAPI32(?), ref: 004030E3
RegCloseKey.ADVAPI32(?), ref: 0040310C

Strings

Software\IncrediMail\Identities, xrefs: 00402FD3
Identity, xrefs: 0040302B
%s\Accounts, xrefs: 00403064

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$Close$EnumOpensprintf
String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
API String ID: 3672803090-3168940695
Opcode ID: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
Instruction ID: 2ec2bfd25db4f87ede08292043277b4916c0dadc31aa5cf960337fea200e46ca
Opcode Fuzzy Hash: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
Instruction Fuzzy Hash: D6314EB290021CBADB11EB95CC81EEEBB7CAF14344F0041B6B909A1051E7799F948F64

Function 00407A64 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00407A7A
memset.MSVCRT ref: 00407A9E
GetMenuItemInfoA.USER32(?), ref: 00407AD4
memset.MSVCRT ref: 00407B01
strchr.MSVCRT ref: 00407B0D
strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407B68
ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407B84

Strings

6, xrefs: 00407AC4
0, xrefs: 00407AB9

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoModifystrcatstrchr
String ID: 0$6
API String ID: 1757351179-3849865405
Opcode ID: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
Instruction ID: 1677788af10e21d8d50b2ad3b046da146c202dfcbfc60db105475917acddfa9f
Opcode Fuzzy Hash: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
Instruction Fuzzy Hash: 1A316D71808385AFD7109F55D84099BBBF9EB84358F14883FFA9492250D378EA44CF6B

Function 0040E988 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9B9
UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 0040EA04
CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13

Strings

220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9AD
220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9B4
417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0040E9C1
220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9A0

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FromStringUuid$FreeTaskmemcpy
String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
API String ID: 1640410171-2022683286
Opcode ID: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
Instruction ID: a0dda8305716182b94471eb279f6daf9a8f1529c8f3e89cbb35285eb134eabf6
Opcode Fuzzy Hash: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
Instruction Fuzzy Hash: 3811607251412DAACB11EEA5DD40EEB37ECAB48354F044837FD12F3241F674E9248BA5

Function 00404837 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(comctl32.dll,76F90A60,?,00000000,?,?,?,0040B9C9,76F90A60), ref: 00404856
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,76F90A60), ref: 0040487C
#17.COMCTL32(?,00000000,?,?,?,0040B9C9,76F90A60), ref: 0040488A
MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004048A7

Strings

comctl32.dll, xrefs: 0040483F
InitCommonControlsEx, xrefs: 00404862
Error: Cannot load the common control classes., xrefs: 004048A1
Error, xrefs: 0040489C

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
Instruction ID: 848b23aeb75660b77c3c697252adc3032e5e70f3caa3a854567a53d2e3e71345
Opcode Fuzzy Hash: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
Instruction Fuzzy Hash: 3E0126723102017FD7156BA08D48BAF7AACEB84749F008139F602E21C0EBF8C912D6AC

Function 004081B5 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F

strcpy.MSVCRT(004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081CF
strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081DF
GetPrivateProfileIntA.KERNEL32(004172C0,rtl,00000000,004171B8), ref: 004081F0

Part of subcall function 00407DC1: GetPrivateProfileStringA.KERNEL32(004172C0,?,00412466,00417308,?,004171B8), ref: 00407DDC

Strings

TranslatorURL, xrefs: 00408228
HsA, xrefs: 00408219
rtl, xrefs: 004081EA
general, xrefs: 004081D4
charset, xrefs: 004081FE
TranslatorName, xrefs: 00408214

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfilestrcpy$AttributesFileString
String ID: HsA$TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 185930432-2094606381
Opcode ID: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
Instruction ID: cb939eedfd3a0989361dc9c28bcf1dbf68e7932df9513b818d47ffc3c6ffa7d5
Opcode Fuzzy Hash: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
Instruction Fuzzy Hash: 07F0F631ED821532DB113A622C03FEA39248FA2B16F04407FBC04B72C3DA7C4A81929E

Function 0040DEA9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(nss3.dll,76F91620,?,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEB8
GetModuleHandleA.KERNEL32(sqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEC1
GetModuleHandleA.KERNEL32(mozsqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DECA
FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DED9
FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE0
FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE7

Strings

nss3.dll, xrefs: 0040DEB3
sqlite3.dll, xrefs: 0040DEBA
mozsqlite3.dll, xrefs: 0040DEC3

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeHandleLibraryModule
String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
API String ID: 662261464-3550686275
Opcode ID: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
Instruction ID: d16a25c46baa9326af0e84a0bffbb5276bbaca378281f61e1b061e0aef5cb77a
Opcode Fuzzy Hash: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
Instruction Fuzzy Hash: 72E0DF62F4132D67892066F19E84DABBE5CC895AE13150033AA00F3240DDE89C058AF8

Function 0040E172 Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0040E18A
strcpy.MSVCRT(?,-00000001), ref: 0040E198

Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A

strcpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1E8
strcat.MSVCRT(?,0000000B,?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1F3
memset.MSVCRT ref: 0040E1CF

Part of subcall function 00406325: GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
Part of subcall function 00406325: strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A

memset.MSVCRT ref: 0040E217
memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E232
strcat.MSVCRT(?,?,?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E23D

Strings

\systemroot, xrefs: 0040E1A5

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$memsetstrcatstrlen$DirectoryWindows_memicmpmemcpystrchr
String ID: \systemroot
API String ID: 1680921474-1821301763
Opcode ID: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
Instruction ID: c94fb6c7bd1247ab7199cb5b48e8c216c8115a4167fd8e2fb1b5c3c0fa66e4da
Opcode Fuzzy Hash: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
Instruction Fuzzy Hash: 7021F97554C20879E720A3635C82FEA77DC9F55348F5008AFF6CAA10C1EABC96D5862A

Function 00405BE4 Relevance: 15.1, APIs: 10, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00405BFB
GetWindow.USER32(?,00000005), ref: 00405C13
GetWindow.USER32(00000000), ref: 00405C16

Part of subcall function 00401657: GetWindowRect.USER32(?,?), ref: 00401666
Part of subcall function 00401657: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00401681

GetWindow.USER32(00000000,00000002), ref: 00405C22
GetDlgItem.USER32(?,000003ED), ref: 00405C39
GetDlgItem.USER32(?,00000000), ref: 00405C4B
GetDlgItem.USER32(?,00000000), ref: 00405C5D
GetDlgItem.USER32(?,00000000), ref: 00405C6F
GetDlgItem.USER32(?,000003ED), ref: 00405C7D
SetFocus.USER32(00000000), ref: 00405C80

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ItemWindow$Rect$ClientFocusPoints
String ID:
API String ID: 2187283481-0
Opcode ID: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
Instruction ID: 7666b00b3ddace13e8d54cd994e266c410995bf231072ec337e33f1596805ccb
Opcode Fuzzy Hash: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
Instruction Fuzzy Hash: 1A115471500304ABDB116F25CD49E6BBFADDF41758F05843AF544AB591CB79D8028A68

Function 00401A50 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00401A5C
abs.MSVCRT ref: 00401B5C
abs.MSVCRT ref: 00401B93
log.MSVCRT ref: 00401C42
log.MSVCRT ref: 00401C54
free.MSVCRT ref: 00401C75
free.MSVCRT ref: 00401C89

Strings

, xrefs: 00401A8A

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free$strlen
String ID:
API String ID: 667451143-3916222277
Opcode ID: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
Instruction ID: 06eee62d74eb4b55ebb23f84067d794473d6c8b6021198aa51b9bcc42ccbae70
Opcode Fuzzy Hash: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
Instruction Fuzzy Hash: DA6178704083859FDB249F26948046BBBF1FB85315F54997FF5D2A22A1E738E8468B0B

Function 0040D4A6 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,80000001,76DBEC10), ref: 0040D4D5
RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040D5AA

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,76DBEC10), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

memcpy.MSVCRT(00000020,?,?,?,00000000,?), ref: 0040D546
LocalFree.KERNEL32(?,?,00000000,?), ref: 0040D558
RegCloseKey.ADVAPI32(?), ref: 0040D5CC

Strings

, xrefs: 0040D4ED
User.NET Messenger Service, xrefs: 0040D5A0
Password.NET Messenger Service, xrefs: 0040D4C3

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpystrcpy
String ID: $Password.NET Messenger Service$User.NET Messenger Service
API String ID: 3289975857-105384665
Opcode ID: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
Instruction ID: 7f1cec63b8765f81c3836bbc11e71f1516ceea0880c28a2d93855dc55ce36bd3
Opcode Fuzzy Hash: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
Instruction Fuzzy Hash: AE314DB1D01219AFDB11DF94CC44BDEBBB9AF48318F1040B6E905B7290D6789B94CF99

Function 0040706C Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 90COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040708D

Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,76DBEC10), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

WideCharToMultiByte.KERNEL32(00000000,00000000,?,!r@,?,000000FD,00000000,00000000,?,00000000,!r@,?,?,?,?,00000000), ref: 00407128
LocalFree.KERNEL32(?,?,?,?,?,00000000,76DBEB20,?), ref: 00407138

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT(?,00401D07,00000000,00000000,00401D07,00000001,00000104,?,?,?,?,?,00000000), ref: 004060EA

Strings

!r@, xrefs: 0040716F
POP3_host, xrefs: 00407160
POP3_name, xrefs: 00407145
!r@, xrefs: 004070FB, 0040711D, 004070FE, 00407122
POP3_credentials, xrefs: 0040709D

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrcpystrlen
String ID: !r@$!r@$POP3_credentials$POP3_host$POP3_name
API String ID: 604216836-250559020
Opcode ID: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
Instruction ID: f8ca724a3b3a12fba31c48434a973b8369f3aae8d57bdfed2f45406e53e98f37
Opcode Fuzzy Hash: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
Instruction Fuzzy Hash: C331707194021CAFDB11EB698C81ADE7BBCEF19344F0084B6FA05A2281D6389B598F65

Function 00405E46 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52stringlibrarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00405F65,?,?), ref: 00405E6B
FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00405F65,?,?), ref: 00405E89
strlen.MSVCRT ref: 00405E96
strcpy.MSVCRT(?,?,?,?,00405F65,?,?), ref: 00405EA6
LocalFree.KERNEL32(?,?,?,00405F65,?,?), ref: 00405EB0
strcpy.MSVCRT(?,Unknown Error,?,?,00405F65,?,?), ref: 00405EC0

Strings

netmsg.dll, xrefs: 00405E66
Unknown Error, xrefs: 00405EB8

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$FormatFreeLibraryLoadLocalMessagestrlen
String ID: Unknown Error$netmsg.dll
API String ID: 3198317522-572158859
Opcode ID: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
Instruction ID: 3a45a8761f4bc18c8cc8ce1e33cdf84813ecacbbbbff7bb38409c5e389e3efd7
Opcode Fuzzy Hash: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
Instruction Fuzzy Hash: A901B131604118BAE7155B61ED46EDF7E6DDB14792B20443AF602F00A0DA785F409A98

Function 0040875C Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040857E
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040858C
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040859D
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 004085B4
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 004085BD

??2@YAPAXI@Z.MSVCRT(00000000,?,?,00000000,76F90A60,?,00000000), ref: 00408793
??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,00000000,76F90A60,?,00000000), ref: 004087AF
memcpy.MSVCRT(?,hA,00000014,?,?,00000000,76F90A60), ref: 004087D7
memcpy.MSVCRT(?,hA,00000010,?,hA,00000014,?,?,00000000,76F90A60), ref: 004087F4
??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,76F90A60), ref: 0040887D
??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,?,?,?,?,00000000,76F90A60), ref: 00408887
??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,76F90A60), ref: 004088BF

Part of subcall function 004078FF: LoadStringA.USER32(00000000,0000000D,?,?), ref: 004079C8
Part of subcall function 004078FF: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76F90A60), ref: 00407A07

Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,76F90A60), ref: 0040797A
Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998

Strings

d, xrefs: 0040889E
hA, xrefs: 004087C0, 004087DC, 00408847, 004087CD, 004087E7

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@??3@$memcpy$LoadStringstrcpystrlen
String ID: d$hA
API String ID: 3781940870-4030989184
Opcode ID: 5e50d2b62f6993c86ffac77c026433a38f7ee8811e4eb043570a690e7a3712a1
Instruction ID: 2ee817cab8fb9d662dc1fdc17dcda2a390100e1008d8253a008a3d74f0a2914d
Opcode Fuzzy Hash: 5e50d2b62f6993c86ffac77c026433a38f7ee8811e4eb043570a690e7a3712a1
Instruction Fuzzy Hash: 76518D72A01704AFDB24DF2AC582B9AB7E5FF48354F10852EE54ADB391EB74E940CB44

Function 0040314D Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040311F: GetPrivateProfileStringA.KERNEL32(00000000,?,Function_00012466,?,?,?), ref: 00403143

strchr.MSVCRT ref: 00403262

Strings

UsesIMAP, xrefs: 0040316F
RealName, xrefs: 004031E1
ReturnAddress, xrefs: 004031FA
SavePasswordText, xrefs: 00403212
1, xrefs: 00403190
PopServer, xrefs: 004031AF
PopAccount, xrefs: 0040324D
LoginName, xrefs: 004031CB

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringstrchr
String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
API String ID: 1348940319-1729847305
Opcode ID: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
Instruction ID: 1cfb9ddeec5dd782170234712f417fe000b4b626ad5f21becf6162a2306db812
Opcode Fuzzy Hash: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
Instruction Fuzzy Hash: 7631B370A04209BEEF119F20CC06FD97F6CAF14318F10816AF95C7A1D2C7B95B958B54

Function 0040F09D Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,",00000006,?,?,00000000,004096EC,?,?), ref: 0040F0CD
memcpy.MSVCRT(?,&,00000005,?,?,00000000,004096EC,?,?), ref: 0040F0F3
memcpy.MSVCRT(?,<,00000004,?,?,00000000,004096EC,?,?), ref: 0040F10B

Strings

<, xrefs: 0040F0AE
<br>, xrefs: 0040F105
&, xrefs: 0040F0ED
", xrefs: 0040F0C7
>, xrefs: 0040F0BA
°, xrefs: 0040F0E0

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
Instruction ID: 3259d816fa1e591736f6461b451ad75962e4f861ee845343ab42ffe8f3feec31
Opcode Fuzzy Hash: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
Instruction Fuzzy Hash: 450171B2E852A4B5DA350905AC07FA70B865BA6B11F350037F58639AC2E1AD0D8F516F

Function 0040D865 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292

memset.MSVCRT ref: 0040D917
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040D92E
_strnicmp.MSVCRT ref: 0040D948
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D974
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D994

Strings

windowslive:name=, xrefs: 0040D942
WindowsLive:name=*, xrefs: 0040D88C, 0040D8C3

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$Version_strnicmpmemset
String ID: WindowsLive:name=*$windowslive:name=
API String ID: 945165440-3589380929
Opcode ID: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
Instruction ID: 27d6d704735a973bd95cec350459a8e2137e61d4893fa240fc9d50cc053063f8
Opcode Fuzzy Hash: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
Instruction Fuzzy Hash: FD4183B1904345AFC720EF54D9849ABBBECEB84344F044A3EF995A3291D734DD48CB66

Function 00407FEB Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408011
GetDlgCtrlID.USER32(?), ref: 0040801C
GetWindowTextA.USER32(?,?,00001000), ref: 0040802F
memset.MSVCRT ref: 00408055
GetClassNameA.USER32(?,?,000000FF), ref: 00408068
_stricmp.MSVCRT(?,sysdatetimepick32), ref: 0040807A

Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4

Strings

sysdatetimepick32, xrefs: 00408074

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$ClassCtrlNameTextWindow_itoa_stricmp
String ID: sysdatetimepick32
API String ID: 896699463-4169760276
Opcode ID: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
Instruction ID: 1a4d9fd07e56cfca2567f2ea4562d04845e15f14fd3b0b17285a92413f4c7fe9
Opcode Fuzzy Hash: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
Instruction Fuzzy Hash: 8811E3728040187EDB119B64DC81DEB7BACEF58355F0440BBFB49E2151EA789FC88B69

Function 00405715 Relevance: 12.2, APIs: 8, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004057BD
GetDlgItem.USER32(?,000003E9), ref: 004057D0
GetDlgItem.USER32(?,000003E9), ref: 004057E5
GetDlgItem.USER32(?,000003E9), ref: 004057FD
EndDialog.USER32(?,00000002), ref: 00405819
EndDialog.USER32(?,00000001), ref: 0040582C

Part of subcall function 004054C6: GetDlgItem.USER32(?,000003E9), ref: 004054D4
Part of subcall function 004054C6: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 004054E9
Part of subcall function 004054C6: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405505

SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405844
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405950

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Item$DialogMessageSend
String ID:
API String ID: 2485852401-0
Opcode ID: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
Instruction ID: 996ad43d7974a89766dbed28e3aed2d7518275209d6347d70af2c8e68d8db374
Opcode Fuzzy Hash: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
Instruction Fuzzy Hash: 8361BE31600A05AFDB21AF25C986A2BB3A5EF40724F04C13EF915A76D1D778A960CF59

Function 00405960 Relevance: 12.1, APIs: 8, Instructions: 103windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405971
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040598D
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004059B4
memset.MSVCRT ref: 004059C5
??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 004059F4
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405A41
SetFocus.USER32(?,?,?,?), ref: 00405A4A
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00405A58

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: 6b93eb81a39c48deb163be1aa812a1225973fe05519ee775c3dac3ae0dcb2c41
Instruction ID: c71b172428599a8aed3dd41af9edf36fe528ac6939486576e3287dd5c50b91d7
Opcode Fuzzy Hash: 6b93eb81a39c48deb163be1aa812a1225973fe05519ee775c3dac3ae0dcb2c41
Instruction Fuzzy Hash: 9931C6B2600605BFDB149F29D88591AF7A5FF44354B10863FF54AE72A0DB78EC408F98

Function 0040A698 Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040A6B7
GetWindowRect.USER32(?,?), ref: 0040A6CD
GetWindowRect.USER32(?,?), ref: 0040A6E0
BeginDeferWindowPos.USER32(00000003), ref: 0040A6FD
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A71A
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A73A
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040A761
EndDeferWindowPos.USER32(?), ref: 0040A76A

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginClient
String ID:
API String ID: 2126104762-0
Opcode ID: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
Instruction ID: 87e3885615821b4149b7d1c90d618f2f4546f2004ccbdac015d6c62594ca92fd
Opcode Fuzzy Hash: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
Instruction Fuzzy Hash: 1E21A771A00209FFDB11CFA8DE89FEEBBB9FB08710F104465F655E2160C771AA519B24

Function 0040C530 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C551
memset.MSVCRT ref: 0040C565
memset.MSVCRT ref: 0040C579

Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C646
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C689
memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C6A6

Strings

user_pref(", xrefs: 0040C5AF

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpymemset$strlen$_memicmp
String ID: user_pref("
API String ID: 765841271-2487180061
Opcode ID: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
Instruction ID: b5bbfaa39c0e48752cfa6ff41fc25d90fc637c7d31dd27b270ce5155e9a91379
Opcode Fuzzy Hash: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
Instruction Fuzzy Hash: A74168B2904118AADB10DB95DCC0EDA77AD9F44314F1046BBE605F7181EA389F49CFA8

Function 0040559F Relevance: 10.6, APIs: 7, Instructions: 126windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004055B6
SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 004055CF
SendMessageA.USER32(?,00001036,00000000,00000026), ref: 004055DC
SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 004055E8
memset.MSVCRT ref: 00405652
SendMessageA.USER32(?,00001019,?,?), ref: 00405683
SetFocus.USER32(?), ref: 00405708

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
Instruction ID: c9ec69d2b7f122f2474fbd4df523f5fea2365e5f162f49a3354b930d279265bd
Opcode Fuzzy Hash: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
Instruction Fuzzy Hash: 304126B5D00109AFDB209F99DC81DAEBBB9FF04348F00846AE918B7291D7759E50CFA4

Function 0040D5DB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,76DBEC10), ref: 00404654
Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,76DBEC10), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
strlen.MSVCRT ref: 0040D6B7
strcpy.MSVCRT(?,?), ref: 0040D6C8
LocalFree.KERNEL32(?), ref: 0040D6D5

Strings

hwA, xrefs: 0040D680
Passport.Net\*, xrefs: 0040D61D

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadstrcpy$ByteCharFreeLocalMultiWidestrlen
String ID: Passport.Net\*$hwA
API String ID: 3335197805-2625321100
Opcode ID: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
Instruction ID: 2e6419ae4a5a1056fcde8d8ccc48918818cbcf4cd0f285746335566170a6875e
Opcode Fuzzy Hash: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
Instruction Fuzzy Hash: D4315C76D00109ABCB10EF96D9449EEB7BDEF84300F10047AF605E7291DB399A45CB68

Function 00407EFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00407F10
memset.MSVCRT ref: 00407F31
GetMenuItemInfoA.USER32 ref: 00407F6C
strchr.MSVCRT ref: 00407F83

Strings

0, xrefs: 00407F4C
6, xrefs: 00407F54

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ItemMenu$CountInfomemsetstrchr
String ID: 0$6
API String ID: 2300387033-3849865405
Opcode ID: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
Instruction ID: e6a74f55cf859b5146a282672b091174d688b167a10cd96a0b5acbf0203f559b
Opcode Fuzzy Hash: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
Instruction Fuzzy Hash: B821917190C381AFD7109F21D88199BBBE8FB84348F44897FF68496290E779E944CB5B

Function 004044DA Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT(?,00401D07,00000000,00000000,00401D07,00000001,00000104,?,?,?,?,?,00000000), ref: 004060EA

_stricmp.MSVCRT(?,pop3,?,?,?,?,?), ref: 0040456B
_stricmp.MSVCRT(?,imap), ref: 00404589

Strings

smtp, xrefs: 004045A0
pop3, xrefs: 00404565
imap, xrefs: 00404583

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _stricmp$memcpystrlen
String ID: imap$pop3$smtp
API String ID: 445763297-821077329
Opcode ID: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
Instruction ID: 85134e65636b23d23915c58aa006eeb0f313b09a76600224a93e2cbe40a0dcf5
Opcode Fuzzy Hash: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
Instruction Fuzzy Hash: 8F2174B2500318ABC711DB61CD41BDBB3FDAF50314F10056BE64AB3181DBB87B858B9A

Function 004036CC Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 67stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E906: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
Part of subcall function 0040E906: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
Part of subcall function 0040E906: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040E966
Part of subcall function 0040E906: CoTaskMemFree.OLE32(?,?), ref: 0040E975

strchr.MSVCRT ref: 00403706
strcpy.MSVCRT(?,00000001,?,?,?), ref: 0040372F
strcpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 0040373F
strlen.MSVCRT ref: 0040375F
sprintf.MSVCRT ref: 00403783
strcpy.MSVCRT(?,?), ref: 00403799

Strings

%s@gmail.com, xrefs: 0040377D

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
String ID: %s@gmail.com
API String ID: 2649369358-4097000612
Opcode ID: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
Instruction ID: 7e171057c748ab9e8bd63aa8a265ef6dac548e8f33c4ed25ddb9a168741e2a8b
Opcode Fuzzy Hash: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
Instruction Fuzzy Hash: B221ABF294411C6EDB11DB55DC85FDA77ACAB54308F4004BBE609E2081EA789BC48B69

Function 0040684D Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 62stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040686D
sprintf.MSVCRT ref: 0040689A
strlen.MSVCRT ref: 004068A6
memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 004068BB
strlen.MSVCRT ref: 004068C9
memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 004068D9

Strings

%s (%s), xrefs: 00406894

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpystrlen$memsetsprintf
String ID: %s (%s)
API String ID: 3756086014-1363028141
Opcode ID: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
Instruction ID: 70c58cdfc2d4abbd805528426562f63df61edbbac87544aa2a0c8fc412f19922
Opcode Fuzzy Hash: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
Instruction Fuzzy Hash: 371193B2800158BFDF21DF58CC44BD9BBEDEF41308F00856AEA49EB112D674EA55CB98

Function 0040E906 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040E966
CoTaskMemFree.OLE32(?,?), ref: 0040E975

Strings

00000000-0000-0000-0000-000000000000, xrefs: 0040E925
5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 0040E918

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FromStringUuid$FreeTaskmemcpy
String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
API String ID: 1640410171-3316789007
Opcode ID: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
Instruction ID: cd3b670b1268c91d98ef63b10095ff511f923cb8a4afa2e2ee491a09b7572d99
Opcode Fuzzy Hash: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
Instruction Fuzzy Hash: AD01ADB350011CBADF01ABA6CD40DEB7BACAF08354F004833FD45E6150E634EA198BA4

Function 00410BC7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD

GetFileSize.KERNEL32(00000000,00000000,?,00000000,rA,00410C96,?,?,*.oeaccount,rA,?,00000104), ref: 00410BE1
??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 00410BF3
SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 00410C02

Part of subcall function 004066F6: ReadFile.KERNEL32(00000000,?,00410C15,00000000,00000000,?,?,00410C15,?,00000000), ref: 0040670D

Part of subcall function 00410A8A: wcslen.MSVCRT ref: 00410A9D
Part of subcall function 00410A8A: ??2@YAPAXI@Z.MSVCRT(00000001,00410C2C,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410AA6
Part of subcall function 00410A8A: WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF
Part of subcall function 00410A8A: strlen.MSVCRT ref: 00410B02
Part of subcall function 00410A8A: memcpy.MSVCRT(?,00000000,00410C2C), ref: 00410B1C
Part of subcall function 00410A8A: ??3@YAXPAX@Z.MSVCRT(00000000,00410C2C,?,00000000), ref: 00410BAF

??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00410C2D
CloseHandle.KERNEL32(?), ref: 00410C37

Strings

rA, xrefs: 00410BC7

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
String ID: rA
API String ID: 1886237854-474049127
Opcode ID: 211283d2fc670f5901c0f7876466260a577e4cfe0cc3df3f6eb0d2a5b0cdbf91
Instruction ID: e5b0438d6bc675850ae5605026c1b4582ede65e06839efbb6018c27a8e90e269
Opcode Fuzzy Hash: 211283d2fc670f5901c0f7876466260a577e4cfe0cc3df3f6eb0d2a5b0cdbf91
Instruction Fuzzy Hash: 4E01B532400248BEDB206B75EC4ECDB7B6CEF55364B10812BF91486261EA758D54CB68

Function 00409E32 Relevance: 10.5, APIs: 7, Instructions: 43windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A00B: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A026
Part of subcall function 0040A00B: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A040

ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
LoadIconA.USER32(000000CE), ref: 00409E7D
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
LoadIconA.USER32(000000CF), ref: 00409E9B
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
SendMessageA.USER32(?,00001003,00000002,?), ref: 00409EBB

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
String ID:
API String ID: 3673709545-0
Opcode ID: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
Instruction ID: 438777344fc2c20ac6f2013a54106063ce42bca0c095daa55fabf7fed0819ee6
Opcode Fuzzy Hash: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
Instruction Fuzzy Hash: 4E013C71280304BFFA325B60EE4BFD67AA6EB48B01F004425F349A90E1C7F56C61DA18

Function 00409E33 Relevance: 10.5, APIs: 7, Instructions: 42windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A00B: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A026
Part of subcall function 0040A00B: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A040

ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
LoadIconA.USER32(000000CE), ref: 00409E7D
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
LoadIconA.USER32(000000CF), ref: 00409E9B
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
SendMessageA.USER32(?,00001003,00000002,?), ref: 00409EBB

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
String ID:
API String ID: 3673709545-0
Opcode ID: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
Instruction ID: f483db5831cad9889e7f207d848437a4a82f195d6e7bb7359e2425aa16285a4b
Opcode Fuzzy Hash: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
Instruction Fuzzy Hash: 98011971281304BFFA321B60EE47FD97BA6EB48B00F014425F749A90E2CBF16860DA18

Function 00407D0A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407D35
sprintf.MSVCRT ref: 00407D4A

Part of subcall function 00407DE5: memset.MSVCRT ref: 00407E09
Part of subcall function 00407DE5: GetPrivateProfileStringA.KERNEL32(004172C0,0000000A,00412466,?,00001000,004171B8), ref: 00407E2B
Part of subcall function 00407DE5: strcpy.MSVCRT(?,?), ref: 00407E45

SetWindowTextA.USER32(?,?), ref: 00407D71
EnumChildWindows.USER32(?,Function_00007CAD,00000000), ref: 00407D81

Strings

dialog_%d, xrefs: 00407D40
caption, xrefs: 00407D56

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintfstrcpy
String ID: caption$dialog_%d
API String ID: 246480800-4161923789
Opcode ID: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
Instruction ID: 1b9ef3c80e7b29f71c03deb4ce56ff4662aaf0b85baafec8cd622ba642293ebf
Opcode Fuzzy Hash: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
Instruction Fuzzy Hash: 40F02B305482887EEB12AB91DC06FE83B685F08786F0040B6BB44E11E0D7F85AC0C71E

Function 0040E255 Relevance: 9.1, APIs: 6, Instructions: 142stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040DD5F,00000000,00000000), ref: 0040E28C
memset.MSVCRT ref: 0040E2E9
memset.MSVCRT ref: 0040E2FB

Part of subcall function 0040E172: strcpy.MSVCRT(?,-00000001), ref: 0040E198

memset.MSVCRT ref: 0040E3E2
strcpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040E407
CloseHandle.KERNEL32(00000000,0040DD5F,?), ref: 0040E451

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$strcpy$CloseHandleOpenProcess
String ID:
API String ID: 3799309942-0
Opcode ID: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
Instruction ID: 14fca006082a3f7ea55a807dd49808cd12c96cdbdfea8439eb00a9ee5a281ce1
Opcode Fuzzy Hash: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
Instruction Fuzzy Hash: A2512DB1900218ABDB10DF95DC85ADEBBB8FF44304F1045AAF609B6291D7749F90CF69

Function 00409369 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 106stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,76F90A60,00000000,?,?,004092ED,00000001,00412B1C,76F90A60), ref: 00405F17

strcat.MSVCRT(?, ), ref: 0040942E
sprintf.MSVCRT ref: 00409450

Strings

<td bgcolor=#%s nowrap>%s, xrefs: 00409374
<tr>, xrefs: 0040938E
<td bgcolor=#%s>%s, xrefs: 00409380
 , xrefs: 00409428

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileWritesprintfstrcatstrlen
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 3813295786-4153097237
Opcode ID: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
Instruction ID: 5cc8281df9b45005db58bfc05dfa6f470ea1610febbae0d5d066e94f32a410cd
Opcode Fuzzy Hash: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
Instruction Fuzzy Hash: 0C316B31900208AFCF15DF94C8869DE7BB6FF44310F1041AAFD11AB2E2D776AA55DB84

Function 00410A8A Relevance: 9.1, APIs: 6, Instructions: 96stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00410A9D
??2@YAPAXI@Z.MSVCRT(00000001,00410C2C,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410AA6
WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF

Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE1A
Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE38
Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE53
Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE7C
Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FEA0

strlen.MSVCRT ref: 00410B02

Part of subcall function 0040FF76: ??3@YAXPAX@Z.MSVCRT(?,?,00410B10), ref: 0040FF81
Part of subcall function 0040FF76: ??2@YAPAXI@Z.MSVCRT(00000001,?,00410B10), ref: 0040FF90

memcpy.MSVCRT(?,00000000,00410C2C), ref: 00410B1C
??3@YAXPAX@Z.MSVCRT(00000000,00410C2C,?,00000000), ref: 00410BAF

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
String ID:
API String ID: 577244452-0
Opcode ID: 584188bec913278fc047c89b290e140bf37b0e2a195c06d1a8000b4b9f09aa03
Instruction ID: 5b66efc9566b80317fa540751e9ebc59d69584110078b55da7be64cca713082c
Opcode Fuzzy Hash: 584188bec913278fc047c89b290e140bf37b0e2a195c06d1a8000b4b9f09aa03
Instruction Fuzzy Hash: 44317672804219AFCF21EFA1C8809EDBBB5AF44314F1440AAE508A3251DB796FC4CF98

Function 0040AB54 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 72COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AB74

Part of subcall function 004078FF: LoadStringA.USER32(00000000,0000000D,?,?), ref: 004079C8
Part of subcall function 004078FF: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76F90A60), ref: 00407A07

Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,76F90A60), ref: 0040797A
Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998

Part of subcall function 0040684D: memset.MSVCRT ref: 0040686D
Part of subcall function 0040684D: sprintf.MSVCRT ref: 0040689A
Part of subcall function 0040684D: strlen.MSVCRT ref: 004068A6
Part of subcall function 0040684D: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 004068BB
Part of subcall function 0040684D: strlen.MSVCRT ref: 004068C9
Part of subcall function 0040684D: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 004068D9

Part of subcall function 00406680: GetSaveFileNameA.COMDLG32(?), ref: 004066CF
Part of subcall function 00406680: strcpy.MSVCRT(?,?), ref: 004066E6

Strings

*.txt, xrefs: 0040AB8D
*.htm;*.html, xrefs: 0040ABBA
txt, xrefs: 0040AC24, 0040AC27
*.csv, xrefs: 0040ABEF
*.xml, xrefs: 0040ABE3

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpystrlen$memsetstrcpy$FileLoadNameSaveStringsprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 4021364944-3614832568
Opcode ID: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
Instruction ID: 4d38638b85bcf07ffefc140bede2392a268d493de89ddae44be4c2da79bd640a
Opcode Fuzzy Hash: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
Instruction Fuzzy Hash: B62101B2D442589ECB01FF99D8857DDBBB4BB04304F10417BE619B7282D7381A45CB5A

Function 00406491 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0040649C
GetDeviceCaps.GDI32(00000000,00000008), ref: 004064AD
GetDeviceCaps.GDI32(00000000,0000000A), ref: 004064B4
ReleaseDC.USER32(00000000,00000000), ref: 004064BC
GetWindowRect.USER32(?,?), ref: 004064C9
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00406507

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CapsDeviceWindow$MoveRectRelease
String ID:
API String ID: 3197862061-0
Opcode ID: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
Instruction ID: 542b186de9fc11de55873c3549d90df3c6ab5362d14aa96611489808ae4c73e2
Opcode Fuzzy Hash: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
Instruction Fuzzy Hash: FC117C31A0011AAFDB009BB9CE4DEEFBFB8EB84711F014165E901E7250D6B0AD01CBA0

Function 00403A8D Relevance: 9.1, APIs: 6, Instructions: 56filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403AB2
memset.MSVCRT ref: 00403ACB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AE2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403B01
strlen.MSVCRT ref: 00403B13
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403B24

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidememset$FileWritestrlen
String ID:
API String ID: 1786725549-0
Opcode ID: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
Instruction ID: d8056d974a042835a8b53dd5956248081512f57f3cb7fafeec888b91cb2496ed
Opcode Fuzzy Hash: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
Instruction Fuzzy Hash: 6A1161B244012CBEFB009B94DD85DEB77ADEF08354F0041A6B70AD2091D6349F94CB78

Function 00406585 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 53stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004065A4
sprintf.MSVCRT ref: 004065C5
strcat.MSVCRT(?,00413078), ref: 004065D7
strcat.MSVCRT(?,00413084,00000000), ref: 004065F4
strcat.MSVCRT(?,00000000), ref: 00406603

Strings

%2.2X, xrefs: 004065BF

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcat$memsetsprintf
String ID: %2.2X
API String ID: 582077193-791839006
Opcode ID: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
Instruction ID: 9ba21b13147b7bc42f3eaeb5b708c7057566a78b4f06b3a82068ff28b5e275af
Opcode Fuzzy Hash: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
Instruction Fuzzy Hash: 54014C7294421476D7315725ED03BEA379C9B84704F10407FF986A61C5EABCDBD48798

Function 0040FEED Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00410BC0,00410C2C,?,00000000), ref: 0040FEFB
??3@YAXPAX@Z.MSVCRT(?,?,00410BC0,00410C2C,?,00000000), ref: 0040FF16
??3@YAXPAX@Z.MSVCRT(?,?,00410BC0,00410C2C,?,00000000), ref: 0040FF2C
??3@YAXPAX@Z.MSVCRT(?,?,00410BC0,00410C2C,?,00000000), ref: 0040FF42
??3@YAXPAX@Z.MSVCRT(?,?,00410BC0,00410C2C,?,00000000), ref: 0040FF58
??3@YAXPAX@Z.MSVCRT(?,?,00410BC0,00410C2C,?,00000000), ref: 0040FF6E

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
Instruction ID: b81094b12df4fb27198692459327ff2c1ceec6e662cd9000025ff3e54110b63d
Opcode Fuzzy Hash: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
Instruction Fuzzy Hash: B0015E72A029322AC5257B26680178AA3557F41B14B06013FFA0577B824F7C799246ED

Function 0040173B Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040174A
GetSystemMetrics.USER32(00000015), ref: 00401758
GetSystemMetrics.USER32(00000014), ref: 00401764
BeginPaint.USER32(?,?), ref: 0040177E
DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 0040178D
EndPaint.USER32(?,?), ref: 0040179A

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
Instruction ID: a11a87b208587c0640a8feba78a21dda7633aea5bad1576310b301da0c27fea9
Opcode Fuzzy Hash: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
Instruction Fuzzy Hash: B6014B72900218FFDF08DFA8DD489FE7BB9FB44301F004469EE11EA194DAB1AA14CB64

Function 00411366 Relevance: 8.9, APIs: 7, Instructions: 147stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411387
memset.MSVCRT ref: 004113A0
memset.MSVCRT ref: 004113B4

Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97

strlen.MSVCRT ref: 004113D0
memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00403801,00000000), ref: 004113F5
memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,00403801,00000000), ref: 0041140B

Part of subcall function 0040BC6D: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCFE

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
Part of subcall function 0040BD0B: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,00403801,00000000), ref: 0040BD77
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81

memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 0041144B

Part of subcall function 0040BC6D: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCB0
Part of subcall function 0040BC6D: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCDA

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpymemset$strlen
String ID:
API String ID: 2142929671-0
Opcode ID: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
Instruction ID: c39f5f8930626063bf72b6da9320efac153577eb3bd573588316f9f93fa8d4dc
Opcode Fuzzy Hash: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
Instruction Fuzzy Hash: C4515C7290011DABCB10EF55CC819EEB7A9BF44308F5445BAE609A7151EB34AB898F94

Function 004078FF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,76F90A60), ref: 0040797A

Part of subcall function 00407D89: _itoa.MSVCRT ref: 00407DAA

strlen.MSVCRT ref: 00407998
LoadStringA.USER32(00000000,0000000D,?,?), ref: 004079C8
memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76F90A60), ref: 00407A07

Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT(00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078A5
Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT(00000000,00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078C3
Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078E1
Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078F1

Strings

strings, xrefs: 00407970

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$LoadString_itoamemcpystrcpystrlen
String ID: strings
API String ID: 1748916193-3030018805
Opcode ID: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
Instruction ID: bfec9983b2359add980c5e43b0d452c2fda20e15e3ba6c634c10b5a9b6e313b6
Opcode Fuzzy Hash: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
Instruction Fuzzy Hash: F73189B1A8C101BFD7159B59FD80DB63377EB84304710807AE902A7AB1E639B851CF9D

Function 0040329E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040314D: strchr.MSVCRT ref: 00403262

memset.MSVCRT ref: 004032F2
GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 0040330C
strchr.MSVCRT ref: 00403341

Part of subcall function 00402407: _mbsicmp.MSVCRT ref: 0040243F

strlen.MSVCRT ref: 00403383

Part of subcall function 00402407: _mbscmp.MSVCRT ref: 0040241B

Strings

Personalities, xrefs: 00403307

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
String ID: Personalities
API String ID: 2103853322-4287407858
Opcode ID: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
Instruction ID: ece583472a64ba9cf1aca627ef0740b0f3020b1d2d3fce26046d940835a048de
Opcode Fuzzy Hash: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
Instruction Fuzzy Hash: 8C21BA72A00108AADB119F69DD81ADE7F6C9F50349F0040BBEA45F3181DA38EF86866D

Function 00410F79 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 51registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410F9B

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007

Strings

Yahoo! User ID, xrefs: 00410FBF
Software\Yahoo\Pager, xrefs: 00410FA4
EOptions string, xrefs: 00410FDA

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuememset
String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
API String ID: 1830152886-1703613266
Opcode ID: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
Instruction ID: 4a1c6cf285358ebc60a306e6e4607d202acce7e44454db846991f846a9516d87
Opcode Fuzzy Hash: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
Instruction Fuzzy Hash: 820184B5A00118BBDB10A6569D02FDE7A6C9B94399F004076FF08F2251E2389F95C698

Function 00405F41 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?), ref: 00405F51
sprintf.MSVCRT ref: 00405F79
MessageBoxA.USER32(00000000,?,Error,00000030), ref: 00405F92

Strings

Error %d: %s, xrefs: 00405F73
Error, xrefs: 00405F83

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLastMessagesprintf
String ID: Error$Error %d: %s
API String ID: 1670431679-1552265934
Opcode ID: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
Instruction ID: dfdfd8ae3da356d4892d02c8fdfc7d0b76dc1d64d686e07e92b09a376f71314b
Opcode Fuzzy Hash: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
Instruction Fuzzy Hash: 9BF0A7B640010876CB10A764DC05FDA76BCAB44704F1440B6BA05E2141EAB4DB458FAC

Function 0040F037 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,753D8FB0,00405C41,00000000), ref: 0040F040
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040F04E
FreeLibrary.KERNEL32(00000000), ref: 0040F066

Strings

shlwapi.dll, xrefs: 0040F039
SHAutoComplete, xrefs: 0040F048

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
Instruction ID: e435a3077eadc7ffcc94e3fda903fcc6a6103b68d0c251917c13f6f883115a60
Opcode Fuzzy Hash: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
Instruction Fuzzy Hash: 70D0C2323002106B96605B326C0CAEB2D55EBC47527048032F505E1250EB648A86C1A8

Function 00407406 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00407415
memset.MSVCRT ref: 0040744D
memcpy.MSVCRT(?,00000000,?,?,?,?,76DBEB20,?,00000000), ref: 0040750A
LocalFree.KERNEL32(?,?,?,?,?,76DBEB20,?,00000000), ref: 00407535

Strings

&v@, xrefs: 0040750F

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeLocalmemcpymemsetstrlen
String ID: &v@
API String ID: 3110682361-3426253984
Opcode ID: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
Instruction ID: 0225f7a5d6cb17f6a7661d1d380ab710e59dbb599c3936da0c6da93344c8566d
Opcode Fuzzy Hash: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
Instruction Fuzzy Hash: B731F772D0411DABDB10DB68CC81BDEBBB8EF45318F1001B6E645B3281DA78AE858B95

Function 00409695 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,76F90A60,00000000,?,?,004092ED,00000001,00412B1C,76F90A60), ref: 00405F17

memset.MSVCRT ref: 004096CB

Part of subcall function 0040F09D: memcpy.MSVCRT(?,<,00000004,?,?,00000000,004096EC,?,?), ref: 0040F10B

Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060

sprintf.MSVCRT ref: 00409710

Strings

</item>, xrefs: 0040972A
<%s>%s</%s>, xrefs: 00409708
<item>, xrefs: 0040969F

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileWrite_strlwrmemcpymemsetsprintfstrcpystrlen
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 3200591283-2769808009
Opcode ID: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
Instruction ID: f0c093cdac9801847eaa7418f237768de61d650e358e632480a4b045718b8cde
Opcode Fuzzy Hash: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
Instruction Fuzzy Hash: FE11E731500515BFC711AF25CC42E967B64FF04318F10006AF549369A2EB76BA64DFD8

Function 00407BF9 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00407C0B
GetWindowRect.USER32(?,?), ref: 00407C18
GetClientRect.USER32(00000000,?), ref: 00407C23
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00407C33
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00407C4F

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
Instruction ID: 06ac4e87c023cdd11bbb76a881eefb098f7857fbb12a9e12d40a619b69e20d01
Opcode Fuzzy Hash: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
Instruction Fuzzy Hash: A7014C32800129BBDB119BA5DD89EFF7FBCEF46750F048129F901E2150D7B89541CBA9

Function 0040A4C8 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040A4F5

Part of subcall function 00405E2C: LoadCursorA.USER32(00000000,00007F02), ref: 00405E33
Part of subcall function 00405E2C: SetCursor.USER32(00000000,?,0040BAC6), ref: 00405E3A

SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040A518

Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A45D
Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A487
Part of subcall function 0040A437: strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
Part of subcall function 0040A437: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A4C0

SetCursor.USER32(?,?,0040B6B6), ref: 0040A53D
SetFocus.USER32(?,?,?,0040B6B6), ref: 0040A54F
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040A566

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessageSend$Cursor$sprintf$FocusLoadstrcat
String ID:
API String ID: 2210206837-0
Opcode ID: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
Instruction ID: 5ceab2a0550c6f7be61398745e2f8fe4621b0361104972d0b8848fcf02267a2c
Opcode Fuzzy Hash: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
Instruction Fuzzy Hash: 12116DB1200600EFD722AB74DC85FAA77EDFF48344F0644B9F1599B2B1CA716D018B10

Function 00409867 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040988A
memset.MSVCRT ref: 004098A0

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,76F90A60,00000000,?,?,004092ED,00000001,00412B1C,76F90A60), ref: 00405F17

Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060

sprintf.MSVCRT ref: 004098D7

Strings

<%s>, xrefs: 004098D1
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 004098A5

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3202206310-1998499579
Opcode ID: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
Instruction ID: 66925a684df18266fce8bb701fa3a75b356ea9bacad4fe0319972b489c667c97
Opcode Fuzzy Hash: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
Instruction Fuzzy Hash: BC01A77290011976D721A759CC46FDA7B6C9F44304F0400FAB509B3192DB789F858BA8

Function 00408572 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040857E
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040858C
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040859D
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 004085B4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 004085BD

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
Instruction ID: 0a64c6e0650ef7a992325d71cca8afebdafc0e64b7e6075a64aa0ecb46f153ec
Opcode Fuzzy Hash: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
Instruction Fuzzy Hash: C2F0F4725057016FDB209F6A99C0497B7D6BB48714B64083FF18AD3741CF78AD818A18

Function 004085D8 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040857E
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040858C
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040859D
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 004085B4
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 004085BD

??3@YAXPAX@Z.MSVCRT(?,?,00404244), ref: 004085F3
??3@YAXPAX@Z.MSVCRT(?,?,00404244), ref: 00408606
??3@YAXPAX@Z.MSVCRT(?,?,00404244), ref: 00408619
??3@YAXPAX@Z.MSVCRT(?,?,00404244), ref: 0040862C
free.MSVCRT ref: 00408640

Part of subcall function 00406B5B: free.MSVCRT ref: 00406B62

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
Instruction ID: 9ddd328a78e70669a2f2a4495a49ad6ad9a3331e0dda25fcf26d4743fc91c851
Opcode Fuzzy Hash: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
Instruction Fuzzy Hash: E3F0F6729028306BC9213B275011A8EB3657D4171431B056FF946BB7A28F3C6E9246FD

Function 0040E81A Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 004062D1: memset.MSVCRT ref: 004062F1
Part of subcall function 004062D1: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
Part of subcall function 004062D1: _stricmp.MSVCRT(00000000,edit), ref: 00406316

SetBkMode.GDI32(?,00000001), ref: 0040E841
GetSysColor.USER32(00000005), ref: 0040E849
SetBkColor.GDI32(?,00000000), ref: 0040E853
SetTextColor.GDI32(?,00C00000), ref: 0040E861
GetSysColorBrush.USER32(00000005), ref: 0040E869

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Color$BrushClassModeNameText_stricmpmemset
String ID:
API String ID: 1869857563-0
Opcode ID: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
Instruction ID: 70d3a7b2db974a4d4567ef1bfe72cf66993607b5e30e9ab541cb73924f0fe55d
Opcode Fuzzy Hash: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
Instruction Fuzzy Hash: 8CF01D32100205BBDF152FA6DD09E9E3F25EF08711F10C53AFA19A51E1CAB5D970DB58

Function 0040B105 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 0040B13E
SetFocus.USER32(?,?,?), ref: 0040B1E4
InvalidateRect.USER32(?,00000000,00000000), ref: 0040B2E1

Strings

`5A, xrefs: 0040B1EA

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DestroyFocusInvalidateRectWindow
String ID: `5A
API String ID: 3502187192-343712130
Opcode ID: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
Instruction ID: 7dc3b259c8ef6dbe6f4b6ee630ad47b8a618685bd7b93527759b10f323b3e488
Opcode Fuzzy Hash: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
Instruction Fuzzy Hash: 2B519130A043019BCB25BF658845E9AB3E0EF54724F44C57FF4696F2E1CB7999818B8E

Function 00405CEE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

BeginDeferWindowPos.USER32(0000000B), ref: 00405D07

Part of subcall function 0040169B: GetDlgItem.USER32(?,?), ref: 004016AB
Part of subcall function 0040169B: GetClientRect.USER32(?,?), ref: 004016BD
Part of subcall function 0040169B: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401727

EndDeferWindowPos.USER32(?), ref: 00405DD8
InvalidateRect.USER32(?,?,00000001), ref: 00405DE3

Strings

$, xrefs: 00405DEF

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DeferWindow$Rect$BeginClientInvalidateItem
String ID: $
API String ID: 2498372239-3993045852
Opcode ID: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
Instruction ID: 46e20a5f719da2480e3b09a58904212cef45bdfb275aa5f1a4c21840a4711c1e
Opcode Fuzzy Hash: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
Instruction Fuzzy Hash: EB316D30641254BBCB216F13DD49D9F3F7CEF86BA4F10483DB409762A1C6798E10DAA8

Function 0040719C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 004071D7

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407225
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407242

Strings

Software\Google\Google Desktop\Mailboxes, xrefs: 004071AF

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Close$EnumOpenmemset
String ID: Software\Google\Google Desktop\Mailboxes
API String ID: 2255314230-2212045309
Opcode ID: 452db49ed067e6e6e63c10348168c8f88923fb1a9b6aea3e0d2cfe22e4762b25
Instruction ID: abca04dfe3767426288f52b4a512d9ce3e2bfadbcd13eaa8a3c626f28e0c8a54
Opcode Fuzzy Hash: 452db49ed067e6e6e63c10348168c8f88923fb1a9b6aea3e0d2cfe22e4762b25
Instruction Fuzzy Hash: A71142728083456BD710EE52DC01EAB7BECEB84344F04093EF995E1191E735E628DAA7

Function 0040B70A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32(?), ref: 0040B74B
CreateWindowExA.USER32(00000000,MailPassView,Mail PassView,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,?), ref: 0040B776

Strings

MailPassView, xrefs: 0040B770
Mail PassView, xrefs: 0040B76B

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClassCreateRegisterWindow
String ID: Mail PassView$MailPassView
API String ID: 3469048531-1277648965
Opcode ID: 7d9b3190e156b9bfff027be3e0f607fb910863f17b47cbf685ca248547ef7640
Instruction ID: f223c9819260e0b75888b36d0bfde8daf7ba5992c102a2aca34afaaeb944facf
Opcode Fuzzy Hash: 7d9b3190e156b9bfff027be3e0f607fb910863f17b47cbf685ca248547ef7640
Instruction Fuzzy Hash: 3601ECB5D01248ABDB10CF96CD45ADFFFF8EB99B00F10812AE555F2250D7B46544CB68

Function 00401085 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB

CreateFontIndirectA.GDI32(?), ref: 004010A4
SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 004010C3
SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 004010E0

Strings

MS Sans Serif, xrefs: 00401090

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetstrcpy
String ID: MS Sans Serif
API String ID: 4251605573-168460110
Opcode ID: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
Instruction ID: 11d026e54a5ae2454c64c325e08d9e616df03e05f7163fa19ba200447038793b
Opcode Fuzzy Hash: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
Instruction Fuzzy Hash: 73F0A775A8034877E72167A0ED47F8A7BACAB40B00F10C135FB61B51E1D6F47554DB58

Function 0040DE43 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00416E70,?,00000050,?,004014FF,?), ref: 0040DE5D
memcpy.MSVCRT(00416BA0,?,000002CC,00416E70,?,00000050,?,004014FF,?), ref: 0040DE6F
DialogBoxParamA.USER32(0000006B,?,Function_0000DB39,00000000), ref: 0040DE93

Strings

V7, xrefs: 0040DE6F

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$DialogParam
String ID: V7
API String ID: 392721444-2959985473
Opcode ID: 5e9eade56f70dddb9201fe9d43162507361263185449feca73d32e9d96fafbc6
Instruction ID: 1a8743d5fef8bbef7923f2c95fec7d45d4f15d0a806a7122114c86eec2fd18b9
Opcode Fuzzy Hash: 5e9eade56f70dddb9201fe9d43162507361263185449feca73d32e9d96fafbc6
Instruction Fuzzy Hash: 93F0A7716843207BD7116F54AC06BC63BF2B704B5AF114926F149E40E1D3F56550CBCC

Function 004062D1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004062F1
GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
_stricmp.MSVCRT(00000000,edit), ref: 00406316

Strings

edit, xrefs: 00406310

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClassName_stricmpmemset
String ID: edit
API String ID: 3665161774-2167791130
Opcode ID: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
Instruction ID: 6efc07277a00def775dca084f59963aaad452a70fda198cb5006c56c80a8bddd
Opcode Fuzzy Hash: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
Instruction Fuzzy Hash: 75E09BB3C4412A7ADB21A764DC05FE53BAC9F59305F0001B6BD46E10D5E5B497C887A5

Function 0040EDAC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,76F90A60,?,00000000), ref: 0040EDBA
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF

Strings

shell32.dll, xrefs: 0040EDB5
SHGetSpecialFolderPathA, xrefs: 0040EDC9

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathA$shell32.dll
API String ID: 2574300362-543337301
Opcode ID: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
Instruction ID: 9298da647e7f97f850720a93b521a1101e1548fa407b312faad19db7241a3124
Opcode Fuzzy Hash: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
Instruction Fuzzy Hash: 4BD0C970649202EFC7008F21AE097813ABABB18703F10C537A506E1AA0F7B88190CF5C

Function 0040FE05 Relevance: 6.3, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00406549: memset.MSVCRT ref: 00406557

??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE1A
??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE38
??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE53
??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE7C
??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FEA0

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 1f0eb692bf4756200005e253d6c900365ae8e51c0a9d530db6412e15fefa842e
Instruction ID: d938b1c2a289ef47e5423cea375f2860c04713c819a512dfc676868f3ea794ac
Opcode Fuzzy Hash: 1f0eb692bf4756200005e253d6c900365ae8e51c0a9d530db6412e15fefa842e
Instruction Fuzzy Hash: CC3146B0A107008FD7609F3AD845666FBE4EF80355F25887FD20ADB6B2E7B8D4448B59

Function 0040BD0B Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BD2A
memset.MSVCRT ref: 0040BD40
memset.MSVCRT ref: 0040BD52
memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,00403801,00000000), ref: 0040BD77
memset.MSVCRT ref: 0040BD81

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
Instruction ID: 14e83d3a51f9c3b731822f35bbce0da2433a64988b134a744f8d54487411a0b4
Opcode Fuzzy Hash: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
Instruction Fuzzy Hash: 6F01F5B1680B0026D2356B26CC02F9A77A5AFA0714F000B1EF643666D1D7ACE244869C

Function 0040246C Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 0040252C
memset.MSVCRT ref: 004024F5

Part of subcall function 0040E988: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
Part of subcall function 0040E988: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
Part of subcall function 0040E988: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 0040EA04
Part of subcall function 0040E988: CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 004025E4
LocalFree.KERNEL32(?), ref: 004025EE

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
String ID:
API String ID: 3503910906-0
Opcode ID: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
Instruction ID: 8b275e149f62785490509d2466391155d2af3f8991a5b00387cc308873e1222d
Opcode Fuzzy Hash: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
Instruction Fuzzy Hash: 7041B4B1408384BFD711DB608D44AEBBBDCBB48308F44493EFA98A21D1D678DA54DB5A

Function 0040B3C4 Relevance: 6.1, APIs: 4, Instructions: 115windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B42E
SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040B472
GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040B48C
PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040B52F

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Message$MenuPostSendStringmemset
String ID:
API String ID: 3798638045-0
Opcode ID: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
Instruction ID: e99ea3cd5ae45d968ce1bb78ba156cefd6297a3afaf0c32d246f8b1269deedf3
Opcode Fuzzy Hash: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
Instruction Fuzzy Hash: 5041F430600611EBCB25DF24CC85A96B7A4FF14324F1482B6E958AB2C6C378DE91CBDC

Function 0040A119 Relevance: 6.1, APIs: 4, Instructions: 114stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040892D: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 0040894E
Part of subcall function 0040892D: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00408A15

strlen.MSVCRT ref: 0040A13F
atoi.MSVCRT(?,00000000,?,76F90A60,?,00000000), ref: 0040A14D
_mbsicmp.MSVCRT ref: 0040A1A0
_mbsicmp.MSVCRT ref: 0040A1B3

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _mbsicmp$??2@??3@atoistrlen
String ID:
API String ID: 4107816708-0
Opcode ID: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
Instruction ID: ad5e67b725479cd3c0fe98911646f79d6f4c04cefe3616236e53ea043d5b2769
Opcode Fuzzy Hash: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
Instruction Fuzzy Hash: 24414B75900304AFCB10DFA9C580A9ABBF5FB48308F1084BEEC05AB392D7399A51CB59

Function 00410E8A Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00410E97

Strings

>, xrefs: 00410ED2
>, xrefs: 00410EF8
>, xrefs: 00410EBD

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strlen
String ID: >$>$>
API String ID: 39653677-3911187716
Opcode ID: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
Instruction ID: 69dee6f6c2e5f632f5f5b053a668a00b89048f502478ac4f4f3cd81ce8891ac8
Opcode Fuzzy Hash: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
Instruction Fuzzy Hash: D331D5318097C49ED7218B6980563EFFFA14F26304F188ADAD0E557343D2EC96CAC75A

Function 0040BC6D Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCB0
memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCDA
memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCFE

Strings

@, xrefs: 0040BCEC

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: @
API String ID: 3510742995-2766056989
Opcode ID: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
Instruction ID: cecad1072309209c94eeb2778a75b30bbc980c70aaade9bdc77468b7d13379ad
Opcode Fuzzy Hash: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
Instruction Fuzzy Hash: 8B112BB29003056BDB288F16D8809AA77EAEF50344700063FFD0796291FB39DE55C6DC

Function 00406F6F Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,?,?,004014BB,?,?,?,?,00414588,0000000C), ref: 00406FA4
memset.MSVCRT ref: 00406FB5
memcpy.MSVCRT(00416AC0,?,00000000,00000000,00000000,00000000,00000000,?,?,004014BB,?,?,?,?,00414588,0000000C), ref: 00406FC1
??3@YAXPAX@Z.MSVCRT ref: 00406FCE

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 28b3a4642f3a3c0ced8ee47f767df9dcead146173574c86910ac67de2723ebda
Instruction ID: 30667c860212afb2fcb1bf0ba773cc68d22997902d766bb0abd15f5aaececc89
Opcode Fuzzy Hash: 28b3a4642f3a3c0ced8ee47f767df9dcead146173574c86910ac67de2723ebda
Instruction Fuzzy Hash: 81118F71204601AFD328DF1DD881A27F7E6FFD8340B21892EE59B87391DA35E841CB54

Function 0040EFAE Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0040EFBE
SHBrowseForFolderA.SHELL32(?), ref: 0040EFF0
SHGetPathFromIDListA.SHELL32(00000000,?), ref: 0040F004
strcpy.MSVCRT(?,?), ref: 0040F017

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: BrowseFolderFromListMallocPathstrcpy
String ID:
API String ID: 409945605-0
Opcode ID: 363e444f0183eb3209581039a296e9ed2a0e0cb40b9c5b89ec9b93d888cfbacc
Instruction ID: 0bece651b4572a5d25d0fced66708dfb83f65978f11dfbdadd7c1eadd6bf4f14
Opcode Fuzzy Hash: 363e444f0183eb3209581039a296e9ed2a0e0cb40b9c5b89ec9b93d888cfbacc
Instruction Fuzzy Hash: DD11F7B5900208AFCB10DFA9D9889EEBBFCFB49310F10447AEA05E7241D779DA458B64

Function 0040A437 Relevance: 6.0, APIs: 4, Instructions: 45stringwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004078FF: LoadStringA.USER32(00000000,0000000D,?,?), ref: 004079C8
Part of subcall function 004078FF: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76F90A60), ref: 00407A07

sprintf.MSVCRT ref: 0040A45D
SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A4C0

Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,76F90A60), ref: 0040797A
Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998

sprintf.MSVCRT ref: 0040A487
strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: sprintf$LoadMessageSendStringmemcpystrcatstrcpystrlen
String ID:
API String ID: 919693953-0
Opcode ID: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
Instruction ID: 75288aada6eb4f7a447a9cf13bdf828529425e42ebb21a5188d22772f738aad9
Opcode Fuzzy Hash: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
Instruction Fuzzy Hash: 2601DBB250030466D721B775DD86FEB73AC6F00304F40447BB74AF6082DABCE9808B29

Function 0040F3BA Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F3DC
strlen.MSVCRT ref: 0040F3E4
strlen.MSVCRT ref: 0040F3F1

Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4

Strings

sqlite3.dll, xrefs: 0040F3E9, 0040F3EE, 0040F401

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strlen$memsetstrcatstrcpy
String ID: sqlite3.dll
API String ID: 1581230619-1155512374
Opcode ID: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
Instruction ID: fec7c4afce47c381fe657df57b8ff367c384fd882de8837a2d08c6e6e293e1f2
Opcode Fuzzy Hash: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
Instruction Fuzzy Hash: 4BF02D3144C1286ADB10E769DC45FCA7BAC8FA1318F1040B7F586E60D2D9B89AC98668

Function 004098F4 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409917
memset.MSVCRT ref: 0040992D

Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060

sprintf.MSVCRT ref: 00409957

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,76F90A60,00000000,?,?,004092ED,00000001,00412B1C,76F90A60), ref: 00405F17

Strings

</%s>, xrefs: 00409951

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
String ID: </%s>
API String ID: 3202206310-259020660
Opcode ID: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
Instruction ID: adbfc7571eef3522ba50f6b4148bdf50dea618c8f0168b60c77ad4ff43fabaf4
Opcode Fuzzy Hash: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
Instruction Fuzzy Hash: B201D1729001297AD720A719CC45FDA7AACAF84304F0400FAB60AF3182DA749F848BA8

Function 00406734 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 20stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00406736
strlen.MSVCRT ref: 00406741
strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758

Strings

dA, xrefs: 00406751

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strlen$strcat
String ID: dA
API String ID: 2335785903-82490789
Opcode ID: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
Instruction ID: 8adb96eafe51badce5d1f431fd236154b3227263db9247bb640c15329514921a
Opcode Fuzzy Hash: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
Instruction Fuzzy Hash: EFD05E3350852036C5152316BC429DE5B82CBC037CB15445FF609921A1E93D84D1859D

Function 00402221 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

_ultoa.MSVCRT ref: 00402286
sprintf.MSVCRT ref: 004022FA

Strings

%s %s %s, xrefs: 004022F4

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _ultoasprintf
String ID: %s %s %s
API String ID: 432394123-3850900253
Opcode ID: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
Instruction ID: d9c328b9b741649d7ae815da5d558f3ae5f994b92098e95e7c9169487fd3f945
Opcode Fuzzy Hash: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
Instruction Fuzzy Hash: C4410932504B15C7C636956487CCBEBA264A742304F6508BFEC5AF72D1C2FCAD41976B

Function 0040D37A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

Strings

prefs.js, xrefs: 0040D3E6
*.*, xrefs: 0040D3A3

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strlen$FileFindFirst
String ID: *.*$prefs.js
API String ID: 2516927864-1592826420
Opcode ID: 3e701ac251ef0c92007320573df48c8a58c02c849dde9726d81be77e97480d08
Instruction ID: f0fdac10561689b7590a9d658f3f63ad40faf00aab35cef1d8d79f75c7dff1a2
Opcode Fuzzy Hash: 3e701ac251ef0c92007320573df48c8a58c02c849dde9726d81be77e97480d08
Instruction Fuzzy Hash: 2711E731408349AAD720EAA5C8019DB77DC9F85324F00493FF869E21C1DB38E61E87AB

Function 00406680 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

GetSaveFileNameA.COMDLG32(?), ref: 004066CF
strcpy.MSVCRT(?,?), ref: 004066E6

Strings

L, xrefs: 004066B4

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileNameSavestrcpy
String ID: L
API String ID: 1182090483-2909332022
Opcode ID: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
Instruction ID: a38c0b8f1c2b7ba0f1b8aa2faef71ae79cae630a3543d59e66951d479f2b4fd1
Opcode Fuzzy Hash: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
Instruction Fuzzy Hash: 7F0125B1E102199FDF00CFA9D8807AEBBF8FF08319F10442AE915E6280DBB88915CF44

Function 0040ADB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040ADD3
SetFocus.USER32(?,?), ref: 0040AE5B

Part of subcall function 0040AD9D: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040ADAC

Strings

l, xrefs: 0040AE03

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FocusMessagePostmemset
String ID: l
API String ID: 3436799508-2517025534
Opcode ID: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
Instruction ID: a3aa1947760d1632b5ff20bf1b11b778d92a779fff19439862dc3abef3b95f30
Opcode Fuzzy Hash: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
Instruction Fuzzy Hash: 1011A1719002589BDF21AB14CC047CA7BAAAF80308F0804F5A94C7B292C7B55B88CFA9

Function 00408441 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040845A
SendMessageA.USER32(?,00001019,00000000,?), ref: 00408488

Strings

", xrefs: 00408481

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessageSendmemset
String ID: "
API String ID: 568519121-123907689
Opcode ID: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
Instruction ID: 3d4b9897b9e590d379032152458179bae83636b6f0047c21005e3f982915147a
Opcode Fuzzy Hash: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
Instruction Fuzzy Hash: 4F01D635900205AFDB20CF95C941EAFB7F8FF84759F10842EE891AA240E738DA85CB75

Function 00406618 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35stringCOMMON

Download Yara Rule

APIs

GetOpenFileNameA.COMDLG32(?), ref: 00406662
strcpy.MSVCRT(?,?), ref: 00406670

Strings

L, xrefs: 0040663C

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileNameOpenstrcpy
String ID: L
API String ID: 812585365-2909332022
Opcode ID: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
Instruction ID: 13dc2997c8553d865726dff807e233ea18e6c60b58d53e24b26ad6de5975139e
Opcode Fuzzy Hash: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
Instruction Fuzzy Hash: 5201B2B1D10218AFCF40DFA9D8456CEBFF8BB08308F00812AE519E6240E7B886458F98

Function 00407BB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000), ref: 00407BC1
sprintf.MSVCRT ref: 00407BE4

Part of subcall function 00407A64: GetMenuItemCount.USER32(?), ref: 00407A7A
Part of subcall function 00407A64: memset.MSVCRT ref: 00407A9E
Part of subcall function 00407A64: GetMenuItemInfoA.USER32(?), ref: 00407AD4
Part of subcall function 00407A64: memset.MSVCRT ref: 00407B01
Part of subcall function 00407A64: strchr.MSVCRT ref: 00407B0D
Part of subcall function 00407A64: strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407B68
Part of subcall function 00407A64: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407B84

Strings

menu_%d, xrefs: 00407BDA

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoLoadModifysprintfstrcatstrchr
String ID: menu_%d
API String ID: 3671758413-2417748251
Opcode ID: e0b27bc8312c4869803a1ee04920a3f9795f2512d2491c73ec6fe14da36cbe17
Instruction ID: 3be60505ea2565ef11dfa3f51dd36ce0e69a3f53bb310b440500eec60165980c
Opcode Fuzzy Hash: e0b27bc8312c4869803a1ee04920a3f9795f2512d2491c73ec6fe14da36cbe17
Instruction Fuzzy Hash: 9FD01D71A4D14037D72033356D09FCF19794BD3B15F5440A9F200722D1D57C5755857D

Function 00406325 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A

Strings

PuA, xrefs: 0040632D

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DirectoryWindowsstrcpy
String ID: PuA
API String ID: 531766897-3228437271
Opcode ID: b1972f0ba22637c8055687d42c6acbfd742ac988b9f6313726f8896cebb56ee7
Instruction ID: dc620c75b08fae7ca861cc569808ec9e0c9c78cdcec5c9dc17d9b47d99426002
Opcode Fuzzy Hash: b1972f0ba22637c8055687d42c6acbfd742ac988b9f6313726f8896cebb56ee7
Instruction Fuzzy Hash: D2D0A77184E2907FE3015728BC45AC63FB5DB05330F10807BF508A25A0E7741C90879C

Function 00408348 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406160: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,0040834E,00000000,0040826C,?,00000000,00000104,?), ref: 0040616B

strrchr.MSVCRT ref: 00408351
strcat.MSVCRT(00000000,_lng.ini,00000000,00000104,?), ref: 00408366

Strings

_lng.ini, xrefs: 00408360

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileModuleNamestrcatstrrchr
String ID: _lng.ini
API String ID: 3097366151-1948609170
Opcode ID: d4342e7cf2f2cd7acb0c5595099143b60559064a13119ecfeb2f3085bb136c0c
Instruction ID: a8d2890f819e62600bf11f9c0364550bfc67884382c2ab22ce71db24782b6e2f
Opcode Fuzzy Hash: d4342e7cf2f2cd7acb0c5595099143b60559064a13119ecfeb2f3085bb136c0c
Instruction Fuzzy Hash: 37C01275686A5438D11622355E03B8F01454F52745F24409BF903391D6DE5D569141AE

Function 00403397 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(Server Details,?,Function_00012466,(4@,0000007F,?), ref: 004033AF

Strings

(4@, xrefs: 0040339D
Server Details, xrefs: 004033AA

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfileString
String ID: (4@$Server Details
API String ID: 1096422788-3984282551
Opcode ID: 7bf2893a727a8b250936425436c2602b2102234e3c58862608b198b8383da292
Instruction ID: 5387a3ffe087b7673ef104c15d829f3f0df010b9e50aa15a0af8b6122c5a167a
Opcode Fuzzy Hash: 7bf2893a727a8b250936425436c2602b2102234e3c58862608b198b8383da292
Instruction Fuzzy Hash: A0C04031544301FAC5114F909F05E4D7F516B54B40F118415B24450065C1E54574DB26

Function 004084CE Relevance: 5.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00406549: memset.MSVCRT ref: 00406557

??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,0040401F,00000000,?,0040B7D2,00000000,?,0040BA04), ref: 004084E3
??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040401F,00000000,?,0040B7D2,00000000,?,0040BA04), ref: 0040850C
??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040401F,00000000,?,0040B7D2,00000000,?,0040BA04), ref: 0040852D
??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040401F,00000000,?,0040B7D2,00000000,?,0040BA04), ref: 0040854E

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: e0b7386c77e7a01b56b751958be04bef72ccb72ccdbc98b166978a9f85b8d0ac
Instruction ID: 33d46294e57da76ea2c08804649fae6184d1477937e8cd9eb119e1572679ad16
Opcode Fuzzy Hash: e0b7386c77e7a01b56b751958be04bef72ccb72ccdbc98b166978a9f85b8d0ac
Instruction Fuzzy Hash: F321B3B0A01300AED7518F2B9945955FBE4FF94355B2AC8AFD149DB2B2EBB8C8408F14

Function 00406A74 Relevance: 5.1, APIs: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00406A80
free.MSVCRT ref: 00406AA0

Part of subcall function 004060FA: malloc.MSVCRT ref: 00406116
Part of subcall function 004060FA: memcpy.MSVCRT(00000000,00000000,00000000,00000000,76F90A60,00406B49,00000001,?,00000000,76F90A60,00406D88,00000000,?,?), ref: 0040612E
Part of subcall function 004060FA: free.MSVCRT ref: 00406137

free.MSVCRT ref: 00406AC3
memcpy.MSVCRT(?,?,?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AE3

Memory Dump Source

Source File: 00000005.00000002.1485373201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1485373201.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free$memcpy$mallocstrlen
String ID:
API String ID: 3669619086-0
Opcode ID: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
Instruction ID: e46d755c35f7a0493bef025674ad9543d325b8c94dab604409744cdcda2aebf9
Opcode Fuzzy Hash: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
Instruction Fuzzy Hash: 70116D71200700EFC730EF18D8819AAB7F5EF45328B108A2EF957A7691DB35F9658B54

Analysis Process: vbc.exePID: 7968, Parent PID: 7556COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.1%
Total number of Nodes:	1583
Total number of Limit Nodes:	48

Executed Functions

Function 00408441 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000103,0000038B,00000000,?,00410790,?), ref: 00408457
FindNextFileW.KERNELBASE(000000FF,0000038B,00000000,?,00410790,?), ref: 00408475
wcslen.MSVCRT ref: 004084A5
wcslen.MSVCRT ref: 004084AD

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileFindwcslen$FirstNext
String ID:
API String ID: 2163959949-0
Opcode ID: 80c24c4a0fd4be1e088faab584ff479ea008bcf4405b994ad439e2c2ad98ac31
Instruction ID: 6e3c8222864954d55df90d51b8e56744ea09e2897b7152e8bd6019cb1af30d80
Opcode Fuzzy Hash: 80c24c4a0fd4be1e088faab584ff479ea008bcf4405b994ad439e2c2ad98ac31
Instruction Fuzzy Hash: E5118272515706AFD7149B24D984A9B73DCAF04725F604A3FF09AD31C0FF78A9448B29

Function 00415F87 Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00415EAF: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415EDB
Part of subcall function 00415EAF: malloc.MSVCRT ref: 00415EE6
Part of subcall function 00415EAF: free.MSVCRT ref: 00415EF6

Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED

GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00416001
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00416029
free.MSVCRT ref: 00416032

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
String ID:
API String ID: 1355100292-0
Opcode ID: 6d9bbb2232084d268bbffa8b88e6344bd84b9c6ec403a6433ede71687f16327b
Instruction ID: 7d405d749a0edc351a3ddf496a078fe72cac754ac47b8191c628d3d1323914f3
Opcode Fuzzy Hash: 6d9bbb2232084d268bbffa8b88e6344bd84b9c6ec403a6433ede71687f16327b
Instruction Fuzzy Hash: 45219276804108EEEB21EBA4C8849EF7BBCEF09304F1100ABE641D7141E778CEC597A5

Function 00410168 Relevance: 56.4, APIs: 23, Strings: 9, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004101DA
wcsrchr.MSVCRT ref: 004101F2
memset.MSVCRT ref: 004102D9
ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,00000000,00000104), ref: 00410326

Part of subcall function 00409A34: _wcslwr.MSVCRT ref: 00409AFC
Part of subcall function 00409A34: wcslen.MSVCRT ref: 00409B11

Part of subcall function 00408619: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 00408652
Part of subcall function 00408619: wcslen.MSVCRT ref: 00408678
Part of subcall function 00408619: wcsncmp.MSVCRT ref: 004086AE
Part of subcall function 00408619: memset.MSVCRT ref: 00408725
Part of subcall function 00408619: memcpy.MSVCRT(?,?,?,?,00000001,?,?,00000000,?), ref: 00408746

Part of subcall function 00409EB8: LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
Part of subcall function 00409EB8: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC

Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F309
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F31E
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F333
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F348
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F35D
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F383
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F394
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3CC
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3DA
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F413
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F421

memset.MSVCRT ref: 004103AA
memset.MSVCRT ref: 004103C6
memset.MSVCRT ref: 004103E2
memset.MSVCRT ref: 004104F9

Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E17
Part of subcall function 00406DD9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E69
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E81
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E99
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406EB1
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EBC
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406ECA
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EF9
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406F07

wcslen.MSVCRT ref: 00410437
wcslen.MSVCRT ref: 00410446
wcslen.MSVCRT ref: 0041048B
wcslen.MSVCRT ref: 0041049A
memset.MSVCRT ref: 00410562
memset.MSVCRT ref: 0041057A
wcslen.MSVCRT ref: 00410593
wcslen.MSVCRT ref: 004105A1
wcslen.MSVCRT ref: 004105FC
wcslen.MSVCRT ref: 0041060A
memset.MSVCRT ref: 0041068A
wcslen.MSVCRT ref: 00410699
wcslen.MSVCRT ref: 00410720
wcslen.MSVCRT ref: 0041072E
wcslen.MSVCRT ref: 004106A7

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083BC
Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083CD

Strings

Path, xrefs: 004102E1
Opera, xrefs: 004106A0, 004106BE
Google\Chrome\User Data, xrefs: 00410432, 0041045D
Opera\Opera\wand.dat, xrefs: 0041059A, 004105B8
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe, xrefs: 004102E6
Google\Chrome SxS\User Data, xrefs: 00410486, 004104B1
wand.dat, xrefs: 00410727, 00410745
%programfiles%\Sea Monkey, xrefs: 00410321
Opera\Opera7\profile\wand.dat, xrefs: 00410603, 00410621

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$memset$wcscmp$AddressByteCharCredEnumerateEnvironmentExpandLibraryLoadMultiProcStringsWide_wcslwrmemcpywcscatwcscpywcsncmpwcsrchr
String ID: %programfiles%\Sea Monkey$Google\Chrome SxS\User Data$Google\Chrome\User Data$Opera$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$wand.dat
API String ID: 3717286792-109336846
Opcode ID: f13f96fbde304a81fdc24d66a109aaecf4b7903a0817bb42302798235a986fce
Instruction ID: 5236af18994b30efd903e1d9b734594bd5ee8d83944705dbeea0fe3cf72f0f99
Opcode Fuzzy Hash: f13f96fbde304a81fdc24d66a109aaecf4b7903a0817bb42302798235a986fce
Instruction Fuzzy Hash: A0F17771901218ABDB20EB51DD85ADEB378AF04714F5444ABF508A7181E7B8AFC4CF9E

Function 0040FAFF Relevance: 42.1, APIs: 16, Strings: 8, Instructions: 124
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040FB20
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040FB69
SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 0040FB76
memset.MSVCRT ref: 0040FB90
wcslen.MSVCRT ref: 0040FB9D
wcslen.MSVCRT ref: 0040FBAC
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040FBE7
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC03
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC1A
GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040FC2F
GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040FC3B
GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040FC47
GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040FC53
GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040FC5F
GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040FC6B
GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040FC77

Part of subcall function 0040648C: memset.MSVCRT ref: 004064AD
Part of subcall function 0040648C: memset.MSVCRT ref: 004064FA
Part of subcall function 0040648C: RegCloseKey.ADVAPI32(0040FB38), ref: 00406634
Part of subcall function 0040648C: wcscpy.MSVCRT ref: 00406642
Part of subcall function 0040648C: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406659
Part of subcall function 0040648C: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406695

Strings

PK11_FreeSlot, xrefs: 0040FC49
PK11_Authenticate, xrefs: 0040FC61
nss3.dll, xrefs: 0040FB98, 0040FBC0
PK11_GetInternalKeySlot, xrefs: 0040FC3D
NSS_Shutdown, xrefs: 0040FC31
PK11_CheckUserPassword, xrefs: 0040FC55
NSS_Init, xrefs: 0040FC28
PK11SDR_Decrypt, xrefs: 0040FC6D

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 2554026968-4029219660
Opcode ID: 7b5db3b0d5bf1743c32fccddbb21aa02e391161234974de8ca04521cdbb317a2
Instruction ID: eeb2f36212a21d3aa086fe7dd3a0485c0e35c5a93e030d286215ed8b11f998db
Opcode Fuzzy Hash: 7b5db3b0d5bf1743c32fccddbb21aa02e391161234974de8ca04521cdbb317a2
Instruction Fuzzy Hash: 15418371940309ABEB209F61CC85E9AB7F8BF58744F10087EE58593191EBB999848F58

Function 0040E2F1 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403926: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040E305,00000000), ref: 00403945
Part of subcall function 00403926: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403957
Part of subcall function 00403926: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040E305,00000000), ref: 0040396B
Part of subcall function 00403926: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403996

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002), ref: 0040E319
GetModuleHandleW.KERNEL32(00000000,00411F7E,00000000,?,00000002), ref: 0040E332
EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 0040E339
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040E4CB
DeleteObject.GDI32(?), ref: 0040E4E1

Strings

/deleteregkey, xrefs: 0040E3B3
, xrefs: 0040E34D
/savelangfile, xrefs: 0040E385

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$??3@AddressDeleteEnumErrorFreeHandleLoadMessageModeModuleObjectProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 3591293073-28296030
Opcode ID: c7f6c6ad16e89a48cb0e0d64ac08aa0b3efbd1f5f4a19e75b38d6438d40399e7
Instruction ID: 121834c48f7c844bba9a1922674ad86b62a86fe916e360ab8a1a69ef7a5829fa
Opcode Fuzzy Hash: c7f6c6ad16e89a48cb0e0d64ac08aa0b3efbd1f5f4a19e75b38d6438d40399e7
Instruction Fuzzy Hash: 5451B171408345ABD720AFA2DD4895FB7A8FF84709F000D3EF640A3191DB79D9158B2A

Function 00406DD9 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FAFF: memset.MSVCRT ref: 0040FB20
Part of subcall function 0040FAFF: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040FB69
Part of subcall function 0040FAFF: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 0040FB76
Part of subcall function 0040FAFF: memset.MSVCRT ref: 0040FB90
Part of subcall function 0040FAFF: wcslen.MSVCRT ref: 0040FB9D
Part of subcall function 0040FAFF: wcslen.MSVCRT ref: 0040FBAC
Part of subcall function 0040FAFF: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040FBE7
Part of subcall function 0040FAFF: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC03
Part of subcall function 0040FAFF: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC1A
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040FC2F
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040FC3B
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040FC47
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040FC53
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040FC5F

memset.MSVCRT ref: 00406E17
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
memset.MSVCRT ref: 00406E69
memset.MSVCRT ref: 00406E81
memset.MSVCRT ref: 00406E99
memset.MSVCRT ref: 00406EB1
wcslen.MSVCRT ref: 00406EBC
wcslen.MSVCRT ref: 00406ECA
wcslen.MSVCRT ref: 00406EF9
wcslen.MSVCRT ref: 00406F07
wcslen.MSVCRT ref: 00406F36
wcslen.MSVCRT ref: 00406F44
wcslen.MSVCRT ref: 00406F73
wcslen.MSVCRT ref: 00406F81
SetCurrentDirectoryW.KERNEL32(?), ref: 00407074

Part of subcall function 0040697E: memset.MSVCRT ref: 004069BD
Part of subcall function 0040697E: memset.MSVCRT ref: 00406A3C
Part of subcall function 0040697E: memset.MSVCRT ref: 00406A51

Strings

signons.sqlite, xrefs: 00406F7A, 00406F8F
signons2.txt, xrefs: 00406F00, 00406F15
signons3.txt, xrefs: 00406F3D, 00406F52
signons.txt, xrefs: 00406EC3, 00406ED8

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetwcslen$AddressProc$CurrentDirectory$LibraryLoad$ByteCharHandleModuleMultiWide
String ID: signons.sqlite$signons.txt$signons2.txt$signons3.txt
API String ID: 1908949080-2435954524
Opcode ID: 00d903caa4eb60a1b1d619f3f2ea5d5f954a86edb9cfa0049ad989ed505ac937
Instruction ID: 8f96e2222c77d76af5181fd0f533d019f0899d465181413e0b466bd376840954
Opcode Fuzzy Hash: 00d903caa4eb60a1b1d619f3f2ea5d5f954a86edb9cfa0049ad989ed505ac937
Instruction Fuzzy Hash: 8871B07180461AABDB21EF61DC41A9E77BCFF04318F1004AEF909F2181E779AE548F69

Function 0040648C Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 173
registrytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004064AD

Part of subcall function 00411B67: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A

_wcsnicmp.MSVCRT ref: 00406520
memset.MSVCRT ref: 00406544
memset.MSVCRT ref: 00406560
_snwprintf.MSVCRT ref: 00406580
wcsrchr.MSVCRT ref: 004065A7
CompareFileTime.KERNEL32(?,?,00000000), ref: 004065DA
wcscpy.MSVCRT ref: 004065FC
memset.MSVCRT ref: 004064FA

Part of subcall function 00411BFE: RegEnumKeyExW.ADVAPI32(00000000,0040FB38,0040FB38,?,00000000,00000000,00000000,0040FB38,0040FB38,00000000), ref: 00411C21

RegCloseKey.ADVAPI32(0040FB38), ref: 00406634
wcscpy.MSVCRT ref: 00406642
ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406659
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406695

Strings

SOFTWARE\Mozilla, xrefs: 004064C9
%programfiles%\Mozilla Firefox, xrefs: 00406654
mozilla, xrefs: 0040651A
%s\bin, xrefs: 0040656F
PathToExe, xrefs: 00406585

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$CloseCompareCurrentDirectoryEnumEnvironmentExpandFileOpenStringsTime_snwprintf_wcsnicmpwcsrchr
String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
API String ID: 1094916163-2797892316
Opcode ID: 6fc1e2e3a791b033bf776d6d93ccb5a8b208ad6747335505a9b79a97a3079406
Instruction ID: 63e98d9b0590a06fe0611c8d8f76d67a06a86b9579f74a21c863053dc4382b5e
Opcode Fuzzy Hash: 6fc1e2e3a791b033bf776d6d93ccb5a8b208ad6747335505a9b79a97a3079406
Instruction Fuzzy Hash: F5515472D00218BAEF20EB61DC45ADFB7BCAF04354F0104A6F905F2191EB799B94CB99

Function 00408D9D Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059F7: _wcsicmp.MSVCRT ref: 00405A28

Part of subcall function 00405CF6: memset.MSVCRT ref: 00405DF2

free.MSVCRT ref: 00408F8C

Part of subcall function 00408801: _wcsicmp.MSVCRT ref: 0040881A

memset.MSVCRT ref: 00408E72

Part of subcall function 0040805C: wcslen.MSVCRT ref: 0040806F
Part of subcall function 0040805C: memcpy.MSVCRT(?,?,00000000,00000001,00401A18,Function_000434FC,?,00000001,00401A71,?,00401E44), ref: 0040808E

wcschr.MSVCRT ref: 00408EAA
memcpy.MSVCRT(?,-00000121,00000008,Function_000434FC,00000000,00000000,76F92EE0), ref: 00408EDE
memcpy.MSVCRT(?,-00000121,00000008,Function_000434FC,00000000,00000000,76F92EE0), ref: 00408EF9
memcpy.MSVCRT(?,-00000220,00000008,Function_000434FC,00000000,00000000,76F92EE0), ref: 00408F14
memcpy.MSVCRT(?,-00000220,00000008,Function_000434FC,00000000,00000000,76F92EE0), ref: 00408F2F

Strings

ModifiedTime, xrefs: 00408E42
AccessedTime, xrefs: 00408E35
Url, xrefs: 00408E4F
AccessCount, xrefs: 00408E0E
EntryID, xrefs: 00408E5C
CreationTime, xrefs: 00408E1B
, xrefs: 00408DCF
ExpiryTime, xrefs: 00408E28

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
API String ID: 3849927982-2252543386
Opcode ID: 3968a81090f0c90a0f1d759d5c6f86966b5d18dba44d1eb1d150c3d2a019c511
Instruction ID: 190f3b00b4426260eb01f26a53b79380eacfea7d83453a492e965ac02b193b52
Opcode Fuzzy Hash: 3968a81090f0c90a0f1d759d5c6f86966b5d18dba44d1eb1d150c3d2a019c511
Instruction Fuzzy Hash: 64510C72E00309AAEF10EFA5DD45A9EB7B9AF54314F14403FA544F7281EA78AA048F58

Function 004422C7 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000,00442385,?,00000000,?), ref: 004422D4
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004422E9
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004422F6
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00442303
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00442310
GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 0044231D
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044232B
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00442334

Strings

VaultEnumerateItems, xrefs: 004422F8
VaultGetItem, xrefs: 0044231F, 00442324, 0044232D
vaultcli.dll, xrefs: 004422CF
VaultGetInformation, xrefs: 00442312
VaultOpenVault, xrefs: 004422E0
VaultCloseVault, xrefs: 004422EB
VaultFree, xrefs: 00442305

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2238633743-2107673790
Opcode ID: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
Instruction ID: a68d3860b1f677998bacfaa0c7abd00484677722be3dbe7bb4ba7aced869f3e7
Opcode Fuzzy Hash: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
Instruction Fuzzy Hash: CB012874941B04AEEB306F728E88E07BEF4EF94B017108D2EE49A92A10D779A800CE14

Function 00402846 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040286E
CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00402882
CopyFileW.KERNEL32(?,?,00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004028A3
CloseHandle.KERNELBASE(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004028AE
memset.MSVCRT ref: 004028C7
DeleteFileW.KERNEL32(?,?,?,?,?,00000003,00000000,00000000), ref: 00402B1A

Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
Part of subcall function 004074C6: GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00407506

memset.MSVCRT ref: 0040293C

Part of subcall function 004027D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 0040280F
Part of subcall function 004027D7: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040283C

Part of subcall function 00407DF5: MultiByteToWideChar.KERNEL32(00000000,00000000,004029BE,000000FF,?,?,004029BE,?,?,000003FF), ref: 00407E07

Part of subcall function 00403853: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
Part of subcall function 00403853: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
Part of subcall function 00403853: FreeLibrary.KERNEL32(00000000), ref: 00403897

memset.MSVCRT ref: 00402A95
memcpy.MSVCRT(?,00000000,00000003,00000000,00000000,00000003), ref: 00402AA8
LocalFree.KERNEL32(00000000,?,?,000000FF,?,?,?,00000000,00000000,00000003), ref: 00402AD2

Strings

chp, xrefs: 0040288D
SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00402908

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$Timememset$FreeLibraryLocalTemp$AddressByteCharCloseCopyCreateDeleteDirectoryHandleLoadMulusermePathProcSystemWideWindowsmemcpy
String ID: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp
API String ID: 3056168783-1844170479
Opcode ID: c551c8ead9241b310b8bcb9c6efc278ae78950a419ddbbe9be8331bb2a37ce42
Instruction ID: e637edadd966e00c71b87c8ff6cc297e5f4b8f19ec80fc414d035a4907c068e8
Opcode Fuzzy Hash: c551c8ead9241b310b8bcb9c6efc278ae78950a419ddbbe9be8331bb2a37ce42
Instruction Fuzzy Hash: 37815172D001186BDB11EBA59D46BEEB7BCAF04304F5404BAF509F7281EB786F448B69

Function 0040F0D5 Relevance: 21.2, APIs: 12, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040F0F8
memset.MSVCRT ref: 0040F10D
memset.MSVCRT ref: 0040F122
memset.MSVCRT ref: 0040F137
memset.MSVCRT ref: 0040F14C

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E

wcslen.MSVCRT ref: 0040F172
wcslen.MSVCRT ref: 0040F183
wcslen.MSVCRT ref: 0040F1BB
wcslen.MSVCRT ref: 0040F1C9
wcslen.MSVCRT ref: 0040F202
wcslen.MSVCRT ref: 0040F210
memset.MSVCRT ref: 0040F296

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Mozilla\SeaMonkey\Profiles, xrefs: 0040F16D, 0040F19A, 0040F1B6, 0040F1E1
Mozilla\SeaMonkey, xrefs: 0040F1FD, 0040F228

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
API String ID: 2775653040-2068335096
Opcode ID: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
Instruction ID: ad2d2467b554b91bbb49091aa47d9e820c56345a74be7af74479530b55ef6358
Opcode Fuzzy Hash: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
Instruction Fuzzy Hash: 2A514472905219AADB20E751DD86ECF73BC9F44344F5004FBF109F6181EBB96B888B69

Function 0040F2E6 Relevance: 21.2, APIs: 12, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040F309
memset.MSVCRT ref: 0040F31E
memset.MSVCRT ref: 0040F333
memset.MSVCRT ref: 0040F348
memset.MSVCRT ref: 0040F35D

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E

wcslen.MSVCRT ref: 0040F383
wcslen.MSVCRT ref: 0040F394
wcslen.MSVCRT ref: 0040F3CC
wcslen.MSVCRT ref: 0040F3DA
wcslen.MSVCRT ref: 0040F413
wcslen.MSVCRT ref: 0040F421
memset.MSVCRT ref: 0040F4A7

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Mozilla\Firefox, xrefs: 0040F40E, 0040F439
Mozilla\Firefox\Profiles, xrefs: 0040F37E, 0040F3AB, 0040F3C7, 0040F3F2

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
API String ID: 2775653040-3369679110
Opcode ID: ac2960c7c8775963d9ae5b6668c4b7d17b3d9d294ecd60d63349e7bf8572b4d3
Instruction ID: 627aa7309af3ce9e50a65207db29ad7cec2a96110015b88e099c10597549be0d
Opcode Fuzzy Hash: ac2960c7c8775963d9ae5b6668c4b7d17b3d9d294ecd60d63349e7bf8572b4d3
Instruction Fuzzy Hash: B15174729052196ADB20EB51CD85ECF73BC9F54304F5004FBF508F2081EBB96B888B69

Function 00408619 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004037C3: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00408635,?,00000000,?), ref: 004037D0
Part of subcall function 004037C3: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004037E9
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredFree), ref: 004037F5
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403801
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040380D
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403819

CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 00408652
wcslen.MSVCRT ref: 00408678
wcsncmp.MSVCRT ref: 004086AE
memset.MSVCRT ref: 00408725
memcpy.MSVCRT(?,?,?,?,00000001,?,?,00000000,?), ref: 00408746
_wcsnicmp.MSVCRT ref: 0040878B
wcschr.MSVCRT ref: 004087B3
LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 004087D7

Strings

J, xrefs: 004086F6
Microsoft_WinInet_, xrefs: 00408785
Microsoft_WinInet, xrefs: 0040866A

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$CredEnumerateFreeLibraryLoadLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
String ID: J$Microsoft_WinInet$Microsoft_WinInet_
API String ID: 1313344744-1864008983
Opcode ID: 212f3f294c9ab8b83a3dc136b78cffcc3e5b2f11c9e98eede468f190287508d3
Instruction ID: ae9214853af189039b11f9ecdcfbf9e5a6a1e8940f9aa775dff38fc8017bd4cb
Opcode Fuzzy Hash: 212f3f294c9ab8b83a3dc136b78cffcc3e5b2f11c9e98eede468f190287508d3
Instruction Fuzzy Hash: E45129B5D00209AFDB20DFA4C981A9EB7F8FF08304F14446EE959F7241EB34A945CB19

Function 00442628 Relevance: 18.1, APIs: 12, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00443490,00000070), ref: 00442637
__set_app_type.MSVCRT ref: 00442696
__p__fmode.MSVCRT ref: 004426AB
__p__commode.MSVCRT ref: 004426B9
__setusermatherr.MSVCRT ref: 004426E5
_initterm.MSVCRT ref: 004426FB
__wgetmainargs.KERNELBASE ref: 0044271E
_initterm.MSVCRT ref: 00442731
GetStartupInfoW.KERNEL32(?), ref: 0044278E
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004427B4
exit.KERNELBASE ref: 004427CB
_cexit.MSVCRT ref: 004427D1

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 2058148763841eb6e814cfbd421e32e46215803419e112ecbbbfb28c93f0ce14
Instruction ID: 706d3d187beade5fd8be42c29aa928e65c4a76933a7b40434c1f532ca5c4ff1d
Opcode Fuzzy Hash: 2058148763841eb6e814cfbd421e32e46215803419e112ecbbbfb28c93f0ce14
Instruction Fuzzy Hash: 1E51C674C00305DFEB21AF64DA44AADB7B4FB05B15FA0422BF811A7291D7B84982CF5C

Function 00409508 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040952C

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 004090DF: memset.MSVCRT ref: 00409102
Part of subcall function 004090DF: memset.MSVCRT ref: 0040911A
Part of subcall function 004090DF: wcslen.MSVCRT ref: 00409136
Part of subcall function 004090DF: wcslen.MSVCRT ref: 00409145
Part of subcall function 004090DF: wcslen.MSVCRT ref: 0040918C
Part of subcall function 004090DF: wcslen.MSVCRT ref: 0040919B

Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401DDF), ref: 004085F4

FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 004095A1
wcschr.MSVCRT ref: 004095B8
wcschr.MSVCRT ref: 004095D8
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 004095FD
GetLastError.KERNEL32 ref: 00409607
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 00409633
FindCloseUrlCache.WININET(?), ref: 00409644

Strings

visited:, xrefs: 0040959C

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CacheFindwcslen$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
String ID: visited:
API String ID: 615219573-1702587658
Opcode ID: 8f876ec4458d3f1ed4e4dc218a1084821821df0a90adecac85d6e07ab5b1aeff
Instruction ID: 77a6c5406e07bb2a3f369751b76910ce3bd9900599f044f3c0855e39104cf3e1
Opcode Fuzzy Hash: 8f876ec4458d3f1ed4e4dc218a1084821821df0a90adecac85d6e07ab5b1aeff
Instruction Fuzzy Hash: 7F417F72D00219BBDB11DF95CD85A9EBBB8EF05714F10406AE505F7281DB38AF41CBA8

Function 00408C67 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059F7: _wcsicmp.MSVCRT ref: 00405A28

memset.MSVCRT ref: 00408CAF

Part of subcall function 00405CF6: memset.MSVCRT ref: 00405DF2

free.MSVCRT ref: 00408D7D

Part of subcall function 00408801: _wcsicmp.MSVCRT ref: 0040881A

Part of subcall function 00408116: wcslen.MSVCRT ref: 00408125
Part of subcall function 00408116: _memicmp.MSVCRT ref: 00408153

_snwprintf.MSVCRT ref: 00408D49

Part of subcall function 00407EDE: wcslen.MSVCRT ref: 00407EF0
Part of subcall function 00407EDE: free.MSVCRT ref: 00407F16
Part of subcall function 00407EDE: free.MSVCRT ref: 00407F39
Part of subcall function 00407EDE: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F5D

Strings

Name, xrefs: 00408CFB
Container_%I64d, xrefs: 00408D38
, xrefs: 00408CCA
Containers, xrefs: 00408C87
ContainerId, xrefs: 00408CEE

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
String ID: $ContainerId$Container_%I64d$Containers$Name
API String ID: 2804212203-2982631422
Opcode ID: 09aae5b0b0c39f723feed05769d2c33e4e37e3ecce69608b47f5a2af3b34356b
Instruction ID: ce292a4a65043f2a6a20625204029b960355a9169e5f8c073e361fa6e4a76ec5
Opcode Fuzzy Hash: 09aae5b0b0c39f723feed05769d2c33e4e37e3ecce69608b47f5a2af3b34356b
Instruction Fuzzy Hash: 1E313E72D00219AADF50EFA5DD85ADEB7B8AF04354F50017FA508B21C1DE78AE458F68

Function 00409A34 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00407EB8: free.MSVCRT ref: 00407EBB
Part of subcall function 00407EB8: free.MSVCRT ref: 00407EC3

Part of subcall function 00408037: free.MSVCRT ref: 0040803E

Part of subcall function 00409508: memset.MSVCRT ref: 0040952C
Part of subcall function 00409508: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 004095A1
Part of subcall function 00409508: wcschr.MSVCRT ref: 004095B8
Part of subcall function 00409508: wcschr.MSVCRT ref: 004095D8
Part of subcall function 00409508: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 004095FD
Part of subcall function 00409508: GetLastError.KERNEL32 ref: 00409607

Part of subcall function 00409657: memset.MSVCRT ref: 004096C7
Part of subcall function 00409657: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 004096F5
Part of subcall function 00409657: _wcsupr.MSVCRT ref: 0040970F
Part of subcall function 00409657: memset.MSVCRT ref: 0040975E
Part of subcall function 00409657: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 00409789

Part of subcall function 004038C4: LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F

_wcslwr.MSVCRT ref: 00409AFC
wcslen.MSVCRT ref: 00409B11

Strings

/, xrefs: 00409B31
http://www.facebook.com/, xrefs: 00409A83
/, xrefs: 00409B1D
https://login.yahoo.com/config/login, xrefs: 00409A90
https://www.google.com/accounts/servicelogin, xrefs: 00409A76

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$freememset$CacheEntryEnumFindValuewcschr$ErrorFirstLastLibraryLoadNext_wcslwr_wcsuprwcslen
String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
API String ID: 4091582287-4196376884
Opcode ID: 3dd2327b6272305899ca924f4fa588c8789c804827c02355519b96a796539c20
Instruction ID: 093a45ac9553ae88d2071121675ee446b985e814abadd75c8d2b77a0ae050712
Opcode Fuzzy Hash: 3dd2327b6272305899ca924f4fa588c8789c804827c02355519b96a796539c20
Instruction Fuzzy Hash: F731D872A1015466CB20BB6ACC4599F77A8AF80344B25087AF804B72C3CBBCEE45D699

Function 004090DF Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409102
memset.MSVCRT ref: 0040911A

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

wcslen.MSVCRT ref: 00409136
wcslen.MSVCRT ref: 00409145
wcslen.MSVCRT ref: 0040918C
wcslen.MSVCRT ref: 0040919B

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 00409187, 004091AF
Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00409130, 00409135, 0040915E

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
API String ID: 2036768262-2114579845
Opcode ID: 9b210f72750b98862afc15587b3a75268b6b997e6569292da8b093e0b4a2481a
Instruction ID: 077c1189ed55963ee46c09665a9aee7869ceb3b17950e6b23e47196ee9b08e55
Opcode Fuzzy Hash: 9b210f72750b98862afc15587b3a75268b6b997e6569292da8b093e0b4a2481a
Instruction Fuzzy Hash: 0B21D972A4411D66E710E651DC85DDF73ACAF14354F5008BFF505E2082FAB89F844A6D

Function 00441683 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 219COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000048,00446E40,0000002C), ref: 00441734

Strings

main, xrefs: 00441866
NOCASE, xrefs: 004417F7
no such vfs: %s, xrefs: 0044177E
RTRIM, xrefs: 004417C6
BINARY, xrefs: 0044179D, 004417A2, 004417AE, 004417BA, 004417DF
temp, xrefs: 00441876

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
API String ID: 3510742995-2641926074
Opcode ID: 12bdf7202536433b73b7b7e7b2d6f63e6cc165494f09a719a239059ada246e86
Instruction ID: 3c8b5220aebea45aa68cfe54a9ecef019ebf38e5b75abdf02c998a5d3c6681b4
Opcode Fuzzy Hash: 12bdf7202536433b73b7b7e7b2d6f63e6cc165494f09a719a239059ada246e86
Instruction Fuzzy Hash: 8E71D4B1600301BFF310AF16DCC1A6ABB98BB45318F14452FF459DB252D7B9A8D18B99

Function 0040320A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00402778: free.MSVCRT ref: 0040277F

Part of subcall function 00410168: memset.MSVCRT ref: 004101DA
Part of subcall function 00410168: wcsrchr.MSVCRT ref: 004101F2
Part of subcall function 00410168: memset.MSVCRT ref: 004102D9

Part of subcall function 0040FF51: SetCurrentDirectoryW.KERNEL32(?,?,?,00403292,?), ref: 0040FF9E

memset.MSVCRT ref: 0040330A
memcpy.MSVCRT(?,00000000,00001002), ref: 0040331C
wcscmp.MSVCRT ref: 00403348
_wcsicmp.MSVCRT ref: 00403385

Strings

J/@, xrefs: 004032EC
, xrefs: 00403235

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
String ID: $J/@
API String ID: 1763786148-830378395
Opcode ID: 3e2635990ef3ae62cb2be14a81d094d65f482a135f1bd9a19b0151f057080487
Instruction ID: 978c6ac20941b4c482f16f8c8dbf1af5ea5d331337d981433e161efedc4cfbbc
Opcode Fuzzy Hash: 3e2635990ef3ae62cb2be14a81d094d65f482a135f1bd9a19b0151f057080487
Instruction Fuzzy Hash: 36416B71A083819AD730DF61C945A9BB7E8AF85315F004C3FE88D93681EB7896498B5B

Function 0040EDFA Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 0040F026: memset.MSVCRT ref: 0040F042
Part of subcall function 0040F026: memset.MSVCRT ref: 0040F057
Part of subcall function 0040F026: wcscat.MSVCRT ref: 0040F080
Part of subcall function 0040F026: wcscat.MSVCRT ref: 0040F0A9

memset.MSVCRT ref: 0040EE42
wcslen.MSVCRT ref: 0040EE59
wcslen.MSVCRT ref: 0040EE61
wcslen.MSVCRT ref: 0040EEBC
wcslen.MSVCRT ref: 0040EECA

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

history.dat, xrefs: 0040EE22, 0040EE5E, 0040EE70
places.sqlite, xrefs: 0040EEC3, 0040EED8

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$memsetwcscat$wcscpy
String ID: history.dat$places.sqlite
API String ID: 2541527827-467022611
Opcode ID: aa9bc2c37030d368e81c4810d71f0128bb751f7763ce2d8d4360e2c5eeceedff
Instruction ID: 5a7552f2f2193819142f663f69cd0b376b18013dc8e05bcebec127321fadfdaa
Opcode Fuzzy Hash: aa9bc2c37030d368e81c4810d71f0128bb751f7763ce2d8d4360e2c5eeceedff
Instruction Fuzzy Hash: AD315232D0411DAADF10EBA6D845ACDB3B8AF00319F6048BBE514F21C1E77CAA45CF59

Function 00410075 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410097
wcslen.MSVCRT ref: 004100A2
wcslen.MSVCRT ref: 004100B0
wcslen.MSVCRT ref: 00410105
wcslen.MSVCRT ref: 00410113

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Web Data, xrefs: 004100A8, 004100AD, 004100C3
Login Data, xrefs: 0041010B, 00410110, 00410121

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$memsetwcscatwcscpy
String ID: Login Data$Web Data
API String ID: 3932597654-4228647177
Opcode ID: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
Instruction ID: 391ffb8f75831278f4964df5f57522d74f6eb7522eeef9a3bb7e860aca09f0fd
Opcode Fuzzy Hash: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
Instruction Fuzzy Hash: 3621B83294411C7BDB10AB55DC89ACA73ACAF10368F10487BF418E6181EBF9AEC48A5C

Function 00415BAE Relevance: 9.1, APIs: 6, Instructions: 140fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,-7FBEAA6E,00000003,00000000,?,?,00000000), ref: 00415C86
CreateFileA.KERNEL32(?,-7FBEAA6E,00000003,00000000,00415512,00415512,00000000), ref: 00415C9E
GetLastError.KERNEL32 ref: 00415CAD
free.MSVCRT ref: 00415CBA

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile$ErrorLastfree
String ID:
API String ID: 77810686-0
Opcode ID: d3d8bbc7ba5a79f8a342b38920b53c153f9ef9857e0a0710124ad1068db44a69
Instruction ID: e414679dc355763f7cb5844f7b2dc3c916de6b309c6ec43d815c5638ef366406
Opcode Fuzzy Hash: d3d8bbc7ba5a79f8a342b38920b53c153f9ef9857e0a0710124ad1068db44a69
Instruction Fuzzy Hash: 7741D0B1508701EFE7109F25EC4169BBBE5EFC4324F14892EF49596290E378D9848B96

Function 0040F026 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F042
memset.MSVCRT ref: 0040F057

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 0040719A: wcslen.MSVCRT ref: 0040719B
Part of subcall function 0040719A: wcscat.MSVCRT ref: 004071B3

wcscat.MSVCRT ref: 0040F080

Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E

wcscat.MSVCRT ref: 0040F0A9

Strings

Mozilla\Profiles, xrefs: 0040F07A
Mozilla\Firefox\Profiles, xrefs: 0040F0A3

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 1534475566-1174173950
Opcode ID: b40f1a29007ee88b205eab30251de60a7177f83a5dcce95581a050599bf5dc33
Instruction ID: 125a097a9f26af6413fbc01dcc411eb2579d6a3fd62fad3348166db73649eeaa
Opcode Fuzzy Hash: b40f1a29007ee88b205eab30251de60a7177f83a5dcce95581a050599bf5dc33
Instruction Fuzzy Hash: BF018EB294021C75DB207B668C86ECF732CDF45358F1044BEB504E7182D9B88E888AA9

Function 00412270 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004121C3: LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
Part of subcall function 004121C3: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
memset.MSVCRT ref: 004122C9
RegCloseKey.ADVAPI32(?), ref: 00412330
wcscpy.MSVCRT ref: 0041233E

Part of subcall function 00407674: GetVersionExW.KERNEL32(00450DA8,0000001A,00412291), ref: 0040768E

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122E4, 004122F4

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2699640517-2036018995
Opcode ID: c9c64e8e2f051e8caefe2aaada980519e2fc3c71178caf599d8c015b906c46d2
Instruction ID: c2720df25ff2a98c700ebd4409fa2125fd2182e4a6debc52b8ada4298b6a052e
Opcode Fuzzy Hash: c9c64e8e2f051e8caefe2aaada980519e2fc3c71178caf599d8c015b906c46d2
Instruction Fuzzy Hash: 29110831800114BAEB24E7599E4EEEF737CEB05304F5100E7F914E2151E6B85FE5969E

Function 00411A13 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00411A2D
_snwprintf.MSVCRT ref: 00411A52
WritePrivateProfileStringW.KERNEL32(?,?,?,004495A0), ref: 00411A70
GetPrivateProfileStringW.KERNEL32(?,?,0040F73A,?,00000000,004495A0), ref: 00411A88

Strings

"%s", xrefs: 00411A41

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 1379250297118e4f09543b187cbc7d5db4505a0d7fe81e2b8f9beab2005c4772
Instruction ID: ae5f1e9df6cd2f4a0780795b96407545f38e06b3c9618b8e9942ee44aab69889
Opcode Fuzzy Hash: 1379250297118e4f09543b187cbc7d5db4505a0d7fe81e2b8f9beab2005c4772
Instruction Fuzzy Hash: 2101283240521ABAEF219F81EC05FDA3A6AFF04785F104066BA1960161D779C661EB98

Function 0041C9D5 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,00000007,00000004,00000007,?), ref: 0041CA32
memcmp.MSVCRT(?,SQLite format 3,00000010,00000007,?), ref: 0041CA5D
memcmp.MSVCRT(?,@ ,00000003,?,00000007,?), ref: 0041CAC9

Strings

@ , xrefs: 0041CAC3
SQLite format 3, xrefs: 0041CA50

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 321c330f537f46145afcffa81e667367735ed72d1b124427cbcabdf079f64c68
Instruction ID: bd67d5102a3eb66ea4de4e64a8b31fca419cb069452d494a6197ab8253893597
Opcode Fuzzy Hash: 321c330f537f46145afcffa81e667367735ed72d1b124427cbcabdf079f64c68
Instruction Fuzzy Hash: D351D1719442149FDF10DF69C8827EAB7F4AF44314F14019BE804EB346E778EA85CB99

Function 0040E0AC Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000A68,00000000,?,?,00000000,0040E36A), ref: 0040E0CE
??2@YAPAXI@Z.MSVCRT(000002DC,00000000,?,?,00000000,0040E36A), ref: 0040E0F7
DeleteObject.GDI32(?), ref: 0040E129
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,00000000,0040E36A), ref: 0040E171
LoadIconW.USER32(00000000,00000065), ref: 0040E17A

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$DeleteHandleIconLoadModuleObject
String ID:
API String ID: 659443934-0
Opcode ID: 8011550206ddb2dc108774534a209f3a3ccfe9b7d84422505c829ce805c5916c
Instruction ID: 1cba439d4a63bd06fd13ecdd31e81b6a0d9710d4e5327182bdbee0994cb59d35
Opcode Fuzzy Hash: 8011550206ddb2dc108774534a209f3a3ccfe9b7d84422505c829ce805c5916c
Instruction Fuzzy Hash: 322193B19012989FDB30EF768C496DEB7A9AF84715F10863BF80CDB241DF794A118B58

Function 00409F53 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,0040A003,0040B09A,?,0040E241,00000000,00000000,?), ref: 00409F8D
??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040A003,0040B09A,?,0040E241,00000000,00000000,?), ref: 00409FAB
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040A003,0040B09A,?,0040E241,00000000,00000000,?), ref: 00409FC9
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040A003,0040B09A,?,0040E241,00000000,00000000,?), ref: 00409FE7

Strings

8N_, xrefs: 00409FEF

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@
String ID: 8N_
API String ID: 1033339047-1075266516
Opcode ID: 6aa46ae1d8c9445a9210858e0e2028d810c6148e0e2ef15dbc7156f8f0a2735d
Instruction ID: 97910a1e78d05b4995072b8892bf30812772bdb2f497aa37043254e3fee4362a
Opcode Fuzzy Hash: 6aa46ae1d8c9445a9210858e0e2028d810c6148e0e2ef15dbc7156f8f0a2735d
Instruction Fuzzy Hash: AB01DEB16523406FEB58DB39EE67B2A66949B58351F48453EF207C91F6EAB4C840CA08

Function 00408FA4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00408B10: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00408B85
Part of subcall function 00408B10: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00408BA4
Part of subcall function 00408B10: DuplicateHandle.KERNEL32(00000000,00000104,00000000), ref: 00408BB1
Part of subcall function 00408B10: GetFileSize.KERNEL32(00000000,00000000), ref: 00408BC6
Part of subcall function 00408B10: CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00408BF0
Part of subcall function 00408B10: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 00408C05
Part of subcall function 00408B10: WriteFile.KERNEL32(?,00000000,00000104,004091EB,00000000), ref: 00408C20
Part of subcall function 00408B10: UnmapViewOfFile.KERNEL32(00000000), ref: 00408C27
Part of subcall function 00408B10: CloseHandle.KERNEL32(?), ref: 00408C30

CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409074

Part of subcall function 00408D9D: memset.MSVCRT ref: 00408E72
Part of subcall function 00408D9D: wcschr.MSVCRT ref: 00408EAA
Part of subcall function 00408D9D: memcpy.MSVCRT(?,-00000121,00000008,Function_000434FC,00000000,00000000,76F92EE0), ref: 00408EDE

DeleteFileW.KERNEL32(?,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409095
CloseHandle.KERNEL32(000000FF,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 004090BC

Part of subcall function 00408C67: memset.MSVCRT ref: 00408CAF
Part of subcall function 00408C67: _snwprintf.MSVCRT ref: 00408D49
Part of subcall function 00408C67: free.MSVCRT ref: 00408D7D

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00408FB4

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat
API String ID: 1979745280-1514811420
Opcode ID: 296897d7b9fc56a1ed802aa42710325314df0d67c48e9c21b811ee4e31976f5b
Instruction ID: f61eabc5127fffa0127996e1b9e76e3c42d0daca9916cdcd83e0194a9dfe4be1
Opcode Fuzzy Hash: 296897d7b9fc56a1ed802aa42710325314df0d67c48e9c21b811ee4e31976f5b
Instruction Fuzzy Hash: 10314CB1C006289BCF60DFA5CD855CEFBB8AF40315F1002ABA518B31A2DB756E85CF59

Function 0040CFDE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040CFFF
qsort.MSVCRT ref: 0040D0A9

Strings

/sort, xrefs: 0040CFFA
/nosort, xrefs: 0040D05F

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: b8bcc0ce675c29f22b0227198f2ab65a41989cf9845e13ce1ccf23b6e43e1f16
Instruction ID: 426287280b2395c37d482f654794667c251e21b6a2c3e86ec69022cc6db77350
Opcode Fuzzy Hash: b8bcc0ce675c29f22b0227198f2ab65a41989cf9845e13ce1ccf23b6e43e1f16
Instruction Fuzzy Hash: 4821F8317006019FD714AB75C981E55B3A9FF95318F01053EF519A72D2CB7ABC11CB9A

Function 00409EB8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004117E3: FreeLibrary.KERNELBASE(?,00409EC4,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 004117EF

LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC

Strings

pstorec.dll, xrefs: 00409EC4
PStoreCreateInstance, xrefs: 00409ED6

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: PStoreCreateInstance$pstorec.dll
API String ID: 145871493-2881415372
Opcode ID: 0c221e4a7068c4d6934d41343829b8b78c46c2a8619205bb2734fd8b0e3e91f3
Instruction ID: b7b877f0cca51cf4ed89ca0d343beedc6eb81d3109fbfde12955c258fb57ec89
Opcode Fuzzy Hash: 0c221e4a7068c4d6934d41343829b8b78c46c2a8619205bb2734fd8b0e3e91f3
Instruction Fuzzy Hash: 4DF0E2713047035BE7206BB99C45B9776E85F40715F10842EB126D16E2DBBCD9808BA9

Function 00411EF8 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 00411F05
SizeofResource.KERNEL32(?,00000000), ref: 00411F16
LoadResource.KERNEL32(?,00000000), ref: 00411F26
LockResource.KERNEL32(00000000), ref: 00411F31

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: adc4f220f09edc5477cff5d460e3159a0013e7b06a0f572b2b282906cd572301
Instruction ID: cfb809c5d0a350ba8a2f28afb84d758f7034e38599ab5d81eab5ea4ee58a4c6c
Opcode Fuzzy Hash: adc4f220f09edc5477cff5d460e3159a0013e7b06a0f572b2b282906cd572301
Instruction Fuzzy Hash: 140192367042156BCB295FA5DC4999BBFAEFF867917088036F909C7331DB30D941C688

Function 0043800C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 967COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043804F
memset.MSVCRT ref: 004383F8

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 004380DE

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset
String ID: only a single result allowed for a SELECT that is part of an expression
API String ID: 2221118986-1725073988
Opcode ID: fea911689c87fcb8dadeea6a797f322e67ae447bf2e03149324d6587d0a0c1b4
Instruction ID: 9afff8ac9fdfbc15a9c7ae9a6e2295b57ef319e934304d2411a679509b53bb08
Opcode Fuzzy Hash: fea911689c87fcb8dadeea6a797f322e67ae447bf2e03149324d6587d0a0c1b4
Instruction Fuzzy Hash: 36826971A00318AFDF25DF69C881AAEBBA1EF08318F14511EFD1597292DB79E841CB94

Function 0041C702 Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041C7B0

Strings

5lA, xrefs: 0041C8A3
BINARY, xrefs: 0041C70E

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset
String ID: 5lA$BINARY
API String ID: 2221118986-2383938406
Opcode ID: 5c1320cbab28b8c6fe770ef48558482079ba1b310d7c10d9b0a426fab7bf5df3
Instruction ID: bfb3245fc00688105b1f81726e77846e409aff0e69a2cb21cfce066b793b8303
Opcode Fuzzy Hash: 5c1320cbab28b8c6fe770ef48558482079ba1b310d7c10d9b0a426fab7bf5df3
Instruction Fuzzy Hash: 52519C719443459FDB21DF68C8C1AEA7BE4AF08351F14446FE859CB381D778D980CBA9

Function 00414E1C Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00414D9F: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00414DC0
Part of subcall function 00414D9F: GetLastError.KERNEL32 ref: 00414DD1
Part of subcall function 00414D9F: GetLastError.KERNEL32 ref: 00414DD7

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00414E4C
GetLastError.KERNEL32 ref: 00414E56

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 3b8e0b6f2cdf357378df206a5466dbf18c64a2966c614271076d748b4fcb6fba
Instruction ID: 78f6fc62e556ae6391f2b7d02d7635eeebb8002b3cc976368f6d55ef40470767
Opcode Fuzzy Hash: 3b8e0b6f2cdf357378df206a5466dbf18c64a2966c614271076d748b4fcb6fba
Instruction Fuzzy Hash: 20016D36244305BBEB108F65EC45BEB7B6CFB95761F100427F908D6240E774ED908AE9

Function 00414D9F Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00414DC0
GetLastError.KERNEL32 ref: 00414DD1
GetLastError.KERNEL32 ref: 00414DD7

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 77788fb3081b482f24613af2ac918d7e659f5b9ca52062a4a7545bad1632a255
Instruction ID: ce6d17c8e1bf95b997c08e1a60c9ed70337bd99ba9d8843779863386e1f48c80
Opcode Fuzzy Hash: 77788fb3081b482f24613af2ac918d7e659f5b9ca52062a4a7545bad1632a255
Instruction Fuzzy Hash: 16F03936A10119BBCF009F74EC019EA7BA8EB45760B104726E822E6690EB30EA409AD4

Function 0040797A Relevance: 4.5, APIs: 3, Instructions: 26filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,0040EDAE,00000000,?,00000000,?,00000000), ref: 00407992
GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004079A6
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004101ED), ref: 004079AF

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 041c31d9e9407fe9e03cbdecb7ea826a160ca95df4d7bd98ee38a75b77e0e8fe
Instruction ID: e6bbff5c08a4198af29315d7d42b7ef31a127eb680a29a9dbd76eb9c303c227a
Opcode Fuzzy Hash: 041c31d9e9407fe9e03cbdecb7ea826a160ca95df4d7bd98ee38a75b77e0e8fe
Instruction Fuzzy Hash: 17E04F3620025077E7311B26AC0DF4B6EA9EBC7F22F250629FA11A21E0D6604A11C678

Function 00407475 Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407491
memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074A9
free.MSVCRT ref: 004074B2

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: a552214b4f396ffe3b978ec953857254dfa688d2005ab474b6786e0315961ce8
Instruction ID: e360d5709d2f3202c1ca25caae3d4aa805c65bf3858a1f44a91d23c9b12a71fe
Opcode Fuzzy Hash: a552214b4f396ffe3b978ec953857254dfa688d2005ab474b6786e0315961ce8
Instruction Fuzzy Hash: FFF0E972A082229FD708EB75A94180B779DAF44364710442FF404E3281D738AC40C7A9

Function 0044233C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,0040FF66,?,?,00403292,?), ref: 0044234D

Strings

Lh@, xrefs: 00442344

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: Lh@
API String ID: 3664257935-1564020105
Opcode ID: 9d0562313ed05c1077c8e865d76b3287021ad506fa066eb96027120c77a5f393
Instruction ID: 76fd25b73cfe59c43d76c33e9e0e0ec1b0c89da13299cefcee144e01fa2b623b
Opcode Fuzzy Hash: 9d0562313ed05c1077c8e865d76b3287021ad506fa066eb96027120c77a5f393
Instruction Fuzzy Hash: 33E0F6B5900B008F93308F2BE944407FBF9BFE56113108E1FE4AAC2A24C3B4A6458F54

Function 00407B93 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

Strings

5"D, xrefs: 00407BA1

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 5"D
API String ID: 2738559852-199376320
Opcode ID: ff886d5e1a4997402200634e3e0df398fd9a7f66ba8de1bb0dfe65b9a394ad27
Instruction ID: b1f5ca1499e8e2fa5163bdfa5e58581682f5a8fdc606d8935362a09f0a3b37d8
Opcode Fuzzy Hash: ff886d5e1a4997402200634e3e0df398fd9a7f66ba8de1bb0dfe65b9a394ad27
Instruction Fuzzy Hash: 46D0923501020DBBDF018F80DC06B997B6DEB0575AF108054BA0095060C7759A10AB64

Function 004349F1 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

d, xrefs: 00434BB1

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 517c0493c2b8c096f9ee19803c23be0c64cd4e098d133ab64b39e574cf884c8f
Instruction ID: 01fd0a19dca965820be780cd5e1a180e940d32085fcd4292c33d665daa4a4ca3
Opcode Fuzzy Hash: 517c0493c2b8c096f9ee19803c23be0c64cd4e098d133ab64b39e574cf884c8f
Instruction Fuzzy Hash: B7819D716083519FCB10EF1AC84169FBBE0AFC8318F15592FF88497251D778EA85CB9A

Function 0040E227 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040E274

Strings

/stext, xrefs: 0040E26F

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID: /stext
API String ID: 2081463915-3817206916
Opcode ID: e7410df3178ec06b149dd267b323e01f272d5e4eb36cc30877f85b29a899849a
Instruction ID: 5da650caeba3f583edd317abe6dc9e2273d49bc4fc560570e2d9775ed52fc578
Opcode Fuzzy Hash: e7410df3178ec06b149dd267b323e01f272d5e4eb36cc30877f85b29a899849a
Instruction Fuzzy Hash: 37218170B00105AFD704FFAA89C1A9DB7A9BF94304F1045BEE415F7382DB79AD218B59

Function 0040946C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

index.dat, xrefs: 004094CB

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$FileFindFirst
String ID: index.dat
API String ID: 1858513025-427268347
Opcode ID: b5a9187b74a8ffb00ae391732f5c189a4998f68d39988537941cb2dcf05d029e
Instruction ID: ea6e303a67c95597c7ba2300e155a691c3aaaa96276431a044c3ae834a976286
Opcode Fuzzy Hash: b5a9187b74a8ffb00ae391732f5c189a4998f68d39988537941cb2dcf05d029e
Instruction Fuzzy Hash: 8601527180526999EB20E662CD426DE727CAF00314F1041BBA858F21D2EB3CDF868F4D

Function 004161B0 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004161BB
GetSystemInfo.KERNELBASE(00451CE0,?,00000000,00440C34,00000000,?,?,00000003,00000000,00000000), ref: 004161C4

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: b2614796881ddab84da0c6407dc57915020354a4b010b0c78962ddc3b3495293
Instruction ID: 01e0680712ac90f889d23e176cd2934d89dbbab4f1fad96818c53916f6f4ffc6
Opcode Fuzzy Hash: b2614796881ddab84da0c6407dc57915020354a4b010b0c78962ddc3b3495293
Instruction Fuzzy Hash: D6E02230A0062067E3217732BE07FCF22848F02348F00403BFA00DA366F6AC881506ED

Function 00412B2E Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00412B3D

Strings

failed to allocate %u bytes of memory, xrefs: 00412B57

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: malloc
String ID: failed to allocate %u bytes of memory
API String ID: 2803490479-1168259600
Opcode ID: 5b5a248cf51c062ed88202fa4447692d12f7a24d46f4087129949bf54e3fefc0
Instruction ID: 83e647f58a001b4b33716092e1dc9084e7a57e1649cb419fd0ecfe0012ae2b1c
Opcode Fuzzy Hash: 5b5a248cf51c062ed88202fa4447692d12f7a24d46f4087129949bf54e3fefc0
Instruction Fuzzy Hash: B1E026B7F4561267C2004F1AEC019866790AFC032171A063BF92CD7380D678E9A683A9

Function 0041946A Relevance: 2.7, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041960E
memcmp.MSVCRT(0000006B,?,00000010,?,?,?,?,?,?,?,?,0041C9E4,00000007,?), ref: 00419620

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: 025fdd92005a470daeaaf52f40e6be84491494a20acb6a1a3520ba0441d5af98
Instruction ID: 09c6ddd7a7fbafff04f5e46546a8ec227a467f18660dcb1fea67ae87f7adc2a4
Opcode Fuzzy Hash: 025fdd92005a470daeaaf52f40e6be84491494a20acb6a1a3520ba0441d5af98
Instruction Fuzzy Hash: EB6170B1E05205FFDB11EFA489A09EEB7B8AB04308F14806FE108E3241D7789ED5DB59

Function 0040C5B3 Relevance: 2.6, APIs: 2, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 0040B1B3: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,0040CBD1,?), ref: 0040B1D4
Part of subcall function 0040B1B3: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,0040CBD1,?), ref: 0040B29B

GetStdHandle.KERNEL32(000000F5,?,00000000,00000001,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040C5DC
CloseHandle.KERNELBASE(00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000), ref: 0040C6E9

Part of subcall function 0040715D: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F

Part of subcall function 004071BD: GetLastError.KERNEL32(00000000,?,0040C6FE,00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004071D1
Part of subcall function 004071BD: _snwprintf.MSVCRT ref: 004071FE
Part of subcall function 004071BD: MessageBoxW.USER32(?,?,Error,00000030), ref: 00407217

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
String ID:
API String ID: 1381354015-0
Opcode ID: 437b4ee2f0eb5be7c77dedbcd6cde51050b7bc30ff96baad5e2726301dc593ae
Instruction ID: 8008e0f7e2c68a0a7dbf7afa260ddf7c08443fea941bd9d01fd0dc6d198c04cd
Opcode Fuzzy Hash: 437b4ee2f0eb5be7c77dedbcd6cde51050b7bc30ff96baad5e2726301dc593ae
Instruction Fuzzy Hash: 82415F31B00100EBCB359F69C8C9E5E76A5AF45710F215A2BF406A73D1CB7AAD80CA5D

Function 004098C2 Relevance: 2.6, APIs: 2, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 004038C4: LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F

wcslen.MSVCRT ref: 00409901
memset.MSVCRT ref: 00409980

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadmemsetwcslen
String ID:
API String ID: 1960736289-0
Opcode ID: 4e256b32b087a2d54a013736d5ec90ac317bbbafb522d715d277fbd7e177f48e
Instruction ID: eeeebaecff14eb5a2c3d0f3031068d4b6d2ebef8e1bb4496a3092dc18c5c1f6a
Opcode Fuzzy Hash: 4e256b32b087a2d54a013736d5ec90ac317bbbafb522d715d277fbd7e177f48e
Instruction Fuzzy Hash: C0318172510249BBCF11EFA5CCC19EE77B9AF48304F14887EF505B7282D638AE499B64

Function 0042D857 Relevance: 2.6, APIs: 2, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042D91C
memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,0044102C,00000000,00000000,00000000,00000000,?,?,00000003,00000000,00000000), ref: 0042D93C

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 86320a4430fdaa62a7cfe41e17bad7842192f66c2505b9b7b6a14f4601f4776d
Instruction ID: 8924df9a0b73475da4b238d73e0a6e7a22eb6b5713ba87d11c8eaeba374ce509
Opcode Fuzzy Hash: 86320a4430fdaa62a7cfe41e17bad7842192f66c2505b9b7b6a14f4601f4776d
Instruction Fuzzy Hash: CD319072E00215EBDB00DF59D981A9DB7B4FF40314F6484AAE815AF242D774EA81CBA8

Function 00414DE6 Relevance: 2.5, APIs: 2, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 00414DFF
CloseHandle.KERNELBASE(0CC483FF,00000000,00000000,0045162C,00415453,00000008,00000000,00000000,?,00415610,?,00000000), ref: 00414E08

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: bdd47c3b9fe514102062cbc93d8af5e804c2569a959601c5796dc848db78b9f9
Instruction ID: a5fc701692feba82469beb2995ebf65a4cce15204005db1f3291e32cb0673270
Opcode Fuzzy Hash: bdd47c3b9fe514102062cbc93d8af5e804c2569a959601c5796dc848db78b9f9
Instruction Fuzzy Hash: 95E0CD372006155FD7005B7CDCC09D77399AF85734725032AF261C3190C665D4424664

Function 00407EB8 Relevance: 2.5, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00407EBB
free.MSVCRT ref: 00407EC3

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: db2564747f6c9b0ce10efe63d809efe4206ca8195b6051940f8a726424b803a7
Instruction ID: 678242c8279a805cd99e0fe810509e5398187bdd4f5249f6459e69a2283f8bf1
Opcode Fuzzy Hash: db2564747f6c9b0ce10efe63d809efe4206ca8195b6051940f8a726424b803a7
Instruction Fuzzy Hash: 6AD042B0404B009FE7B1DF39D901602BBF0AB083103108D2EA0AAD2A50E775A1049F04

Function 0040ED6C Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EDFA: memset.MSVCRT ref: 0040EE42
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EE59
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EE61
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EEBC
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EECA

Part of subcall function 0040797A: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,0040EDAE,00000000,?,00000000,?,00000000), ref: 00407992
Part of subcall function 0040797A: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004079A6
Part of subcall function 0040797A: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004101ED), ref: 004079AF

CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 0040EDB8

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$File$Time$CloseCompareCreateHandlememset
String ID:
API String ID: 4204647287-0
Opcode ID: eeb16535b7e8d9903344e6e4fc87394a79dd4b2724dffbbd49d7f28440978fac
Instruction ID: 7375e5b5c48a3cf746583bdb812c6cb833081a8f043ffb24ec2f547d3e817a13
Opcode Fuzzy Hash: eeb16535b7e8d9903344e6e4fc87394a79dd4b2724dffbbd49d7f28440978fac
Instruction Fuzzy Hash: 58114C72C00219ABCF11EBA5D9419DEBBB9EF44300F20047BE801F3280D634AF44CB96

Function 00405149 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(0040511F,?,?,00000000,00000000,000000FF,0040571F,000000FF,000000FF,?,00000000,0040511F,?,?,?,0040566C), ref: 00405165

Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 8e3300ccc99ceaafd88bf63aedabe6f8cf4ec2b06029cc1f8c5137446a6ac1ce
Instruction ID: 13fe659266928e09ca291fdb8c13dcfe3ff2a23a31d494a2ddaccb8188200d23
Opcode Fuzzy Hash: 8e3300ccc99ceaafd88bf63aedabe6f8cf4ec2b06029cc1f8c5137446a6ac1ce
Instruction Fuzzy Hash: 5CE0C736100100FFE6208F08CC06F6BBBF9EBC4B00F10883EB2A49A0B1C2326812CB24

Function 00411B36 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00411B5D

Part of subcall function 004119C6: memset.MSVCRT ref: 004119E5
Part of subcall function 004119C6: _itow.MSVCRT ref: 004119FC
Part of subcall function 004119C6: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00411A0B

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: 4eb565fe38f19d9fcd3ef397b8be022b0e8b2ee90877df68a8cf7ef72faf0ee1
Instruction ID: e4974885a9e011c02de9f8347c72c3dce1736aa6ad634daf2893e710d343c839
Opcode Fuzzy Hash: 4eb565fe38f19d9fcd3ef397b8be022b0e8b2ee90877df68a8cf7ef72faf0ee1
Instruction Fuzzy Hash: ABE0B672000149AFDF125F80EC01AA97BA6FF04315F248459FA5805631D73695B0EB95

Function 00407BB2 Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040C605,00000000,00448B84,00000002,?,?,?,0040E2DC,00000000), ref: 00407BC9

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d369bb92ad7c49a717be8c21899150b55a2c28b5f26bff8a5462d106715fcbd8
Instruction ID: 7a92458e03063ade3ff171a8f73d1b131da45bdd434acd56d38c8090c64c1cda
Opcode Fuzzy Hash: d369bb92ad7c49a717be8c21899150b55a2c28b5f26bff8a5462d106715fcbd8
Instruction Fuzzy Hash: 47D0C93511020DFBDF01CF80DC06FDD7B7DEB04759F108054BA1495060D7B59B14AB54

Function 00407144 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9a929023f2c627b70a1d779166e782d06c126c11e9800125383b8a94db93c5c6
Instruction ID: 81d2dec17d2b84b4128be66cdd24e97b0dbf61b8fa3bcd6fd5fd384be9d73f32
Opcode Fuzzy Hash: 9a929023f2c627b70a1d779166e782d06c126c11e9800125383b8a94db93c5c6
Instruction Fuzzy Hash: E4C092B0240201BEFF228B10ED16F36695CD740B01F2044247E00E40E0D1A04F108924

Function 0040715D Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b3d4b136a85312aa723e3c9e2acb5816e1c60966b2ab5dba606afdc82e084c94
Instruction ID: 6739adb68e03e12f7f7c1d8ccdc83ffe2e18cb8bef7d19e3acfe4a72d1b5eace
Opcode Fuzzy Hash: b3d4b136a85312aa723e3c9e2acb5816e1c60966b2ab5dba606afdc82e084c94
Instruction Fuzzy Hash: 49C092F02502017EFF208B10AD0AF37695DD780B01F2084207E00E40E0D2A14C008924

Function 00408604 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00000000,00401A20,Function_000434FC,?,00000001,00401A71,?,00401E44), ref: 0040860B

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 7a03e879792b5fe31c33d7af5755a579040ef1194e7f819d695dad1928dde993
Instruction ID: b86fd1081c12c971c14e25096d529e9df9055785cb1c99d48f6af2a57df14557
Opcode Fuzzy Hash: 7a03e879792b5fe31c33d7af5755a579040ef1194e7f819d695dad1928dde993
Instruction Fuzzy Hash: D3C09BB15127015BFB345E15D50571273E45F50727F354C1DB4D1D24C2DB7CD4408518

Function 004084DA Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,004083EE,?,00000000,00000000,?,00410708,?), ref: 004084E4

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: ce138f875d3acdc4bfbe17b30e16d53cb8f2c6707e5d1d9850a648f01b786906
Instruction ID: a26663696ee19f03613d77843e46d9f39b2dea1a9069363f3edb82d48ea13a69
Opcode Fuzzy Hash: ce138f875d3acdc4bfbe17b30e16d53cb8f2c6707e5d1d9850a648f01b786906
Instruction Fuzzy Hash: FFC092346205028BE23C5F38AD5A82A77E0BF4A3313B40F6CA0F3D20F0EB3884428A04

Function 004117E3 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00409EC4,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 004117EF

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0e5244a652f8a00c19ee35b2b6df8d293c0f8fc24debe18f1969453427d3ee92
Instruction ID: 28a9858cfff7e6e2b1914a1c804994c03dcb5394f8963e6e43683e707f81cfe3
Opcode Fuzzy Hash: 0e5244a652f8a00c19ee35b2b6df8d293c0f8fc24debe18f1969453427d3ee92
Instruction Fuzzy Hash: 83C04C351107028BE7218B12C849753B7F8BB00717F40C818A566859A0D77CE454CE18

Function 00411F7E Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNELBASE(?,?,00411EF8,00000000), ref: 00411F8D

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: ad90743229005492c5e374903a2f61f35334675862818203282ec323c157130c
Instruction ID: 6c621939844f31da33ced499d0f7f7abb962291178acb537878d9391fa7c1b50
Opcode Fuzzy Hash: ad90743229005492c5e374903a2f61f35334675862818203282ec323c157130c
Instruction Fuzzy Hash: C8C09B32194342BBD7019F508C05F1B7A95BB55703F104C297561940B0C75140549605

Function 00407548 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040A987,?,0040AA3E,00000000,?,00000000,00000208,?), ref: 0040754C

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 201396fe258989d033aef496f9219e0ec37e2295b66c2c7cdc95f8b8143fc0af
Instruction ID: 786af1a6681fc588f4ed673612d44b37cd66a9ddadc6b0c90f2aca86fde3c3ed
Opcode Fuzzy Hash: 201396fe258989d033aef496f9219e0ec37e2295b66c2c7cdc95f8b8143fc0af
Instruction Fuzzy Hash: 41B012792100404BCB080B349C4504D75506F46B32B20473CB073C00F0DB30CD70BA00

Function 00411B67 Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d8bfda6a3cd3cbaaac1923a92569980932abdf526a58af7fc260ebb20eba954b
Instruction ID: 8fd1618fdc001f910610ea30bed12e65be45571f6aff6d2ea6de46bc6098db87
Opcode Fuzzy Hash: d8bfda6a3cd3cbaaac1923a92569980932abdf526a58af7fc260ebb20eba954b
Instruction Fuzzy Hash: F8C09B35544301BFDE114F40FD05F09BF71BB84F05F004414B244640B1C2714414EB17

Function 00419681 Relevance: 1.3, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71768e3b57be439b0f9ce1a84ee98f19883832beed36a2a3ef83e6d3b54edd1a
Instruction ID: 4be01e504a1dbe863e5cd1883b5f47abe9c308d3627063d178914d84215e5ed1
Opcode Fuzzy Hash: 71768e3b57be439b0f9ce1a84ee98f19883832beed36a2a3ef83e6d3b54edd1a
Instruction Fuzzy Hash: 32319E31614206EFDF14AF15D9517DAB3A0FF00364F11412BF8259B290EB38EDE09BA9

Function 004059F7 Relevance: 1.3, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00405A28

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID:
API String ID: 2081463915-0
Opcode ID: 47d81a72ba5e86c6c08ea2f576f41ce6956625c552654a9f8307a541cecd461b
Instruction ID: a3dc623871aa55e9e138b6aa735e1cfc4d22eb4fa3c35538bc996f6fefcd79cf
Opcode Fuzzy Hash: 47d81a72ba5e86c6c08ea2f576f41ce6956625c552654a9f8307a541cecd461b
Instruction Fuzzy Hash: 65113A75600A05AFCB14DF69C9C19ABB7F8FF04314B10463EA456E7241DB34E9458F68

Function 004050B7 Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00405137: CloseHandle.KERNEL32(000000FF,004050C7,00000000,?,00408B2E,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409013,?,004091EB,000000FF), ref: 0040513F

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetLastError.KERNEL32(00000000,?,00408B2E,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409013,?,004091EB,000000FF,00000000,00000104), ref: 00405124

Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastRead
String ID:
API String ID: 2136311172-0
Opcode ID: e1fa86938fa3109ce0b7763a12cdd910979c4d4d9c688e98096abe29a5a3520b
Instruction ID: 849b43cde7c86ee220a2fa92f028283b8c7de21471a02e191cd59f19f3ad1342
Opcode Fuzzy Hash: e1fa86938fa3109ce0b7763a12cdd910979c4d4d9c688e98096abe29a5a3520b
Instruction Fuzzy Hash: DD0181B1815A008AD720AB65DC057A776E8DF11319F10893FE5A5EF2C2EB7C94408E6E

Function 004085EB Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 00408604: ??3@YAXPAX@Z.MSVCRT(00000000,00401A20,Function_000434FC,?,00000001,00401A71,?,00401E44), ref: 0040860B

??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401DDF), ref: 004085F4

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: c4c244ccb30b183d3550635b452a5d4afba6a495f05b66f96448f990385c2ccf
Instruction ID: 922d8024f7c410ba2bf811e6c001bae8f16a2ee087a1061d919dd730706e44d9
Opcode Fuzzy Hash: c4c244ccb30b183d3550635b452a5d4afba6a495f05b66f96448f990385c2ccf
Instruction Fuzzy Hash: 36C02B3241D2101FD764FFB4360205722D4CE822383014C2FF0C0D3100DD3884014B4C

Function 00408037 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040803E

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b8cd1effcdf29b95293438428d1a83d87b736904a3019313e09548ab324a0620
Instruction ID: b2304b4461d9917b15a132db01dd128865174dbe20628525ae7b4e3248e143f9
Opcode Fuzzy Hash: b8cd1effcdf29b95293438428d1a83d87b736904a3019313e09548ab324a0620
Instruction Fuzzy Hash: 17C08CB24107018FF7308F11C905322B3E4AF0073BFA08C0EA0D0914C2DBBCD084CA08

Function 00402778 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040277F

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 12e10aa5a455c2b2122ca5546f3d5514bdec465a3aa4be4c1af19d6b195196c9
Instruction ID: cac01d1bc301b84fbdbddb48431dcac5afc2edf88536e2650f831a4bf4b80b8a
Opcode Fuzzy Hash: 12e10aa5a455c2b2122ca5546f3d5514bdec465a3aa4be4c1af19d6b195196c9
Instruction Fuzzy Hash: 7AC00272550B019FF7609F15C94A762B3E4AF5077BF918C1DA4A5924C1E7BCD4448A18

Function 00412B6F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00412B73

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b450fec74f7795ac9fca528e737bf449a82a962f0464f52a5a7c386dc31c5c02
Instruction ID: 46b4f55e9d8111901284769a6e1cf788246b5727949f953e2d9518689c8df02f
Opcode Fuzzy Hash: b450fec74f7795ac9fca528e737bf449a82a962f0464f52a5a7c386dc31c5c02
Instruction Fuzzy Hash: AC900282455501216C4522755D1750511080851176374074A7032A59D1DE688150601C

Non-executed Functions

Function 00411196 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 143processlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00402778: free.MSVCRT ref: 0040277F

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00001000,?,00000000), ref: 004111B6
memset.MSVCRT ref: 004111CB
Process32FirstW.KERNEL32(?,?), ref: 004111E7
OpenProcess.KERNEL32(00000410,00000000,?,00001000,?,00000000), ref: 0041122C
memset.MSVCRT ref: 00411253
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00411288
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 004112A2
CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 004112F4
free.MSVCRT ref: 0041130D
Process32NextW.KERNEL32(?,0000022C), ref: 00411356
CloseHandle.KERNEL32(?,?,0000022C), ref: 00411366

Strings

kernel32.dll, xrefs: 00411283
QueryFullProcessImageNameW, xrefs: 00411292

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 1344430650-1740548384
Opcode ID: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
Instruction ID: bbba850b15206e26884db202d857e323fd936e243bbe251c85cc099381913945
Opcode Fuzzy Hash: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
Instruction Fuzzy Hash: 7E51AF72840258ABDB21DF55CC84EDEB7B9EF94304F1001ABFA18E3261DB759A84CF54

Function 00407363 Relevance: 16.6, APIs: 11, Instructions: 59clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 0040736D

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetFileSize.KERNEL32(00000000,00000000), ref: 0040738A
GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040739B
GlobalLock.KERNEL32(00000000), ref: 004073A8
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004073BB
GlobalUnlock.KERNEL32(00000000), ref: 004073CD
SetClipboardData.USER32(0000000D,00000000), ref: 004073D6
GetLastError.KERNEL32 ref: 004073DE
CloseHandle.KERNEL32(?), ref: 004073EA
GetLastError.KERNEL32 ref: 004073F5
CloseClipboard.USER32 ref: 004073FE

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: ff4ef1d92d1a290ea301bbc8eaca8dcb04474945f762c75d88d1861bbfd53786
Instruction ID: 70226e125eefff96fe42492f97b8668800667adb6f1e94a7dd2fd5f696112ff0
Opcode Fuzzy Hash: ff4ef1d92d1a290ea301bbc8eaca8dcb04474945f762c75d88d1861bbfd53786
Instruction Fuzzy Hash: E311423A904204FBE7105FB5EC4DA5E7F78EB06B52F204176FD02E5290DB749A01DB69

Function 0041604B Relevance: 12.1, APIs: 8, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00416065
memcpy.MSVCRT(?,?,00000010), ref: 00416074
GetCurrentProcessId.KERNEL32 ref: 00416085
memcpy.MSVCRT(?,?,00000004), ref: 00416098
GetTickCount.KERNEL32 ref: 004160AC
memcpy.MSVCRT(?,?,00000004), ref: 004160BF
QueryPerformanceCounter.KERNEL32(?), ref: 004160D5
memcpy.MSVCRT(?,?,00000008), ref: 004160E5

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4218492932-0
Opcode ID: 91481d4031c4b0f89b54af3f497fb88c2307565dbaae607565dd24303698038d
Instruction ID: b821822af8fa1f08beba458ee4fa97db6355aebb6f9a48b4278dc6bbcb45c8c8
Opcode Fuzzy Hash: 91481d4031c4b0f89b54af3f497fb88c2307565dbaae607565dd24303698038d
Instruction Fuzzy Hash: 601163F3900118ABDB00EFA4DC899DAB7ACEF19710F454536FA09DB144E674E748C7A9

Function 004072FB Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemoryCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00407303
wcslen.MSVCRT ref: 00407310
GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,0040D79F,-00000210), ref: 00407320
GlobalLock.KERNEL32(00000000), ref: 0040732D
memcpy.MSVCRT(00000000,?,00000002,?,?,?,0040D79F,-00000210), ref: 00407336
GlobalUnlock.KERNEL32(00000000), ref: 0040733F
SetClipboardData.USER32(0000000D,00000000), ref: 00407348
CloseClipboard.USER32 ref: 00407358

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
String ID:
API String ID: 1213725291-0
Opcode ID: 5ed3c7ed2292a9e609788bd9d251ea61b7faa26044294d95fe65c060bebd8173
Instruction ID: e9f640a6ba64593c4f3b5e3a0a2b414f675f529f5a9edaa6aa7e0ad5043136ba
Opcode Fuzzy Hash: 5ed3c7ed2292a9e609788bd9d251ea61b7faa26044294d95fe65c060bebd8173
Instruction Fuzzy Hash: 14F0B43B5002187BD2102FE5AC4DE1B772CEB86F97B050179FA09D2251DE749E0486B9

Function 004021D9 Relevance: 110.5, APIs: 9, Strings: 54, Instructions: 282COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00402201
_wcsicmp.MSVCRT ref: 00402231
_wcsicmp.MSVCRT ref: 0040225E
_wcsicmp.MSVCRT ref: 0040228B

Part of subcall function 0040805C: wcslen.MSVCRT ref: 0040806F
Part of subcall function 0040805C: memcpy.MSVCRT(?,?,00000000,00000001,00401A18,Function_000434FC,?,00000001,00401A71,?,00401E44), ref: 0040808E

memset.MSVCRT ref: 0040262F
memcpy.MSVCRT(?,?,00000011,?,00000000,00000080), ref: 00402664

Part of subcall function 00403853: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
Part of subcall function 00403853: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
Part of subcall function 00403853: FreeLibrary.KERNEL32(00000000), ref: 00403897

memcpy.MSVCRT(?,?,0000001C,?,00000090,00000000,?), ref: 004026C0
LocalFree.KERNEL32(?,?,?,00000000,?,00000090,00000000,?), ref: 0040271E
FreeLibrary.KERNEL32(00000000,?,00000090,00000000,?), ref: 0040272D

Strings

z, xrefs: 0040255D
\, xrefs: 00402510
K, xrefs: 0040239F
t, xrefs: 004025F7
/, xrefs: 004024DF
L, xrefs: 004025E9
2, xrefs: 00402580
y, xrefs: 00402352
K, xrefs: 0040253A
Data, xrefs: 00402280
F, xrefs: 004023A6
0, xrefs: 0040240E
t, xrefs: 0040252C
!, xrefs: 00402525
com.apple.Safari, xrefs: 00402634
w, xrefs: 004024D8
#, xrefs: 004025CD
&, xrefs: 0040230C
n, xrefs: 0040258E
n, xrefs: 0040254F
=, xrefs: 0040251E
y, xrefs: 00402469
>, xrefs: 004022E9
I, xrefs: 004023F3
', xrefs: 004023D7
&, xrefs: 004025C6
~, xrefs: 00402579
q, xrefs: 004024AF
}, xrefs: 004022E2
{, xrefs: 00402383
S, xrefs: 004024D1
>, xrefs: 004022D4
a, xrefs: 004024ED
H, xrefs: 004022DB
^, xrefs: 004025FE
t, xrefs: 0040261A
b, xrefs: 004022F7
$, xrefs: 0040259C
`, xrefs: 004024A1
com.apple.WebKit2WebProcess, xrefs: 00402656
u, xrefs: 0040244D
Account, xrefs: 00402253
u, xrefs: 004023DE
h, xrefs: 004024BD
H, xrefs: 004022CD
g, xrefs: 0040231A
8, xrefs: 0040249A
), xrefs: 004025AA
Path, xrefs: 00402226
server, xrefs: 004021ED
O, xrefs: 00402360
A, xrefs: 0040236E
@, xrefs: 00402533
X, xrefs: 00402605

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmp$FreeLibrarymemcpy$AddressLoadLocalProcmemsetwcslen
String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
API String ID: 462158748-1134094380
Opcode ID: 67cf4eee38665e4ec1be56c90270dd44ce6e0e009cbb4a5b7d9f17bd5b1e0b61
Instruction ID: cc44404655acc20b5533cc0c34fbbab0c7f11d0fd0cfcd5d05bb593c6a12ed59
Opcode Fuzzy Hash: 67cf4eee38665e4ec1be56c90270dd44ce6e0e009cbb4a5b7d9f17bd5b1e0b61
Instruction Fuzzy Hash: C9F1FF208087E9C9DB32D7788D097CEBE645B23324F0443D9E1E87A2D2D7B55B85CB66

Function 004113F4 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00411421
GetDlgItem.USER32(?,000003E8), ref: 0041142D
GetWindowLongW.USER32(00000000,000000F0), ref: 0041143C
GetWindowLongW.USER32(?,000000F0), ref: 00411448
GetWindowLongW.USER32(00000000,000000EC), ref: 00411451
GetWindowLongW.USER32(?,000000EC), ref: 0041145D
GetWindowRect.USER32(00000000,?), ref: 0041146F
GetWindowRect.USER32(?,?), ref: 0041147A
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041148E
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041149C
GetDC.USER32 ref: 004114D5
wcslen.MSVCRT ref: 00411515
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00411526
ReleaseDC.USER32(?,?), ref: 00411573
_snwprintf.MSVCRT ref: 00411636
SetWindowTextW.USER32(?,?), ref: 0041164A
SetWindowTextW.USER32(?,00000000), ref: 00411668
GetDlgItem.USER32(?,00000001), ref: 0041169E
GetWindowRect.USER32(00000000,?), ref: 004116AE
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004116BC
GetClientRect.USER32(?,?), ref: 004116D3
GetWindowRect.USER32(?,?), ref: 004116DD
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00411723
GetClientRect.USER32(?,?), ref: 0041172D
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00411765

Strings

EDIT, xrefs: 0041160B
%s:, xrefs: 0041162B
STATIC, xrefs: 004115D5

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: 82769fcda4aee539b94f7460eafa85e4f9ca3f83dedf5f01e4882f05d4beebf3
Instruction ID: 8ff438caca04d900f401a49fee0f0db12add2221ca5be9c1dac879361ae65e4d
Opcode Fuzzy Hash: 82769fcda4aee539b94f7460eafa85e4f9ca3f83dedf5f01e4882f05d4beebf3
Instruction Fuzzy Hash: E3B1B071108341AFD720DF68C985E6BBBF9FB88704F004A2DF69692261DB75E944CF16

Function 0040109F Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 004010F7
ChildWindowFromPoint.USER32(?,?,?), ref: 00401109
GetDlgItem.USER32(?,000003EE), ref: 0040113F
ChildWindowFromPoint.USER32(?,?,?), ref: 0040114C
GetDlgItem.USER32(?,000003EC), ref: 0040117A
ChildWindowFromPoint.USER32(?,?,?), ref: 0040118C
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401195
LoadCursorW.USER32(00000000,00000067), ref: 0040119E
SetCursor.USER32(00000000,?,?), ref: 004011A5
GetDlgItem.USER32(?,000003EE), ref: 004011C6
ChildWindowFromPoint.USER32(?,?,?), ref: 004011D3
GetDlgItem.USER32(?,000003EC), ref: 004011ED
SetBkMode.GDI32(?,00000001), ref: 004011F9
SetTextColor.GDI32(?,00C00000), ref: 00401207
GetSysColorBrush.USER32(0000000F), ref: 0040120F
GetDlgItem.USER32(?,000003EE), ref: 00401230
EndDialog.USER32(?,?), ref: 00401265
DeleteObject.GDI32(?), ref: 00401271
GetDlgItem.USER32(?,000003ED), ref: 00401296
ShowWindow.USER32(00000000), ref: 0040129F
GetDlgItem.USER32(?,000003EE), ref: 004012AB
ShowWindow.USER32(00000000), ref: 004012AE
SetDlgItemTextW.USER32(?,000003EE,004511E0), ref: 004012BF
SetWindowTextW.USER32(?,WebBrowserPassView), ref: 004012CD
SetDlgItemTextW.USER32(?,000003EA,?), ref: 004012E5
SetDlgItemTextW.USER32(?,000003EC,?), ref: 004012F6

Strings

WebBrowserPassView, xrefs: 004012C5

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: WebBrowserPassView
API String ID: 829165378-2171583229
Opcode ID: 9528d28c6aa400cf950dedba09aaaf40a629cdba61218975bccd681405960fd9
Instruction ID: 8d9c6eba8ddb3a7c26c98eaf12cf57faa7ce2db5dd3d1d54ce32cd9ff2fd20fc
Opcode Fuzzy Hash: 9528d28c6aa400cf950dedba09aaaf40a629cdba61218975bccd681405960fd9
Instruction Fuzzy Hash: 8C517E35500308BBDB22AF64DC45E6E7BB5FB04742F104A7AF952A66F0C774AE50EB18

Function 0040F767 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 214windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 0040F7AC
GetDlgItem.USER32(?,000003EA), ref: 0040F7C4
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040F7E2
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 0040F7EE
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0040F7F6
memset.MSVCRT ref: 0040F81D
memset.MSVCRT ref: 0040F83F
memset.MSVCRT ref: 0040F858
memset.MSVCRT ref: 0040F86C
memset.MSVCRT ref: 0040F886
memset.MSVCRT ref: 0040F89B
GetCurrentProcess.KERNEL32 ref: 0040F8A3
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040F8C6
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040F8F8
memset.MSVCRT ref: 0040F94B
GetCurrentProcessId.KERNEL32 ref: 0040F959
memcpy.MSVCRT(?,004509D0,0000021C), ref: 0040F987
wcscpy.MSVCRT ref: 0040F9AA
_snwprintf.MSVCRT ref: 0040FA19
SetDlgItemTextW.USER32(?,000003EA,?), ref: 0040FA31
GetDlgItem.USER32(?,000003EA), ref: 0040FA3B
SetFocus.USER32(00000000), ref: 0040FA42

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0040FA0E
{Unknown}, xrefs: 0040F831

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 4192c38ce99e2e5d3a4b6b431755b06133974f066cfd60dedb09103ebde27fd1
Instruction ID: 69e9f0bde0ef3093fe47e3bafb281a214b560c7f74f151c34d98b156b899ddfd
Opcode Fuzzy Hash: 4192c38ce99e2e5d3a4b6b431755b06133974f066cfd60dedb09103ebde27fd1
Instruction Fuzzy Hash: F7719FB680121DBEEF219B50DC45EDA7B6CEF08355F0000B6F508A21A1DA799E88CF69

Function 0040F4F7 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 171COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F51A
wcslen.MSVCRT ref: 0040F522
wcslen.MSVCRT ref: 0040F52E
wcscpy.MSVCRT ref: 0040F5A5
wcscpy.MSVCRT ref: 0040F5B6
memset.MSVCRT ref: 0040F5CF
memset.MSVCRT ref: 0040F5E4
_snwprintf.MSVCRT ref: 0040F5FE
memset.MSVCRT ref: 0040F63D
wcslen.MSVCRT ref: 0040F64D
wcslen.MSVCRT ref: 0040F65B
wcscpy.MSVCRT ref: 0040F611

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

wcscpy.MSVCRT ref: 0040F6A2
memset.MSVCRT ref: 0040F6D1
memset.MSVCRT ref: 0040F6E6
_snwprintf.MSVCRT ref: 0040F702
wcscpy.MSVCRT ref: 0040F715

Strings

Path, xrefs: 0040F72A
profiles.ini, xrefs: 0040F527, 0040F543
Profile%d, xrefs: 0040F5EA, 0040F6F4
IsRelative, xrefs: 0040F745
General, xrefs: 0040F5B0

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetwcscpy$wcslen$_snwprintf$wcscat
String ID: General$IsRelative$Path$Profile%d$profiles.ini
API String ID: 3014334669-2600475665
Opcode ID: c5dfa419d5e156fd18e38bb9fe1657a50580db14dfc2297f0345cb0c168ef583
Instruction ID: ca42eae1a8a54deb15ae60d9a008fbbac9316f2c57223d03809256618168ca92
Opcode Fuzzy Hash: c5dfa419d5e156fd18e38bb9fe1657a50580db14dfc2297f0345cb0c168ef583
Instruction Fuzzy Hash: F151627290021CBADB20EB55CD45ECEB7BCAF14744F5044B7B10DA2091EB789B888F6A

Function 0040D1D0 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 254windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A2C8: LoadMenuW.USER32(00000000), ref: 0040A2D0

SetMenu.USER32(?,00000000), ref: 0040D2E0
CreateStatusWindowW.COMCTL32(50000000,Function_000434FC,?,00000101), ref: 0040D2FB
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040D313
GetModuleHandleW.KERNEL32(00000000), ref: 0040D322
LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 0040D32F
CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040D359
GetModuleHandleW.KERNEL32(00000000), ref: 0040D366
CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 0040D38D
GetFileAttributesW.KERNEL32(004518A8,?,00000000,/nosaveload,00000000,00000001), ref: 0040D468
GetTempPathW.KERNEL32(00000104,004518A8,?,00000000,/nosaveload,00000000,00000001), ref: 0040D478
wcslen.MSVCRT ref: 0040D47F
wcslen.MSVCRT ref: 0040D48D
RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001,?,00000000,/nosaveload,00000000,00000001), ref: 0040D4DA
SendMessageW.USER32(?,00000404,00000002,?), ref: 0040D515
SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040D528

Part of subcall function 00403A14: wcslen.MSVCRT ref: 00403A31
Part of subcall function 00403A14: SendMessageW.USER32(?,00001061,?,?), ref: 00403A55

Strings

SysListView32, xrefs: 0040D387
report.html, xrefs: 0040D486, 0040D49E
commdlg_FindReplace, xrefs: 0040D4D5
/nosaveload, xrefs: 0040D412

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Message$Send$CreateWindowwcslen$HandleLoadMenuModule$AttributesFileImagePathRegisterStatusTempToolbar
String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
API String ID: 1638525581-2103577948
Opcode ID: 09239095896d852bc9637f75337da0b8f677ca08e5855ea8ee30249aa1057c49
Instruction ID: 7a0d9eec849a31f4480aab016bccc9be6ec6f6c883519ecda8bf5f9757aa8271
Opcode Fuzzy Hash: 09239095896d852bc9637f75337da0b8f677ca08e5855ea8ee30249aa1057c49
Instruction Fuzzy Hash: D7A1A171500388AFEB11DF68CC89BCA7FA5AF55704F04447DFA486B292C7B59908CB69

Function 00408836 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 234fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040885E

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 00408885

Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401DDF), ref: 004085F4

Part of subcall function 0040FC89: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,004088B3,?,000000FF,00000000,00000104), ref: 0040FC9C
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040FCB3
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040FCC5
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040FCD7
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040FCE9
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040FCFB
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtQueryObject), ref: 0040FD0D
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040FD1F
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtResumeProcess), ref: 0040FD31

CloseHandle.KERNEL32(C0000004,?,000000FF,00000000,00000104), ref: 004088EF
GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 004088FA
_wcsicmp.MSVCRT ref: 0040898B
_wcsicmp.MSVCRT ref: 0040899E
_wcsicmp.MSVCRT ref: 004089B1
OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,000000FF,00000000,00000104), ref: 004089C5
GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 00408A0B
DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 00408A1A
memset.MSVCRT ref: 00408A38
CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 00408A6B
_wcsicmp.MSVCRT ref: 00408A8B
CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 00408ACB
FreeLibrary.KERNEL32(?,?,?,000000FF,00000000,00000104), ref: 00408AED

Strings

taskhostex.exe, xrefs: 004089A9
dllhost.exe, xrefs: 00408982
taskhost.exe, xrefs: 00408996

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateFreeLibraryNameOpen
String ID: dllhost.exe$taskhost.exe$taskhostex.exe
API String ID: 814719012-3398334509
Opcode ID: 4d8f3214a43bd04c3f84bf4d7629163f604b80433559b2a465285cddf8bf93b4
Instruction ID: ac6d74245de41f4a68afaf46936feeb9e4215e23a81ac82868d75cf9687b4f7b
Opcode Fuzzy Hash: 4d8f3214a43bd04c3f84bf4d7629163f604b80433559b2a465285cddf8bf93b4
Instruction Fuzzy Hash: FB9115B1D00209AFDB10EF95C985AAEBBB5FF04305F60447FE949B6291DB399E40CB58

Function 004125BA Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004125DC
memset.MSVCRT ref: 004125F1
wcscpy.MSVCRT ref: 00412623
_snwprintf.MSVCRT ref: 00412643
wcscat.MSVCRT ref: 00412650
_snwprintf.MSVCRT ref: 0041267F
wcscat.MSVCRT ref: 0041268C
wcscat.MSVCRT ref: 0041269A
wcscat.MSVCRT ref: 004126AC
wcscat.MSVCRT ref: 004126B7
wcscat.MSVCRT ref: 004126C9
wcscat.MSVCRT ref: 004126DB

Strings

color="#%s", xrefs: 0041266E
</b>, xrefs: 004126C3
<font, xrefs: 0041261D
</font>, xrefs: 004126D5
<b>, xrefs: 004126A6
size="%d", xrefs: 00412632

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 2ff61e6e61c45a42ec8a536e31393f15904b361fc50918dfd7b37e2d26dac3f0
Instruction ID: 1bdd15307226dc02cd036ffdab734ce65306a7f25c134a46d7f370f8b7d92746
Opcode Fuzzy Hash: 2ff61e6e61c45a42ec8a536e31393f15904b361fc50918dfd7b37e2d26dac3f0
Instruction Fuzzy Hash: 2C31E9B2900305BEEB20AA559E82DBF73BCDF41715F60405FF214E21C2DABC9E859A1C

Function 004126E8 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041270E
memset.MSVCRT ref: 00412723
memset.MSVCRT ref: 00412738
_snwprintf.MSVCRT ref: 00412767
_snwprintf.MSVCRT ref: 00412796
wcscpy.MSVCRT ref: 004127A7
_snwprintf.MSVCRT ref: 004127C7
memset.MSVCRT ref: 00412803
_snwprintf.MSVCRT ref: 00412824
_snwprintf.MSVCRT ref: 0041285E

Part of subcall function 0041248F: _snwprintf.MSVCRT ref: 004124B3

Strings

width="%s", xrefs: 00412813
<table border="1" cellpadding="5"><tr%s>, xrefs: 004127B6
<th%s>%s%s%s, xrefs: 0041284D
bgcolor="%s", xrefs: 00412756
</font>, xrefs: 004127A1
<font color="%s">, xrefs: 00412785

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 226d5b028e445a7516cf64f8fc5c05c3ce0576dee2713dde24e27e7b686f1b2e
Instruction ID: df620ac0873104ba588d68bc57a3bc16e82c0a505241d1212890b0a23309d9f4
Opcode Fuzzy Hash: 226d5b028e445a7516cf64f8fc5c05c3ce0576dee2713dde24e27e7b686f1b2e
Instruction Fuzzy Hash: 03418371D402197AEB20EB55DD41EFB727CFF04304F4401AAB509E2181EB749B948F6A

Function 004035E2 Relevance: 27.1, APIs: 18, Instructions: 66windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C8CF: memset.MSVCRT ref: 0040C912
Part of subcall function 0040C8CF: memset.MSVCRT ref: 0040C927
Part of subcall function 0040C8CF: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C939
Part of subcall function 0040C8CF: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040C957
Part of subcall function 0040C8CF: SendMessageW.USER32(?,00001003,00000001,?), ref: 0040C994
Part of subcall function 0040C8CF: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040C9A8
Part of subcall function 0040C8CF: ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C9B3
Part of subcall function 0040C8CF: SendMessageW.USER32(?,00001003,00000000,?), ref: 0040C9CB
Part of subcall function 0040C8CF: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C9D7
Part of subcall function 0040C8CF: GetModuleHandleW.KERNEL32(00000000), ref: 0040C9E6
Part of subcall function 0040C8CF: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 0040C9F8
Part of subcall function 0040C8CF: GetModuleHandleW.KERNEL32(00000000), ref: 0040CA03
Part of subcall function 0040C8CF: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 0040CA15
Part of subcall function 0040C8CF: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040CA26
Part of subcall function 0040C8CF: GetSysColor.USER32(0000000F), ref: 0040CA2E

GetModuleHandleW.KERNEL32(00000000), ref: 004035F4
LoadIconW.USER32(00000000,00000072), ref: 004035FF
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403610
GetModuleHandleW.KERNEL32(00000000), ref: 00403614
LoadIconW.USER32(00000000,00000074), ref: 00403619
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00403624
GetModuleHandleW.KERNEL32(00000000), ref: 00403628
LoadIconW.USER32(00000000,00000073), ref: 0040362D
ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 00403638
GetModuleHandleW.KERNEL32(00000000), ref: 0040363C
LoadIconW.USER32(00000000,00000075), ref: 00403641
ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 0040364C
GetModuleHandleW.KERNEL32(00000000), ref: 00403650
LoadIconW.USER32(00000000,0000006F), ref: 00403655
ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 00403660
GetModuleHandleW.KERNEL32(00000000), ref: 00403664
LoadIconW.USER32(00000000,00000076), ref: 00403669
ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 00403674

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Image$Icon$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 792915304-0
Opcode ID: cc435ca99fa3c831c04f4257ae775a7279f3e83e44ba77ecb565717d4c2bd910
Instruction ID: 62ec96a61e35675a05b55f01cd8090f0511f6faf4d41b9404683e1d7d0c62212
Opcode Fuzzy Hash: cc435ca99fa3c831c04f4257ae775a7279f3e83e44ba77ecb565717d4c2bd910
Instruction Fuzzy Hash: 6901E1A17957087AF53137B2EC4BF6B7B5EDF81F4AF214414F30C990E0C9A6AD105928

Function 0040E191 Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040E197
_wcsicmp.MSVCRT ref: 0040E1AC

Strings

/sverhtml, xrefs: 0040E1A7
/sxml, xrefs: 0040E1BC
/skeepass, xrefs: 0040E210
/stabular, xrefs: 0040E1E6
/shtml, xrefs: 0040E192
/stab, xrefs: 0040E1D1
/scomma, xrefs: 0040E1FB

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2081463915-1959339147
Opcode ID: b616bea398b4ca2207bf7c5dde01c93d20d234ad121985eea5c1f5da2cadd933
Instruction ID: 054bd0190cb9dfc881084e553ec7e2e67fad8357780775fa0482b63ba5cfd284
Opcode Fuzzy Hash: b616bea398b4ca2207bf7c5dde01c93d20d234ad121985eea5c1f5da2cadd933
Instruction Fuzzy Hash: 7101DE72ACA31138F83851672D17F971A598FA1B7AF70196FF514D81C6EEAC9000709D

Function 004037C3 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040383E: FreeLibrary.KERNEL32(?,004037CB,00000000,00408635,?,00000000,?), ref: 00403845

LoadLibraryW.KERNEL32(advapi32.dll,00000000,00408635,?,00000000,?), ref: 004037D0
GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004037E9
GetProcAddress.KERNEL32(?,CredFree), ref: 004037F5
GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403801
GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040380D
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403819

Strings

CredFree, xrefs: 004037EB
CredDeleteA, xrefs: 004037F7
CredEnumerateA, xrefs: 00403803
CredReadA, xrefs: 004037E3
advapi32.dll, xrefs: 004037CB
CredEnumerateW, xrefs: 0040380F

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
API String ID: 2449869053-4258758744
Opcode ID: cb87cb7b44b35881c8e04de2777173e0b76236c73d0c14512c4dcac4629ff988
Instruction ID: c94656deef6b20b6b745ef32668947add9de3545ed3fb2bb9f52e7e7eb3e89f2
Opcode Fuzzy Hash: cb87cb7b44b35881c8e04de2777173e0b76236c73d0c14512c4dcac4629ff988
Instruction Fuzzy Hash: D9012C355007809AD730AF6AC809F06BEE4EF54B02B21886FF091A3791D7B9E240CF48

Function 0041139E Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(psapi.dll,00000000,0041137E,00000000,0041126B,00000000,?), ref: 004113A9
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004113BD
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004113C9
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004113D5
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004113E1
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004113ED

Strings

psapi.dll, xrefs: 004113A4
GetModuleInformation, xrefs: 004113E3
EnumProcessModules, xrefs: 004113BF
GetModuleFileNameExW, xrefs: 004113CB
GetModuleBaseNameW, xrefs: 004113B5
EnumProcesses, xrefs: 004113D7

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2238633743-70141382
Opcode ID: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
Instruction ID: b0fa25657284a8e9196716ee499a251a0e3e908d4b843c37df8f242eb1d66817
Opcode Fuzzy Hash: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
Instruction Fuzzy Hash: A3F03478988704AEEB30AF75DC08E07BEF0EFA8B11721892EE0C593650D7799441EF58

Function 004033DF Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

memset.MSVCRT ref: 00403415
memset.MSVCRT ref: 0040342A
memset.MSVCRT ref: 0040343F
_snwprintf.MSVCRT ref: 00403467
wcscpy.MSVCRT ref: 00403483
_snwprintf.MSVCRT ref: 004034C6

Strings

<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004034B9
<table dir="rtl"><tr><td>, xrefs: 0040347D
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040345A
WebBrowserPassView, xrefs: 004034AB
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004033EF

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf$FileWritewcscpywcslen
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$WebBrowserPassView
API String ID: 2731979376-1376879643
Opcode ID: f8e001787c2363cba2026e3d3c8ba2c251a00b45d532011988efd28241eb9acd
Instruction ID: ae32d01ec2d3a7685ec326ba9a70c170c8059c8ae6e66fa8bd15e07dd33865c2
Opcode Fuzzy Hash: f8e001787c2363cba2026e3d3c8ba2c251a00b45d532011988efd28241eb9acd
Instruction Fuzzy Hash: 2E217672D002187ADB21AF55DC41FEA76BCEB08785F0040AFF509A6191DA799F848F69

Function 0040931D Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110stringfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,004094E9,?,?,00409553,00000000), ref: 0040933D

Part of subcall function 00407BD1: SetFilePointer.KERNEL32(00409553,?,00000000,00000000,?,0040935E,00000000,00000000,?,00000020,?,004094E9,?,?,00409553,00000000), ref: 00407BDE

GetFileSize.KERNEL32(00000000,00000000), ref: 0040936D

Part of subcall function 0040928C: _memicmp.MSVCRT ref: 004092A6
Part of subcall function 0040928C: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,00409553,00000000), ref: 004092BD

memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 004093B4
strchr.MSVCRT ref: 004093D9
strchr.MSVCRT ref: 004093EA
_strlwr.MSVCRT ref: 004093F8
memset.MSVCRT ref: 00409413
CloseHandle.KERNEL32(00000000), ref: 00409460

Strings

4, xrefs: 00409361
h, xrefs: 004093C5

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
String ID: 4$h
API String ID: 4066021378-1856150674
Opcode ID: 5c9b1e76fbe1022800f84db5655dab790c3d9ef423dba09cd133e7d04b6bc347
Instruction ID: cde85974a53443ad19b2097b399cb4fe7e1f14935bf37b0ef0624c00476b394c
Opcode Fuzzy Hash: 5c9b1e76fbe1022800f84db5655dab790c3d9ef423dba09cd133e7d04b6bc347
Instruction Fuzzy Hash: 333186B1900118BEEB11EB54CC85BEE77ACEF04358F10406AFA08E6181D7789F558B69

Function 004121F2 Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00412265

Strings

Start Menu, xrefs: 00412216
Desktop, xrefs: 0041220F
Common Desktop, xrefs: 00412251
Programs, xrefs: 0041222B
AppData, xrefs: 0041224A
Common Start Menu, xrefs: 00412232
Startup, xrefs: 0041221D
Common Programs, xrefs: 0041225F
Favorites, xrefs: 00412224
Common Startup, xrefs: 00412258

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 1284135714-318151290
Opcode ID: 765507c601b4d8d2ba7194c2d8328fe19790b608763020fa3010f04483565392
Instruction ID: 454bece2ea24cac32075296694d9d3cbfc4d611bf65854eebe1c10393ee0200f
Opcode Fuzzy Hash: 765507c601b4d8d2ba7194c2d8328fe19790b608763020fa3010f04483565392
Instruction Fuzzy Hash: 46F01D3329C746A0383D09680B06AFF1001E2127497B585D3A882E06D5C8FDCEF2F81F

Function 0040A16C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040A182
memset.MSVCRT ref: 0040A1A6
GetMenuItemInfoW.USER32 ref: 0040A1E1
memset.MSVCRT ref: 0040A210
wcschr.MSVCRT ref: 0040A21C
wcscat.MSVCRT ref: 0040A277
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 0040A293

Strings

0, xrefs: 0040A1C1
6, xrefs: 0040A1CC

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: 1d39bbd5ff858052ee02b08f17fe13160222b35be18e4d09e9b30479f4b91e1d
Instruction ID: 34000a492db7a65727c4d20bf870b817f1c48c155544aae5e12c30b4e9d7c158
Opcode Fuzzy Hash: 1d39bbd5ff858052ee02b08f17fe13160222b35be18e4d09e9b30479f4b91e1d
Instruction Fuzzy Hash: 64318B72408340AFDB20DF91D845A9BB7E8FF84354F00497EF948A2291E37ADA14CB5B

Function 0040684F Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406878
memset.MSVCRT ref: 0040688C
strcpy.MSVCRT(?), ref: 004068A6
strcpy.MSVCRT(?,?,?,?,?,?), ref: 004068EB
strcpy.MSVCRT(?,00001000,?,?,?,?,?,?), ref: 004068FF
strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?), ref: 00406912
wcscpy.MSVCRT ref: 00406921
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,Rp@,00406D64), ref: 00406948
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,Rp@,00406D64), ref: 0040695E

Strings

Rp@, xrefs: 0040684F

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$ByteCharMultiWidememset$wcscpy
String ID: Rp@
API String ID: 4248099071-3382320042
Opcode ID: 671e59c8fe4c17755a702227dbfb0f671c225521712c780855f09c1fc1980107
Instruction ID: 073529020724e05d4964247b7c64433db30515fb9166064be710f6d7ccb76f44
Opcode Fuzzy Hash: 671e59c8fe4c17755a702227dbfb0f671c225521712c780855f09c1fc1980107
Instruction Fuzzy Hash: 653141B290011DBFDB20DA55CC84FEA77BCFF09358F0445AAB919E3141DA74AA588F68

Function 0040A818 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32(?,?), ref: 0040A83F

Part of subcall function 0040A668: GetMenuItemCount.USER32(?), ref: 0040A67E
Part of subcall function 0040A668: memset.MSVCRT ref: 0040A69D
Part of subcall function 0040A668: GetMenuItemInfoW.USER32 ref: 0040A6D9
Part of subcall function 0040A668: wcschr.MSVCRT ref: 0040A6F1

DestroyMenu.USER32(00000000), ref: 0040A85D
CreateDialogParamW.USER32(?,?,00000000,0040A813,00000000), ref: 0040A8AB
memset.MSVCRT ref: 0040A8C7
GetWindowTextW.USER32(00000000,?,00001000), ref: 0040A8DC
EnumChildWindows.USER32(00000000,Function_0000A759,00000000), ref: 0040A907
DestroyWindow.USER32(00000000), ref: 0040A90E

Part of subcall function 0040A497: _snwprintf.MSVCRT ref: 0040A4BC

Strings

caption, xrefs: 0040A8F3

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Menu$DestroyItemWindowmemset$ChildCountCreateDialogEnumInfoLoadParamTextWindows_snwprintfwcschr
String ID: caption
API String ID: 1928666178-4135340389
Opcode ID: 2a735e7d3e9f25f5000f535f47a02417f98db50f76fb95be89fb06d3c5800170
Instruction ID: 1ee1ed61ad6e464c94b1b5c04ceaba47984998c4c5bccbb9cf540d7a9e91c68f
Opcode Fuzzy Hash: 2a735e7d3e9f25f5000f535f47a02417f98db50f76fb95be89fb06d3c5800170
Instruction Fuzzy Hash: 4C21B472100314BBDB11AF50DC49BAF3B78FF45751F148436F905A5191D7788AA0CB6A

Function 004070BF Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE,00000000), ref: 004070E4
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE), ref: 00407102
wcslen.MSVCRT ref: 0040710F
wcscpy.MSVCRT ref: 0040711F
LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE,00000000), ref: 00407129
wcscpy.MSVCRT ref: 00407139

Strings

netmsg.dll, xrefs: 004070DF
Unknown Error, xrefs: 00407131

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: Unknown Error$netmsg.dll
API String ID: 2767993716-572158859
Opcode ID: 26114b79388437db0e90dde86d0aa8455aeff93cef19d95b112ae8d9efa36594
Instruction ID: 89f566b746906e4e3228774242dd749435861e54522ca67c51f24cfbd45377e0
Opcode Fuzzy Hash: 26114b79388437db0e90dde86d0aa8455aeff93cef19d95b112ae8d9efa36594
Instruction Fuzzy Hash: 2301F231A08114BBEB145B61EC46E9FBB68EB05BA1F20007AF606F41D0DEB96F00969C

Function 004150B6 Relevance: 13.6, APIs: 9, Instructions: 126filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 0041510E
Sleep.KERNEL32(00000001), ref: 00415118
GetLastError.KERNEL32 ref: 0041512A
UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 00415202

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: 9f8ed0d04d3051dd5d2585b6ab40f83052c279f07ad27e494029b12bda0602be
Instruction ID: 880e68434f8ef122057b7821066ce039c6a6aeb50982fb6198a036ab3cbbf4dd
Opcode Fuzzy Hash: 9f8ed0d04d3051dd5d2585b6ab40f83052c279f07ad27e494029b12bda0602be
Instruction Fuzzy Hash: 7641F379504B42EFE3228F219C05BEBB7E0EFC0B15F20492FF59556240CBB9D9858E1A

Function 004124C0 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,",0000000C,?,?,00000000,0040C14A,?,?), ref: 004124F7
memcpy.MSVCRT(?,&,0000000A,?,?,00000000,0040C14A,?,?), ref: 00412523
memcpy.MSVCRT(?,<,00000008,?,?,00000000,0040C14A,?,?), ref: 0041253D

Strings

°, xrefs: 0041250E
", xrefs: 004124F1
<, xrefs: 004124D4
&, xrefs: 0041251D
<br>, xrefs: 00412537
>, xrefs: 004124E2

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
Instruction ID: 1d27d4cf7977f40543be0eb13b72094ec5c0409efe485552fd301264f6eb4def
Opcode Fuzzy Hash: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
Instruction Fuzzy Hash: 570145B6E54260F2FA3024058EE6FF30145CB62754FA40027F88AA02C0A1CD0EE3A29F

Function 00409657 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407EB8: free.MSVCRT ref: 00407EBB
Part of subcall function 00407EB8: free.MSVCRT ref: 00407EC3

Part of subcall function 00411B67: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A

Part of subcall function 00408001: free.MSVCRT ref: 00408010

memset.MSVCRT ref: 004096C7
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 004096F5
_wcsupr.MSVCRT ref: 0040970F

Part of subcall function 00407EDE: wcslen.MSVCRT ref: 00407EF0
Part of subcall function 00407EDE: free.MSVCRT ref: 00407F16
Part of subcall function 00407EDE: free.MSVCRT ref: 00407F39
Part of subcall function 00407EDE: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F5D

memset.MSVCRT ref: 0040975E
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 00409789
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 00409796

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00409674

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 4131475296-680441574
Opcode ID: 61904c526cf53957fd16323c1f6e0e8fade1d8a510b8a6cc6f8339011a263633
Instruction ID: ced938f56f23152dc4036b8c9c372f29a7907612beabbfd18841790b2154e098
Opcode Fuzzy Hash: 61904c526cf53957fd16323c1f6e0e8fade1d8a510b8a6cc6f8339011a263633
Instruction Fuzzy Hash: F84118B6D4011DABCB10EF99DD85AEFB7BCAF18304F1040AAB504F2191D7749B458BA4

Function 0040A759 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A77E
GetDlgCtrlID.USER32(?), ref: 0040A789
GetWindowTextW.USER32(?,?,00001000), ref: 0040A7A0
memset.MSVCRT ref: 0040A7C7
GetClassNameW.USER32(?,?,000000FF), ref: 0040A7DE
_wcsicmp.MSVCRT ref: 0040A7F0

Part of subcall function 0040A62F: memset.MSVCRT ref: 0040A642
Part of subcall function 0040A62F: _itow.MSVCRT ref: 0040A650

Strings

sysdatetimepick32, xrefs: 0040A7EA

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 690b26e669973beaba76962047fb40553a53b69d8850747cc34062e580a6b82a
Instruction ID: 9d6a1000cc6d846fb7caa7b95204278ebeb8f13d5a9664e287c5e204bace7976
Opcode Fuzzy Hash: 690b26e669973beaba76962047fb40553a53b69d8850747cc34062e580a6b82a
Instruction Fuzzy Hash: E21177325002197AEB24EB91DD4AE9F77BCEF04750F4040B6F508E1192E7745A51CB69

Function 00419008 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041C796,00000000,00000000), ref: 00419140
memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041C796,00000000,00000000), ref: 00419152
memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041C796,00000000,00000000), ref: 0041916A
memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041C796,00000000,00000000), ref: 00419187
memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041919F
memset.MSVCRT ref: 0041926C

Strings

-wal, xrefs: 00419199
-journal, xrefs: 00419164

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: -journal$-wal
API String ID: 438689982-2894717839
Opcode ID: 3fb32538101a96232d471ca328e00ad1292916094483904f8e7d4fc59e84f921
Instruction ID: 551b55634523189e5c53bd135c739114fe40c1c2f7e89174430398bb56853e76
Opcode Fuzzy Hash: 3fb32538101a96232d471ca328e00ad1292916094483904f8e7d4fc59e84f921
Instruction Fuzzy Hash: 54A1DEB1A00606BFDB14CFA4C8517DEBBB0BF04314F14856EE468D7381D778AA95CB99

Function 0040D0C3 Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040D0E2
GetWindowRect.USER32(?,?), ref: 0040D0F8
GetWindowRect.USER32(?,?), ref: 0040D10B
BeginDeferWindowPos.USER32(00000003), ref: 0040D128
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040D145
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040D165
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040D18C
EndDeferWindowPos.USER32(?), ref: 0040D195

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginClient
String ID:
API String ID: 2126104762-0
Opcode ID: 3e059de2c2a39fa097f99da28ed46862c9af8e23a81d8ce39be14bc790b9e9d0
Instruction ID: 1b30ad45943261d114c7945feb8e2d934b1f0a15928f611d2c59e033839f0f44
Opcode Fuzzy Hash: 3e059de2c2a39fa097f99da28ed46862c9af8e23a81d8ce39be14bc790b9e9d0
Instruction Fuzzy Hash: 5F21D875900209FFDB11DFA8CD89FEEBBB9FB48701F104164F655A2160C771AA519B24

Function 0040A668 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040A67E
memset.MSVCRT ref: 0040A69D
GetMenuItemInfoW.USER32 ref: 0040A6D9
wcschr.MSVCRT ref: 0040A6F1

Strings

0, xrefs: 0040A6B8
6, xrefs: 0040A6C0

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: 5536c3878cefa137b9e834622b73aa06c1352d4f7dca5f5f14b9808a57972f50
Instruction ID: 6379b183058c7bfcb2c9996af6a46f5bf8fbaffb9494aead0661b6c96fd4ce8b
Opcode Fuzzy Hash: 5536c3878cefa137b9e834622b73aa06c1352d4f7dca5f5f14b9808a57972f50
Instruction Fuzzy Hash: FF219A72505340ABD721DF55C84599BB7F8FB84745F044A3FFA84A2280E7B6CA10CB9A

Function 0040A497 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040A4BC
wcscpy.MSVCRT ref: 0040A4DF

Strings

strings, xrefs: 0040A4CA
dialog_%d, xrefs: 0040A4B0
general, xrefs: 0040A4D5
menu_%d, xrefs: 0040A4A0

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: 8becf3e9218155cd2e90e25ed978c4695a92d6ded04a6fa8cdd08c494461b467
Instruction ID: 8e174b2d8d79018ad6e296a97c01706163ed31911536b8ede193c50f01e1bc5f
Opcode Fuzzy Hash: 8becf3e9218155cd2e90e25ed978c4695a92d6ded04a6fa8cdd08c494461b467
Instruction Fuzzy Hash: CBE0B679A8830079F96025861E4BB2E61508774F59FB0886FF50AB05D1E9FE95A8710F

Function 00428591 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 217COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00428610

Strings

aggregate functions are not allowed in the GROUP BY clause, xrefs: 00428853
a GROUP BY clause is required before HAVING, xrefs: 0042883F
ORDER, xrefs: 0042879B
8, xrefs: 00428728
GROUP, xrefs: 004287CD

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset
String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-1606337402
Opcode ID: 46f26c3fdd6910b4d7312f8d71752383c86baf733d40e003e56e3ea4decbe60e
Instruction ID: a56ed1d78848c17894bc611d03527086a745bd119e00672256ad5f5daa2e3940
Opcode Fuzzy Hash: 46f26c3fdd6910b4d7312f8d71752383c86baf733d40e003e56e3ea4decbe60e
Instruction Fuzzy Hash: 93818E706093619FDB10DF15E88161FB7E0BF98354F94885FE8849B252EB78EC44CB9A

Function 0040D53E Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D560

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT(00000000,00000002), ref: 0040A10D

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

Part of subcall function 00407CFE: memset.MSVCRT ref: 00407D1F
Part of subcall function 00407CFE: _snwprintf.MSVCRT ref: 00407D52
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D5E
Part of subcall function 00407CFE: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 00407D76
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D84
Part of subcall function 00407CFE: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 00407D97

Part of subcall function 00407B1D: GetSaveFileNameW.COMDLG32(?), ref: 00407B6C
Part of subcall function 00407B1D: wcscpy.MSVCRT ref: 00407B83

Strings

*.htm;*.html, xrefs: 0040D5C6
*.csv, xrefs: 0040D5B1
txt, xrefs: 0040D565
*.xml, xrefs: 0040D5ED
*.txt, xrefs: 0040D582

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 1392923015-3614832568
Opcode ID: 380410c26e3291804c03af3795505405ed94cd18fa0364bdc388fa92e87f834b
Instruction ID: 456ec3227f593179f02471f626d387f8bd8a0122acdd439c58b7a13f613657e4
Opcode Fuzzy Hash: 380410c26e3291804c03af3795505405ed94cd18fa0364bdc388fa92e87f834b
Instruction Fuzzy Hash: 6131FAB1D002599BDB50EFA9D8C1AEDBBB4FF09314F10417AF508B7282DF385A458B99

Function 0040C0F2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

memset.MSVCRT ref: 0040C129

Part of subcall function 004124C0: memcpy.MSVCRT(?,<,00000008,?,?,00000000,0040C14A,?,?), ref: 0041253D

Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03

_snwprintf.MSVCRT ref: 0040C173

Strings

<item>, xrefs: 0040C0FC
</item>, xrefs: 0040C18D
<%s>%s</%s>, xrefs: 0040C166

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileWrite_snwprintf_wcslwrmemcpymemsetwcscpywcslen
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 2236007434-2769808009
Opcode ID: 438c6ceffbcd68a890abf2b9136991ccf46c150bae825d1d06f9ba09c855681a
Instruction ID: bd8afa7c54c2b984639c4d8fb182e53c6b214fce1ab7be0445daf1b4a409d2ac
Opcode Fuzzy Hash: 438c6ceffbcd68a890abf2b9136991ccf46c150bae825d1d06f9ba09c855681a
Instruction Fuzzy Hash: 82119132904615BFEB11AF65DC82E99BB74FF04318F10402AF9046A5E2DB75B960CBD8

Function 0040E030 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 0040E051
RegisterClassW.USER32(?), ref: 0040E076
GetModuleHandleW.KERNEL32(00000000), ref: 0040E07D
CreateWindowExW.USER32(00000000,WebBrowserPassView,WebBrowserPassView,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 0040E09C

Strings

WebBrowserPassView, xrefs: 0040E094, 0040E099, 0040E09A

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID: WebBrowserPassView
API String ID: 2678498856-2171583229
Opcode ID: 968ab77318ecbfefce790601fd2619178d52abf01415595e0110a8aaad309429
Instruction ID: d6937ed4ed068f8a41babfbfc400960a7e9d41ce1fcf29d78c1aeb4d070e2d0f
Opcode Fuzzy Hash: 968ab77318ecbfefce790601fd2619178d52abf01415595e0110a8aaad309429
Instruction Fuzzy Hash: 5301C4B1901629ABDB019F998D89ADFBFBCFF09B50F10421AF514A2240D7B45A408BE9

Function 0040C2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C2EB
memset.MSVCRT ref: 0040C302

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03

_snwprintf.MSVCRT ref: 0040C33E

Strings

<%s>, xrefs: 0040C32D
<?xml version="1.0" ?>, xrefs: 0040C307

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
String ID: <%s>$<?xml version="1.0" ?>
API String ID: 168708657-3296998653
Opcode ID: a73eef4ca532f3c806c8f7c4fb546103b4f23db77d3a0b99a33ba88c35d7e7d6
Instruction ID: 826567bfe222e6a97a7157a9ef984588091dd6de8d25c20f5ec279ce0d2f683a
Opcode Fuzzy Hash: a73eef4ca532f3c806c8f7c4fb546103b4f23db77d3a0b99a33ba88c35d7e7d6
Instruction Fuzzy Hash: 780167F2D401297AEB20A755CC46FEE767CEF44308F0000B6BB09B61D1DB78AA458A9D

Function 00403853 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
FreeLibrary.KERNEL32(00000000), ref: 00403897

Strings

crypt32.dll, xrefs: 0040385D
CryptUnprotectData, xrefs: 0040386E

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptUnprotectData$crypt32.dll
API String ID: 145871493-1827663648
Opcode ID: 2c4a40dc8dba4f0dc647d95a29ca81113139f6a9c6e20ee821370f4bbf0a04ed
Instruction ID: e5a88ed766aaa6e52f35248584035ac6595561cae6bd6684aeb1aa38a92ec81b
Opcode Fuzzy Hash: 2c4a40dc8dba4f0dc647d95a29ca81113139f6a9c6e20ee821370f4bbf0a04ed
Instruction Fuzzy Hash: 0A011A32500611ABC6219F158C4881BFEEAEBA1B42724887FF1C5E2660C3748A80CB54

Function 004071BD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,0040C6FE,00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004071D1
_snwprintf.MSVCRT ref: 004071FE
MessageBoxW.USER32(?,?,Error,00000030), ref: 00407217

Strings

Error, xrefs: 00407208
Error %d: %s, xrefs: 004071ED

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: 61e844944dbca76b68da5b3baf56ea9390605b233e584b109607b5eb60119b4a
Instruction ID: 3b05860ebe56c522f2c5ab20428fa68284bb982c16b5ab54bfd07cc8ba07ffa8
Opcode Fuzzy Hash: 61e844944dbca76b68da5b3baf56ea9390605b233e584b109607b5eb60119b4a
Instruction Fuzzy Hash: 74F0E23680021867DB11AB94CC02FDA72ACBB54B82F0400AAB905F2180EAF4EB404A69

Function 00412455 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shlwapi.dll,753D8FB0,?,004048E6,00000000), ref: 0041245E
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0041246C
FreeLibrary.KERNEL32(00000000,?,004048E6,00000000), ref: 00412484

Strings

shlwapi.dll, xrefs: 00412457
SHAutoComplete, xrefs: 00412466

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 0600c3fa923ac600481c4c27bdc763d37aac4bb3cec4cb789f1cecb2c3029c00
Instruction ID: b7e45597e31c4a606350929a185ef34a25fe7475720eeaf8429eabe2a59cceae
Opcode Fuzzy Hash: 0600c3fa923ac600481c4c27bdc763d37aac4bb3cec4cb789f1cecb2c3029c00
Instruction Fuzzy Hash: 6BD05B393502206BA7116F35BC48EAF2E65EFC6F537150031F501D1260CB544E429669

Function 0043310B Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

Strings

old, xrefs: 0043318F
oid, xrefs: 004331D5
foreign key constraint failed, xrefs: 004333AB
new, xrefs: 00433199

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: foreign key constraint failed$new$oid$old
API String ID: 0-1953309616
Opcode ID: 62ebdc269ebb98b136c9f16b4865919ffe4bf71bf72261f46eacdebf5a67e72f
Instruction ID: 956c7fa9d19c0f39a897be9568c0d7cc0038550a6314a583777b8070e5951de7
Opcode Fuzzy Hash: 62ebdc269ebb98b136c9f16b4865919ffe4bf71bf72261f46eacdebf5a67e72f
Instruction Fuzzy Hash: 90E18F71E00208EFDF14DFA5D881AAEBBB5FF48304F14846EE805AB251DB79AE41CB55

Function 004063C1 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004063E2
wcslen.MSVCRT ref: 004063ED
wcslen.MSVCRT ref: 004063FB
memset.MSVCRT ref: 00406451

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

nss3.dll, xrefs: 004063F3, 004063F8, 0040640C

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetwcslen$wcscatwcscpy
String ID: nss3.dll
API String ID: 1250441359-2492180550
Opcode ID: 539cc7b2b5a1ca4a5cded3f0901bcdf604bea04d283746a690f02e85a837d118
Instruction ID: 7e6fc29c8000acf8dfdc2cef167c58109b3e52db234c734628f4c22aee9d38d0
Opcode Fuzzy Hash: 539cc7b2b5a1ca4a5cded3f0901bcdf604bea04d283746a690f02e85a837d118
Instruction Fuzzy Hash: E711ECB2D0421DAADB10E750DD45BCA73EC9F10314F1004B7F60CE20C2F778AA548A9D

Function 0040A302 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040A314
GetWindowRect.USER32(?,?), ref: 0040A321
GetClientRect.USER32(00000000,?), ref: 0040A32C
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040A33C
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040A358

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 08c57ff735731e7da7a27fa3f9b2ad0737e344cc782b350b7b638dd860d33b4b
Instruction ID: 816d64d46c4b910dad83cc5cff1f19606824cbaca0e9d5d20ff5cebd8420fa85
Opcode Fuzzy Hash: 08c57ff735731e7da7a27fa3f9b2ad0737e344cc782b350b7b638dd860d33b4b
Instruction Fuzzy Hash: 06014836800129BBDB11AFA59C49EFFBFBCFF46B15F044169F901A2190D77896028BA5

Function 004421EB Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,00410671,?,?), ref: 00442202
??2@YAPAXI@Z.MSVCRT(0000000A), ref: 00442216
memset.MSVCRT ref: 00442225

Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

??3@YAXPAX@Z.MSVCRT(00000000), ref: 00442248

Part of subcall function 00441FDC: memchr.MSVCRT ref: 00442017
Part of subcall function 00441FDC: memcpy.MSVCRT(?,00443D7C,0000000B,?,?,?,00000000,00000000,00000000), ref: 004420BB
Part of subcall function 00441FDC: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004420CD
Part of subcall function 00441FDC: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004420F5

CloseHandle.KERNEL32(00000000), ref: 0044224F

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
String ID:
API String ID: 1471605966-0
Opcode ID: 8d684c0203be65d6cee86c411987c92c8a6445e23ddedbadec83ee29d411de9b
Instruction ID: 5cd116c641245c85bcd5bad65d9d69835b0888748ca48550e443bbafd66aa86b
Opcode Fuzzy Hash: 8d684c0203be65d6cee86c411987c92c8a6445e23ddedbadec83ee29d411de9b
Instruction Fuzzy Hash: 3DF0FC325041007AE21077329D4AF6B7B9CDF85761F10053FF515911D2EA789904C179

Function 0040C35B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C37F
memset.MSVCRT ref: 0040C396

Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03

_snwprintf.MSVCRT ref: 0040C3C5

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Strings

</%s>, xrefs: 0040C3B4

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
String ID: </%s>
API String ID: 168708657-259020660
Opcode ID: ed3ca334932eb13030ad141ea1100de8b1267ec76abb3a8f7f71a50922ffdfbd
Instruction ID: 40532074a48dce177473b235f1db1661615fe75cb863f0afecc7fe9ed9b88556
Opcode Fuzzy Hash: ed3ca334932eb13030ad141ea1100de8b1267ec76abb3a8f7f71a50922ffdfbd
Instruction Fuzzy Hash: 910136F3D4012976EB20A755DC45FEE76BCEF45308F4000B6BB09B7181DB78AA458AA8

Function 0040A414 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A44E
SetWindowTextW.USER32(?,?), ref: 0040A47E
EnumChildWindows.USER32(?,Function_0000A3B6,00000000), ref: 0040A48E

Strings

caption, xrefs: 0040A463

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: 0770d01bbebb907716830064d8bced7af567b4e8952be56cced1b648d4788750
Instruction ID: f5bb4e3483ddd063dbb45333af41605001ac6cd66b5ccbc099165aa82e617e5a
Opcode Fuzzy Hash: 0770d01bbebb907716830064d8bced7af567b4e8952be56cced1b648d4788750
Instruction Fuzzy Hash: 44F0C83690031466FB20EB51DD4EB9A3768AB04755F5000B6FF04B61D2DBF89E50CBAE

Function 0040103E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004075AD: memset.MSVCRT ref: 004075B7
Part of subcall function 004075AD: wcscpy.MSVCRT ref: 004075F7

CreateFontIndirectW.GDI32(?), ref: 0040105D
SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040107C
SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 0040109A

Strings

MS Sans Serif, xrefs: 00401049

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
String ID: MS Sans Serif
API String ID: 210187428-168460110
Opcode ID: 9567ec9b2f0dc6d22a5446aca1e43186409379ab266c501c72e5b3238589e89f
Instruction ID: b86dbe1d582a7894089203107e7a1e4413fc3d6f7e8de8594febed0b37e93160
Opcode Fuzzy Hash: 9567ec9b2f0dc6d22a5446aca1e43186409379ab266c501c72e5b3238589e89f
Instruction Fuzzy Hash: 56F05E75A4030877E621ABA0DC06F8A7BB9B740B01F000935B711B51E0D7E4A285C658

Function 00411140 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,004112EE,?,?,?,?,?,00000000,?), ref: 00411151
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0041116B

Strings

kernel32.dll, xrefs: 0041114C
GetProcessTimes, xrefs: 0041115B

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetProcessTimes$kernel32.dll
API String ID: 1646373207-3385500049
Opcode ID: 464f22052b3d8a0ba402789ad02750f959a9c2b374b1230dcbafe23b26c1554b
Instruction ID: be5b0e9885743e8d30da273d8ef78610b28524ab18dcfae55e11e98fa027414b
Opcode Fuzzy Hash: 464f22052b3d8a0ba402789ad02750f959a9c2b374b1230dcbafe23b26c1554b
Instruction Fuzzy Hash: 4FF01C35104308AFEB128FA0EC04B967BA9BB08749F048425F608C1671C775C9A0DF58

Function 004076CD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004076EC
GetClassNameW.USER32(?,00000000,000000FF), ref: 00407703
_wcsicmp.MSVCRT ref: 00407715

Strings

edit, xrefs: 0040770F

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClassName_wcsicmpmemset
String ID: edit
API String ID: 2747424523-2167791130
Opcode ID: 5d550bad1fc3d430151135b806da61cbea55bdd82f1e1fbc5f53ec133c7d6f5f
Instruction ID: 51a03c7d5923a90201923a44b10f324a390683a0d3b2f84b2934c4bf373e0ab9
Opcode Fuzzy Hash: 5d550bad1fc3d430151135b806da61cbea55bdd82f1e1fbc5f53ec133c7d6f5f
Instruction Fuzzy Hash: A9E04872D8031E7AFB14ABA0DC4BFA977BCBB04704F5001F5B615E10D2EBB4A6454A5C

Function 004121C3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6

Strings

shell32.dll, xrefs: 004121CC
SHGetSpecialFolderPathW, xrefs: 004121E0

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 2574300362-880857682
Opcode ID: 881f98a91457903b94e991739f1253563cd1b946a507866072d03daf316dbad8
Instruction ID: 4b50289c71ca44835333f785f02b611be4b8370b72da6f54bb0e40a9521e89f3
Opcode Fuzzy Hash: 881f98a91457903b94e991739f1253563cd1b946a507866072d03daf316dbad8
Instruction Fuzzy Hash: 86D0C774600313BADB108F209D48B4239746712743F251036F430D1771DF7895C49A1C

Function 0041B0C3 Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041B0D6
memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041B0EC
memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041B0FB
memcmp.MSVCRT(00000000,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041B143
memcpy.MSVCRT(00000000,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041B15E

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: c21ad6a5d3121964cfee4e4549eeaad2127827bfa0247cfb1633fe6ae368a6b9
Instruction ID: 295c5a0bc2866328f8dcc37ada2a4d99e769f04d629d2bea2717987aff5dfa66
Opcode Fuzzy Hash: c21ad6a5d3121964cfee4e4549eeaad2127827bfa0247cfb1633fe6ae368a6b9
Instruction Fuzzy Hash: 01217C72E10248BBDB18DAA5DC56E9F73ECEB44740F50042AB512D7281EB78E644C765

Function 0040E5BA Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E5D9
memset.MSVCRT ref: 0040E5EF
memset.MSVCRT ref: 0040E601
memcpy.MSVCRT(?,?,00000010, D,?,00443D7C), ref: 0040E626
memset.MSVCRT ref: 0040E630

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: ef22b1934ad2d52127aca45cd93deb21b3ee899ba2995d0c9766137b2d6f5093
Instruction ID: 5db9a22820b402d4d4dd4a010236648e296a7231ae54e5ee969484aed16c8927
Opcode Fuzzy Hash: ef22b1934ad2d52127aca45cd93deb21b3ee899ba2995d0c9766137b2d6f5093
Instruction Fuzzy Hash: D301F0B174070077D335AA35CC03F1A73E49FA1714F400E1DF152666C2D7F8A105866D

Function 00415494 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004154B8
memset.MSVCRT ref: 004154E8

Part of subcall function 0041538D: memset.MSVCRT ref: 004153AA
Part of subcall function 0041538D: UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004153CA

Part of subcall function 00414EFE: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414F2A
Part of subcall function 00414EFE: SetEndOfFile.KERNEL32(?), ref: 00414F54
Part of subcall function 00414EFE: GetLastError.KERNEL32 ref: 00414F5E

Strings

,A, xrefs: 00415560
%s-shm, xrefs: 004154FC

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$File$ErrorLastUnlockUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s-shm$,A
API String ID: 1271386063-2158068007
Opcode ID: e97150ecd3292b0c1fc6f67ffbb4081b9a3a76a2bb60b8d44e9283291b6bd327
Instruction ID: 8012e8fd2c705de7aa363bc2bd32bd15ad04531b7aa24a5a7ab2fd91cc4b7507
Opcode Fuzzy Hash: e97150ecd3292b0c1fc6f67ffbb4081b9a3a76a2bb60b8d44e9283291b6bd327
Instruction Fuzzy Hash: B1510671504B05FFD710AF21DC02BDB77A6AF80754F10481FF9299A282EBB9E5908B9D

Function 00415804 Relevance: 6.1, APIs: 4, Instructions: 138fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004158E7
MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 00415912
GetLastError.KERNEL32 ref: 00415939
CloseHandle.KERNEL32(00000000), ref: 0041594F

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastMappingView
String ID:
API String ID: 1661045500-0
Opcode ID: e54a1143c91b2cced6003210cc0bcdbeb5c1320b0c8b584585a67ef015de7640
Instruction ID: 02e61587b06ba7d058713df3830c0e33945dcb010177779d6ae1e8dc7ea6695b
Opcode Fuzzy Hash: e54a1143c91b2cced6003210cc0bcdbeb5c1320b0c8b584585a67ef015de7640
Instruction Fuzzy Hash: B6518EB4214B02DFD724DF25C981AA7B7E9FB84315F10492FE88286651E734E854CB59

Function 0042C345 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004132EA: memset.MSVCRT ref: 00413304

memcpy.MSVCRT(?,?,?), ref: 0042C42D

Strings

sqlite_altertab_%s, xrefs: 0042C3FE
Cannot add a column to a view, xrefs: 0042C39A
virtual tables may not be altered, xrefs: 0042C384

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 1297977491-2063813899
Opcode ID: 73f7123a41afc254934908830e0006766df9d40b851d17961e81b3466ae4c6b7
Instruction ID: 3e8a37011c5d834ac6e6d4f8fd11fd3d4e87e0ccd438cada7bf19ffd6667b676
Opcode Fuzzy Hash: 73f7123a41afc254934908830e0006766df9d40b851d17961e81b3466ae4c6b7
Instruction Fuzzy Hash: 03419D71A00615AFDB10DF69D881A5EB7F0FF08314F24856BE8489B352D778EA51CB88

Function 0042E398 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,0044B2E0), ref: 0042E4D8

Strings

CREATE TABLE , xrefs: 0042E44D
, xrefs: 0042E40E
, , xrefs: 0042E415

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: $, $CREATE TABLE
API String ID: 3510742995-3459038510
Opcode ID: 9c967c3a06afb765e02c907f2e49235dd04f948cd2abf78a2709aa5cc33f4167
Instruction ID: 75c0c8dac0447bb43292008ef446c40d7ab48a9469891862f1914eead86e2b05
Opcode Fuzzy Hash: 9c967c3a06afb765e02c907f2e49235dd04f948cd2abf78a2709aa5cc33f4167
Instruction Fuzzy Hash: C3518171E00219DFCF10DF9AD4856AEB7B5FF44309F64809BE841AB205D778AA45CB98

Function 0040475A Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004047A1

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT(00000000,00000002), ref: 0040A10D

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

Part of subcall function 00407CFE: memset.MSVCRT ref: 00407D1F
Part of subcall function 00407CFE: _snwprintf.MSVCRT ref: 00407D52
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D5E
Part of subcall function 00407CFE: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 00407D76
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D84
Part of subcall function 00407CFE: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 00407D97

Part of subcall function 00407AB6: GetOpenFileNameW.COMDLG32(?), ref: 00407AFF
Part of subcall function 00407AB6: wcscpy.MSVCRT ref: 00407B0D

Strings

*.*, xrefs: 004047E2
wand.dat, xrefs: 004047C7
dat, xrefs: 004047A6

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
String ID: *.*$dat$wand.dat
API String ID: 3589925243-1828844352
Opcode ID: ee95740454303ceeab932a838ec3e971a5e4e933b383f4235399895267209d19
Instruction ID: 6d0f55f818233349c8d1636aac4371a0276c995c789a620d4a51b657e5e4e923
Opcode Fuzzy Hash: ee95740454303ceeab932a838ec3e971a5e4e933b383f4235399895267209d19
Instruction Fuzzy Hash: 6F419971A04206AFDB14EF61D885AAE77B4FF40314F10C42BFA05A71C2EF79A9958BD4

Function 0040E51C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040,00000001,00443D7C,?,?,0040ED5A,?,00443D7C), ref: 0040E55F
memcpy.MSVCRT(?,?,00000040,00000001,00443D7C,?,?,0040ED5A,?,00443D7C), ref: 0040E589
memcpy.MSVCRT(?,?,00000013,00000001,00443D7C,?,?,0040ED5A,?,00443D7C), ref: 0040E5AD

Strings

@|=D, xrefs: 0040E5A6

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: @|=D
API String ID: 3510742995-4242725666
Opcode ID: df00fe4d456d847bcc816d9924c913a63d4017986857a83741e135789728a0a6
Instruction ID: e04d1c669876fac24280ac48723ffca9e388da4b41f072ca806e7767fffd92f4
Opcode Fuzzy Hash: df00fe4d456d847bcc816d9924c913a63d4017986857a83741e135789728a0a6
Instruction Fuzzy Hash: 19113BF29003047BDB348E66DC84C5A77A8EB603987000E3EF90696291F675DF69C6D8

Function 004084EE Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,?,?,004014B8,?,?,?,?,0044CD68,0000000C), ref: 00408523
memset.MSVCRT ref: 00408534
memcpy.MSVCRT(004503EC,?,00000000,00000000,00000000,00000000,00000000,?,?,004014B8,?,?,?,?,0044CD68,0000000C), ref: 00408540
??3@YAXPAX@Z.MSVCRT ref: 0040854D

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 006f3b584c6a23bdda7a4d338d7a1bb9511f2f472f5785237822146c56e0ee29
Instruction ID: d20edd04bd2483e58964879576c48f2ebc5a647496c0cba51e85d391a6ad2c86
Opcode Fuzzy Hash: 006f3b584c6a23bdda7a4d338d7a1bb9511f2f472f5785237822146c56e0ee29
Instruction Fuzzy Hash: 0D118C71204601AFD328DF2DCA91A26F7E5FFD8340B60892EE4DAC7385EA75E801CB14

Function 004123CC Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004123DC
SHBrowseForFolderW.SHELL32(?), ref: 0041240E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00412422
wcscpy.MSVCRT ref: 00412435

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: 9e530e736623199f8d1c4572649b675cce8d33ce20fed77073f00f2ac51ce3c2
Instruction ID: 5cda3e6a61a15ee9057d47663b3b2e0c0e874c437a77379260a47c7555d96391
Opcode Fuzzy Hash: 9e530e736623199f8d1c4572649b675cce8d33ce20fed77073f00f2ac51ce3c2
Instruction Fuzzy Hash: C5110CB5A00208AFDB00DFA9D9889EEB7F8FF49714F10406AE905E7200D779EB45CB64

Function 0042D603 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042D63E
memset.MSVCRT ref: 0042D648
memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,00000000,?,00000000,00000068,?,?,00000068), ref: 0042D673

Strings

sqlite_master, xrefs: 0042D616

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: sqlite_master
API String ID: 438689982-3163232059
Opcode ID: cbab1ddc9ac3410ad1cf84db35b40c80d29ec42151ab6fd04210e0215871e9bd
Instruction ID: ee6e5cfbbe52718914f41d47f1c84030a85cc49ac4fd556a51d86816da10b362
Opcode Fuzzy Hash: cbab1ddc9ac3410ad1cf84db35b40c80d29ec42151ab6fd04210e0215871e9bd
Instruction Fuzzy Hash: 6901B972900218BAEB11EFB18D42FDDB77DFF04315F50405AF60462142D77A9B15C7A4

Function 0041538D Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004153AA
UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004153CA
LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004153D6
GetLastError.KERNEL32 ref: 004153E4

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$ErrorLastLockUnlockmemset
String ID:
API String ID: 3727323765-0
Opcode ID: 0612512dbcb25e72840826b50eff5f9555e3619a56fe643e0148ba0517731135
Instruction ID: b4c6314a975e1eba122d49f899d78a16df92238a1a9f5a4b2f2908291fae13bb
Opcode Fuzzy Hash: 0612512dbcb25e72840826b50eff5f9555e3619a56fe643e0148ba0517731135
Instruction Fuzzy Hash: 7201D131100608FFDB219FA4EC848EBBBB8FB80785F20442AF912D6050D6B09A44CF25

Function 00403081 Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004030A6
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 004030C3
strlen.MSVCRT ref: 004030D5
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004030E6

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: c176ff0dcd1864958a99801ca3c2895d6322cf952761f758445de8014ee40b91
Instruction ID: e51875297eda531c80c3ec5ec415ee795d437164a5b9689062039e3667910632
Opcode Fuzzy Hash: c176ff0dcd1864958a99801ca3c2895d6322cf952761f758445de8014ee40b91
Instruction Fuzzy Hash: 56F04FB680022CBEFB15AB949DC5DEB776CDB04254F0001A2B709E2041E5749F448B78

Function 0041176D Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 004076CD: memset.MSVCRT ref: 004076EC
Part of subcall function 004076CD: GetClassNameW.USER32(?,00000000,000000FF), ref: 00407703
Part of subcall function 004076CD: _wcsicmp.MSVCRT ref: 00407715

SetBkMode.GDI32(?,00000001), ref: 00411794
SetBkColor.GDI32(?,00FFFFFF), ref: 004117A2
SetTextColor.GDI32(?,00C00000), ref: 004117B0
GetStockObject.GDI32(00000000), ref: 004117B8

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: 5fbb731d4b6b530c812bc277fef4d25e3eb5586c38ca31f5bfd49ebc1fc19f48
Instruction ID: 4524e9a356975b07e10c0673c8b36924071ef161512cc5bea393be377801c3c3
Opcode Fuzzy Hash: 5fbb731d4b6b530c812bc277fef4d25e3eb5586c38ca31f5bfd49ebc1fc19f48
Instruction Fuzzy Hash: 9AF0A435100209BBDF112F64DC05BDD3F61AF05B25F104636FA25541F5CF769990D648

Function 0040928C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00407BD1: SetFilePointer.KERNEL32(00409553,?,00000000,00000000,?,0040935E,00000000,00000000,?,00000020,?,004094E9,?,?,00409553,00000000), ref: 00407BDE

_memicmp.MSVCRT ref: 004092A6
memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,00409553,00000000), ref: 004092BD

Strings

URL , xrefs: 004092A0

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FilePointer_memicmpmemcpy
String ID: URL
API String ID: 2108176848-3574463123
Opcode ID: cd6c5101a0353fed1380e8074d20d0c9319d1f79348dd7d2e07b117509aaf2a7
Instruction ID: 33b3fc867a4e2474f07ea88972ed825a8fcb80c5477311fdb059a6d734a7dbfa
Opcode Fuzzy Hash: cd6c5101a0353fed1380e8074d20d0c9319d1f79348dd7d2e07b117509aaf2a7
Instruction Fuzzy Hash: 8411A031604208BBEB11DF29CC05F5F7BA8AF85348F054066F904AB2D2E775EE10CBA5

Function 004153F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,00415610,?,00000000), ref: 0041542C
CloseHandle.KERNEL32(?), ref: 00415438

Strings

!-A, xrefs: 00415417

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseFileHandleUnmapView
String ID: !-A
API String ID: 2381555830-3879722540
Opcode ID: e8c78a8d6966c789a432285f25c1a97e3c9752e60e4576fb47e50e48bcd826d3
Instruction ID: 6c5ed3bf8746cf55bcd37c1067f9027f6bc59eb5530dee428a664ff8177fa162
Opcode Fuzzy Hash: e8c78a8d6966c789a432285f25c1a97e3c9752e60e4576fb47e50e48bcd826d3
Instruction Fuzzy Hash: 5611BF35500B10DFCB319F25E945BD777E0FF84712B00492EE4929A662C738F8C48B48

Function 00408116 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00408125
_memicmp.MSVCRT ref: 00408153

Strings

History, xrefs: 0040811F, 00408124, 00408151

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memicmpwcslen
String ID: History
API String ID: 1872909662-3892791767
Opcode ID: bae70ed05e2484058d162cab4743c52f8bd5b62447447ec07eacc4e847ca5ebf
Instruction ID: 2715e0f5b76d9e8bf3bfa22bf35e41ec2dcc8bed56e6222f305abdff7d2b472d
Opcode Fuzzy Hash: bae70ed05e2484058d162cab4743c52f8bd5b62447447ec07eacc4e847ca5ebf
Instruction Fuzzy Hash: 7BF0A4721046029BD210EA299D41A2BB7E8DF813A8F11093FF4D196282DF79DC5646A9

Function 004017B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?,?,?,?,0040D8F3,?,General,?,?,?,?,?,00000000,00000001), ref: 004017E0
memset.MSVCRT ref: 004017F3

Strings

WinPos, xrefs: 00401806

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PlacementWindowmemset
String ID: WinPos
API String ID: 4036792311-2823255486
Opcode ID: ebc0bb48f8a97b617363729f7cf0900b593d1d2e388969c7686af9c2b4b0c1d2
Instruction ID: 403492ab1ae1e8e085d1b686bd15613ed323b870b3f74ac0ef6546771a88dbd4
Opcode Fuzzy Hash: ebc0bb48f8a97b617363729f7cf0900b593d1d2e388969c7686af9c2b4b0c1d2
Instruction Fuzzy Hash: BDF0FF71600204ABEB14EFA5D989F6E73E8AF04700F544479E9099B1D1D7B899008B69

Function 0042917D Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000000,?), ref: 0042921F
memcpy.MSVCRT(?,?,?,?), ref: 00429258
memset.MSVCRT ref: 0042926E
memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 004292A7

Memory Dump Source

Source File: 00000006.00000002.1487462665.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 8de3b15170db9a09aff60384115cf250075a5608c27ba135c8b23c8b853ebfd7
Instruction ID: 8c22702d92a242b4074cdc0308f2d59ea0ad553ae454c6356856be76eef94a8a
Opcode Fuzzy Hash: 8de3b15170db9a09aff60384115cf250075a5608c27ba135c8b23c8b853ebfd7
Instruction Fuzzy Hash: 2551A775A0021AFBEF15DF95DC81AEEB775FF04340F54849AF805A6241E7389E50CBA8

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsUpdate.exe.log

C:\Users\user\AppData\Local\Temp\holderwb.txt

C:\Users\user\AppData\Roaming\WindowsUpdate.exe

C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\pid.txt

C:\Users\user\AppData\Roaming\pidloc.txt

C:\Windows\assembly\Desktop.ini

Static File Info

General

File Icon

Windows Analysis Report
file.exe

Function 07737727 Relevance: 3.9, Strings: 3, Instructions: 125
COMMON

Function 07736E90 Relevance: 3.9, Strings: 3, Instructions: 113
COMMON

Function 077379E1 Relevance: 3.9, Strings: 3, Instructions: 101
COMMON

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre